Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/snap-confine: discard stale mount namespaces #4324

Closed
wants to merge 1 commit into from
Closed

cmd/snap-confine: discard stale mount namespaces #4324

wants to merge 1 commit into from

Conversation

zyga
Copy link
Collaborator

@zyga zyga commented Nov 29, 2017

This patch enables snap-confine to discard stale mount namespaces. The
code already contained to logic to detect a stale namespace. The patch
introduces an additional check. Once we know of a stale namespace we
check if it would be safe to discard it by looking at the processes that
inhabit it. This can be done reliably by enumerating the freezer group.

If we find any process we consider it unsafe for the mount namespace to
be discarded but we log a diagnostic message that system administrators
can see (it can be an important security fact that a particular snap is
using an older revision of the base snap).

The code is made a little bit more generic so that we can also filter by
user identifier. This is likely to be used by the upcoming per-user
mount namespace feature.

The apparmor profile is extended slightly to be able to read the
cgroup.procs file and to unmount existing namespaces. That last thing is
a bit of a magic / broken rule as apparmor has some issues that we don't
fully understand whenever setns is called.

< jjohansen> uh, setns is a known problem, double setns doesn't
change that
< jjohansen> hey zyga-ubuntu, setns won't necessarily break
everything dependent on several things. Partly to due with how mounts
are shared or whether they are cloned ..

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

zyga
zyga commented Nov 29, 2017
View reviewed changes
Copy link
Collaborator Author

@zyga zyga left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a bit of self-review for explaining one aspect.

cmd/snap-confine/ns-support.c
}

bool sc_should_populate_ns_group(struct sc_ns_group *group)
bool sc_should_populate_ns_group(struct sc_ns_group * group)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oddly this is coming out of my machine's make fmt. If indent changed rules again I will call for a flag day and propose that we move to clang-format that at least has a very readable and sane output without 80 column constraint.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/me happens to like the 80 column constraint. ;)

@zyga zyga requested a review from jdstrand November 29, 2017 21:44
jdstrand
jdstrand suggested changes Nov 29, 2017
View reviewed changes
Copy link

@jdstrand jdstrand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We had a chat on IRC about this and we decided this needs a bit of reorganizing (but not much) which would put the PR inline with the kernel design/implementation for setns and reduce what snap-confine is required to do.

@zyga
Copy link
Collaborator Author

zyga commented Nov 30, 2017

FYI

-				if (umount2(mnt_fname, MNT_DETACH|UMOUNT_NOFOLLOW) < 0) {
+				if (umount2
+				    (mnt_fname,
+				     MNT_DETACH | UMOUNT_NOFOLLOW) < 0) {

This is indent being inconsistent with itself. :/

@zyga
Copy link
Collaborator Author

zyga commented Nov 30, 2017

I've implemented the version that calls setns only once now. I'll close this PR and open a 2nd one when tests are happy.

@zyga
cmd/snap-confine: discard stale mount namespaces
7824fb1 
This patch enables snap-confine to discard stale mount namespaces. The
code already contained to logic to detect a stale namespace. The patch
introduces an additional check. Once we know of a stale namespace we
check if it would be safe to discard it by looking at the processes that
inhabit it. This can be done reliably by enumerating the freezer group.

If we find any process we consider it unsafe for the mount namespace to
be discarded but we log a diagnostic message that system administrators
can see (it can be an important security fact that a particular snap is
using an older revision of the base snap).

The code is made a little bit more generic so that we can also filter by
user identifier. This is likely to be used by the upcoming per-user
mount namespace feature.

The apparmor profile is extended slightly to be able to read the
cgroup.procs file and to unmount existing namespaces. That last thing is
a bit of a magic / broken rule as apparmor has some issues that we don't
fully understand whenever setns is called.

< jjohansen> uh, setns is a known problem, double setns doesn't
change that
< jjohansen> hey zyga-ubuntu, setns won't necessarily break
everything dependent on several things. Partly to due with how mounts
are shared or whether they are cloned ..

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
@zyga zyga force-pushed the fix/discard-stale-base-snap branch from b9c547d to 7824fb1 Compare November 30, 2017 16:46
@zyga
Copy link
Collaborator Author

zyga commented Dec 4, 2017

I'm closing this PR in favour of the v2 approach.

@zyga zyga closed this Dec 4, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jdstrand jdstrand jdstrand requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@zyga @jdstrand