daemon,debian: add PolicyKit support to snapd

[robert-ancell]

Use PolicyKit to authorize write access on the the snapd interface.

[snappy-m-o]

Can one of the admins verify this patch?

[robert-ancell]

The parts of this patch I'm not 100% sure about:

• CheckAuthorization() will block while a dialog is shown until the user provides a response. I don't know the snapd/go threading/loop model so I'm not sure if this will block up the snapd process or not. We can do this async with libsystemd if necessary, but again not sure how that interacts with the snapd threading model.
• I created a policy for each path - this may not be an appropriate granularity.
• We could (should?) also use policy for read actions. However this would mean if PolicyKit is not present only root works - is that fine?
• The way the credentials are converted into a string is... interesting. I hope I've done the right thing shoehorning a new variable in there.
• The C code is just thrown in daemon.go. I'm guessing it should probably be in a separate policykit.go - please let me know if so and what form it should take.
• Is using the C code for libsystemd correct or should I be using godbus instead?

[zyga]

Personally I'd prefer to have a few documented constants that are referenced from all the Command objects.

[robert-ancell]

Fixed.

[zyga]

I'd use i >= 0 although here it makes little difference.

[chipaca]

@zyga there's no valid line with i < 2 anyway.

[robert-ancell]

It has to be i > 0 otherwise the following line will fail:
if (line[i] != ')')

[zyga]

Could all of this hand-crafted manipulation be replaced by strtok_r()?

[robert-ancell]

strrchr? Yes. I think initially I was using that and it had too much pointer arithmetic but it looks better now.

[robert-ancell]

Fixed.

[zyga]

"canAccess %s %d %d %q"

[robert-ancell]

Fixed.

[zyga]

Personally I'd replace all of the parsing below with a simple generic (and easier to verify) code that splits elements on ';' and then parses each as a key=value. Then the code below could just look up the key uid or pid, convert it to a number and do what it has to do.

Specifically, I'd use: https://golang.org/pkg/strings/#Split

[robert-ancell]

Fixed.

[zyga]

What does it mean to "service" a snap?

[robert-ancell]

I don't know - I added policy for all the write operations. I don't know what service means exactly for a snap - ideas for better names welcome.

[zyga]

A few comments below but nothing terrible. I would love to see a check that this still builds and works fine on architectures which build go with gccgo as we had a few quirks around C interactions there.

[niemeyer]

Before reviewing this, can we have some more context for the proposal? This is likely a good idea, but it's not yet clear if it is a good idea right now.

[chipaca]

There doesn't seem to be a manpage for sd_bus_close, does it also do sd_bus_unref?

[zyga]

There is sd_bus *sd_bus_unref(sd_bus *bus);

[robert-ancell]

Fixed.

[robert-ancell]

@niemeyer the purpose of this change is to allow non-root users to install and remove snaps if the system policy allows. For example, a GUI application.

[niemeyer]

Okay, let's catch up live somewhere to discuss details of this work.

[elopio]

@robert-ancell and we need a user test for this. Talk to me or @fgimenez if you need a hand with this.

[sergiusens]

sideload these days means install from somewhere different than the store and provide all the required assertions. I think you are referring to developer snaps here, right?

[robert-ancell]

I just copied the associated method name sideloadSnap() - if there's a more appropriate name then happy to switch to that.

[mvo5]

I close this pull-request temporarily because we discussed various options at the recent sprint in SC and its not clear that this branch is the one we need.