cmd/snap-update-ns: re-factor secureMkdirAll into secureMk{Prefix,Dir}

[zyga]

The act of "securely creating a directory" can be decomposed into
"securely create the prefix" and "securely create the leaf". Naturally
the leaf can now vary and we can easily create leaf directories, files
and symlinks.

This patch sets the stage for that to happen, by splitting the main
function into a pair of functions. On the outside nothing changes but
tests needed a slight tweak to accommodate how life-cycle of file
descriptors looks like.

There are also several new tests to improve code coverage in various
edge cases.

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

[codecov-io]

Codecov Report

Merging #4163 into master will increase coverage by 0.07%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #4163      +/-   ##
==========================================
+ Coverage   75.52%   75.59%   +0.07%     
==========================================
  Files         436      436              
  Lines       37766    37853      +87     
==========================================
+ Hits        28521    28615      +94     
+ Misses       7250     7245       -5     
+ Partials     1995     1993       -2

Impacted Files	Coverage Δ
cmd/snap-update-ns/utils.go	100% <100%> (+14.06%)	⬆️
overlord/snapstate/snapstate.go	80.44% <0%> (-0.04%)	⬇️
overlord/assertstate/assertstate.go	77.59% <0%> (ø)	⬆️
overlord/snapstate/snapmgr.go	82.11% <0%> (+0.04%)	⬆️
overlord/snapstate/handlers.go	65.77% <0%> (+0.11%)	⬆️
corecfg/proxy.go	66.66% <0%> (+8.04%)	⬆️
corecfg/corecfg.go	44.44% <0%> (+20.44%)	⬆️
interfaces/kmod/kmod.go	72.72% <0%> (+27.27%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 533f5fa...2d6647d. Read the comment docs.

[bboozzoo]

Looks reasonable. There's this one thing with name = "/" that I indicated, might be worth double checking.

[bboozzoo]

Maybe add a note that secureMkDir returns a file descriptor to newly created segment and the it's -1 on errors.

[bboozzoo]

You should probably check if len(segments) > 0. Haven't tracked through the code but I think you'll get a panic with name = "/".

[bboozzoo]

LGTM

[pedronis]

don't we need a test for for update.SecureMkDirAll("/") ? should that fail if perm or gid/uid aren't the only possible ones?

[zyga]

I don't think this needs to be this paranoid. First of all, we don't chown things we don't create and we don't create / ever :-) (we just open it, there's no code to try to create it). Lastly we are still confined and we cannot open / in writable mode.

[pedronis]

either way we still need to test what happens

[zyga]

I added a Level0 test here actually, let me see https://github.com/snapcore/snapd/pull/4163/files#diff-0c4753259207bf20c552a1115ebb8759R65

[stolowski]

+1 with two tiny nitpicks from me, and assuming Maciej's and Samuele's feedback is adressed.

[stolowski]

I'd init fd to -1 to be on the safe side.

[zyga]

Commented in the other PR that we cannot do that as it triggers ineffectual assignment error.

[stolowski]

I'd init newFd to -1 to be on the safe side.

[jdstrand]

The directory creation itself still looks ok (ie, going from '/' to '/path/to/something' via mkdirat/openat.

However I found the decomposition and resulting API a bit awkward. Can you describe why it needs to be this way?

[jdstrand]

s/segments/segment/

[jdstrand]

Rather than 'leaf directory' I think you mean 'parent'. Honestly, I found the naming here a bit confusing. secureMkDirParent() might be more clear...

I still find the code hard to read and the decomposition feels awkward where secureMkDirPrefix is passed all the segments (elements or tokens might be a better name for the variable...) and it creates everything but the last one. Why not just pass secureMkDirAll the parent and be done with it?

Put another way, why 3 functions: secureMkDirAll which creates everything, secureMkDirPrefix which creates all but the last and secureMkDir which creates an arbitrary internal element? Why isn't it sufficient to have a single function that just goes from '/' to the path you want? I guess I don't understand the point of this PR-- can you describe where you are going and why this needs to be decomposed in this way?

[pedronis]

afaict the description says that the plan is to reuse and compose *Prefix together with functions that create symlinks or files instead of dirs

[jdstrand]

That doesn't explain why the API is decomposed and implemented in the manner it is-- maybe its just me, but, while it works, I found it somewhat convoluted.

[jdstrand]

For example, having one function to create a directory, one to create a symlink and one to create a file would be clear. The symlink and the file functions would simply call the directory function with the dirname of the symlink/file to make sure the directory was created before doing the symlink or the file operation.

[jdstrand]

This comment is misleading. You only created one segment. s/each/the/

[jdstrand]

Again, this is awkward without knowing the reason why you broke it up in this way. We do:

segments := ...
...
fd, err := secureMkPrefix(segments, perm, uid, gid)
...
fd, err = secureMkDir(fd, segments, len(segments)-1, perm, uid, gid)

To me, an API something along the lines of this seems more clear:

// create the dir and any needed parent directories
createParents := true
fd, err := secureMkDir(segments, perm, uid, gid, createParents)
...
// create only the specified directory and no parents
createParents = false
fd, err := secureMkDir(segments, perm, uid, gid, createParents)

Then if you just want to create the parent directory (and its parents) for some reason, you just do:

fd, err := secureMkDir(segments[0:len(segments)-1], perm, uid, gid, true)

[jdstrand]

Unfortunately this was merged without my review (I said I would complete it by today but by the time I got to it, it was merged).