cmd/{snap-seccomp,snap-confine-ns},osutil,interfaces/account_control: workaround unit test failures on Arch

[bboozzoo]

There is no 'shadow' group in ArchLinux, what causes a failure in cmd/snap-seccomp.TestCompile. Try to workaround the problem by looking at owning gid of /etc/shadow and figuring out the corresponding group name based on this.

As a side effect, a helper for looking up group name by gid was added. The implementation is based on similar code in https://tip.golang.org/src/os/user/cgo_lookup_unix.go

@zyga can you take a look?

[zyga]

Thank you for attacking this problem.

Some low and high level comments inline.

[zyga]

Why not just os.Stat?

[bboozzoo]

os.Stat does not carry any group information I'm afraid.

[zyga]

I think we could twist this test a little by just stating /etc/shadow unconditionally and using whatever the group there for the rest of the code below. Alternatively use something that works on Arch as well and just carry on.

The real problem is in the account_control interface which grants fchown to u:root and g:shadow. This will fail at runtime and needs to be fixed to grant the actual group owner of /etc/shadow

[bboozzoo]

Agreed, skipping the fallback and doing stat() unconditionally will make the code easier. I'll amend the PR.

[codecov-io]

Codecov Report

Merging #4135 into master will increase coverage by 0.14%.
The diff coverage is 75.18%.

@@            Coverage Diff             @@
##           master    #4135      +/-   ##
==========================================
+ Coverage   75.52%   75.67%   +0.14%     
==========================================
  Files         436      437       +1     
  Lines       37811    37870      +59     
==========================================
+ Hits        28558    28657      +99     
+ Misses       7256     7209      -47     
- Partials     1997     2004       +7

Impacted Files	Coverage Δ
osutil/group.go	77.77% <100%> (+77.77%)	⬆️
osutil/cgo_group.go	69.66% <69.66%> (ø)
interfaces/builtin/account_control.go	80% <78.57%> (-20%)	⬇️
overlord/ifacestate/helpers.go	60.26% <0%> (+0.66%)	⬆️
cmd/snap/cmd_aliases.go	95% <0%> (+1.66%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 47ceab8...0c6deba. Read the comment docs.

[bboozzoo]

Added one last patch to workaround missing 'nogroup' and rebased on top of c6d0682

[chipaca]

Looks good; some nits

[chipaca]

could we take this one step further and pull in the Group type?

[bboozzoo]

you mean this one?

// from https://golang.org/src/os/user/user.go
type Group struct {
	Gid  string // group ID
	Name string // group name
}

[chipaca]

yes

[bboozzoo]

I pulled in os/user.Group as suggested. FindGroupOwning() was updated to return *Group, error, other calls were returning either gid or name, so I left those intact.

[chipaca]

I suspect this comment does not apply

[bboozzoo]

yup, thanks for spotting this

[chipaca]

"cannot lookup group %d: %v" or somesuch (key being the starting with "cannot")

[chipaca]

errors should usually start with a cannot <do this thing you asked me to do>

[bboozzoo]

updated both messages

[chipaca]

FindGroup

[bboozzoo]

fixed

[mvo5]

Thanks for working on this. Two suggestions for missing tests otherwise very nice.

[mvo5]

Nice!

[mvo5]

Can we write tests for this? A simple smoke test based on the local user or something?

[zyga]

Ha, the reason this started was that there's just nothing sane about groups across systems.

Still +1 on a test.

[bboozzoo]

Added some tests to cover find group ID/name and group owning a particular file.

[mvo5]

And this as well? Again, something simple is enough for me. E.g. create a file, ensure its the group of the user running the test and call this helper or something like this?

[bboozzoo]

tests/main/static fails, because snapd can no longer be built with CGO_ENABLED=0. This is perhaps something worth discussing on the forums/IRC. Disabling cgo only works as long as you don't need cgo. In our case, we actually need it because of calls to getgrgid_r. When building with cgo disabled, Go toolchain was so nice to silently skip building osutil/group.go without a single word of warning only to producing uninformative interfaces/builtin/account_control.go:84:16: undefined: osutil.FindGroupOwning.

