cmd/snap-update-ns: add secureMkfileAll

[zyga]

This branch is based on #4163

This patch adds a function similar to secureMkdirAll that instead of
creating a number of directories instead creates a number of directories
and a final leaf file.

The purpose of this function is to create empty files as bind mount
targets for files present in a read-only location that needs to become
writable.

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

[codecov-io]

Codecov Report

Merging #4169 into master will increase coverage by 0.15%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #4169      +/-   ##
==========================================
+ Coverage    75.8%   75.96%   +0.15%     
==========================================
  Files         439      440       +1     
  Lines       37995    38427     +432     
==========================================
+ Hits        28803    29190     +387     
- Misses       7190     7223      +33     
- Partials     2002     2014      +12

Impacted Files	Coverage Δ
cmd/snap-update-ns/utils.go	100% <100%> (ø)	⬆️
interfaces/builtin/account_control.go	80.64% <0%> (-19.36%)	⬇️
wrappers/services.go	76.53% <0%> (-3.79%)	⬇️
cmd/snap/cmd_aliases.go	93.33% <0%> (-1.67%)	⬇️
cmd/snap-update-ns/bootstrap.go	85.36% <0%> (-1%)	⬇️
snap/info_snap_yaml.go	93.83% <0%> (-0.21%)	⬇️
interfaces/systemd/spec.go	50.98% <0%> (ø)	⬆️
interfaces/builtin/location_observe.go	48.48% <0%> (ø)	⬆️
interfaces/kmod/spec.go	85.41% <0%> (ø)	⬆️
interfaces/udev/spec.go	95.18% <0%> (ø)	⬆️
... and 49 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d6c6506...bee7986. Read the comment docs.

[bboozzoo]

This should probably bail out early if path is /foo/ with / at the end and as a side effect paths like "/" will be rejected too.

if strings.HasSuffix(name, "/") { 
    return errors.New("not a file path")
}

[zyga]

Done just below.

[jdstrand]

Overall seems fine, but a few questions in line and one change re filepath.Clean.

[jdstrand]

This has the equivalent result for sysMkdirat and is consistent with perm used elsewhere, but seems superfluous. Not a blocker but curious if you made this change for something other than consistency?

[zyga]

No, I just noticed after opening the other PR and I somehow landed the change here. Technically we want the Perm part of the mode so this is just for correctness in case of abuse.

[jdstrand]

This comment is wrong for this function. I think having a bigger comment ala secureMkdir is useful here, particularly that you are opening an existing file if it exists.

[zyga]

Wrong merge. Updated.

[jdstrand]

Not a blocker, but curious why it is O_RDWR and O_RDONLY isn't supported? I'm not saying that O_RDONLY should be supported, but secureMkfile() doesn't scream 'create a read/write file'-- should the API be renamed secureMkfileReadWrite?

[zyga]

Interesting point. Well, we don't really care (as the file is closed internally) and we check for EEXIST if the file was already there. I think all files must be writable to be made.

[jdstrand]

Again, not that I am saying you have to, but you can use O_CREAT | O_RDONLY just fine.

[zyga]

Man I only finally understand what's the point. Updated as we don't have to write to it.

I somehow instinctively assumed that O_CREAT needs O_RDWR :-)

[jdstrand]

and O_CREAT

[jdstrand]

In secureMkdir you sysClose(newFd) with a comment. Shouldn't you be doing the same here? If not, perhaps add a comment why this is ok?

[zyga]

No, because we don't return the fd here. It's defer closed already.

All the unit tests (with mocked syscalls) detect leaking descriptors.

[jdstrand]

Why aren't you returning newFd here like with the secureMkdir? This is an API inconsistency that at the very least should be documented up above.

[zyga]

Because the point of the API (at least for what I need it for) is to ensure the directory / file exists and there is no expected follow up. We don't write to those files, just use them as mount points.

[jdstrand]

We should be checking the suffix after filepath.Clean() to avoid "/foo/..". Does it make sense to at the top of this function (and secureMkdirAll):

if filepath.Clean(name) != name {
   return fmt.Errorf("...")
}

[zyga]

I think filepath.Clean chops the trailing / but I'll double-check. EDIT: Done in 0aab1e7

[zyga]

Also changed this code to reject unclean paths. I think it's good to merge now.

[jdstrand]

This comment doesn't seem to go with the test.

[zyga]

I meant that ironically but I re-worded this now

[jdstrand]

Thanks for the changes.

[jdstrand]

Did you mean to leave this commented out?

[zyga]

No, good catch. Re-enabled now.