I will update the test to use -ldflags '-extldflags "-static"', but it's only half of solution. We need to decide which binaries must be built statically and which do not. As I understand, snap-seccomp, snap-exec, snap-update-ns are candidates. Out of these 3, snap-seccomp is a problem on Arch, as libseccomp is only avaialble as *.so. Given this, maybe tests/main/static doesn't even make sense.

Thoughts?

[zyga]

@bboozzoo to expand on the which binaries need to be statically linked. This is a bit more subtle and complex. The Ubuntu 16.04 build is special as it is used to construct the core snap which is participating in re-execution in many places.

On Arch we don't really need to link anything statically until we are ready to use base snaps where the base snap transition in the execution environment will pose a problem. At that time we should be able to use snapd from core so again, we don't really strongly need that.

[chipaca]

Loos good! Just minor nits.

If I make the same point twice below you'll know github is weird(er).

[chipaca]

this is usually written

c.Assert(err, IsNil)
c.Check(...)

[chipaca]

in general you'd use Assert on errors, unless the error doesn't affect the rest of the test; here I think it very much does

[chipaca]

and here, c.Assert(err, IsNil) and you can do away with the if

[bboozzoo]

Do we need another round of reviews or is this good to be merged now?

[zyga]

I'll do second review shortly (just woke up)

[mvo5]

This looks very nice, thanks for doing these fixes. I have some nitpick comments inside about conventions/style etc. Please check them out but I'm fine merging this and doing the style fixes in a followup.

[mvo5]

(nitpick) Maybe expand the comment a tiny bit? Something like: try to find a suitable 'nogroup' like group, e.g. arch uses "nobody"

[mvo5]

(nitpick) we don't need the } else { here our convention is like: foo, err := thing()\n if err != nil {return err}\nuse(thing). So something like the lines below will be more idiomatic for our code base:

        snippet, err := makeAccountControlSecCompSnippet()
        if err != nil {
		return err
	}
	spec.AddSnippet(snippet)
	return nil

is fine.

[mvo5]

(nitpick) we use a slightly different pattern when writing (most) unit tests. The package is called foo_test instead of foo which forces to use only the public interfaces of the thing that gets tested. This is similar to what the go upstream source is using. If internal access is needed we use a export_test.go file that is part of package "foo" to only export things for tests. For this particular test changes should be minimal as it is only testing public functions. So just renaming the package from osutil to osutil_test should be enough (plus import of osutil and prefixing the methods).

[mvo5]

(nitpick^2) empty structs are mostly written type groupSuite struct {}, i.e. no extra newline. We don't always follow that rule but mostly :)

[mvo5]

Thanks for adding those tests!

[bboozzoo]

Merge? (once the tests are green)

[chipaca]

once green, go for it

[bboozzoo]

Interesting, travis failed with:

2017-11-08 12:33:57 Failed tasks: 1
    - linode:ubuntu-core-16-64:tests/main/snap-auto-mount
2017-11-08 12:33:57 Failed task prepare: 1
    - linode:fedora-25-64:tests/main/classic-custom-device-reg
2017-11-08 12:33:57 Failed task restore: 1
    - linode:fedora-25-64:tests/main/classic-custom-device-reg

linode:fedora-25-64:tests/main/classic-custom-device-reg error is:

error: cannot pack "/home/gopath/src/github.com/snapcore/snapd/tests/lib/snaps/classic-gadget": exit status 1

linode:ubuntu-core-16-64:tests/main/snap-auto-mount error:

+ echo 'The auto-mount magic has given us the assertion'
The auto-mount magic has given us the assertion
+ MATCH 'name: test-store'
+ snap known account-key
error: pattern not found, got:

[niemeyer]

Please hold on a bit. Let me please have a look into it.

[bboozzoo]

Closing this for now. As discussed in the meetng, we'll try to kill most of cgo code, meaning we'll drop g:{{group}} filter form account control seccomp template followed by dropping of all unnecessary group query code.