New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmd/snap-confine: discard stale mount namespaces #4324
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a bit of self-review for explaining one aspect.
} | ||
|
||
bool sc_should_populate_ns_group(struct sc_ns_group *group) | ||
bool sc_should_populate_ns_group(struct sc_ns_group * group) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oddly this is coming out of my machine's make fmt
. If indent changed rules again I will call for a flag day and propose that we move to clang-format
that at least has a very readable and sane output without 80 column constraint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/me happens to like the 80 column constraint. ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We had a chat on IRC about this and we decided this needs a bit of reorganizing (but not much) which would put the PR inline with the kernel design/implementation for setns and reduce what snap-confine is required to do.
FYI
This is indent being inconsistent with itself. :/ |
I've implemented the version that calls setns only once now. I'll close this PR and open a 2nd one when tests are happy. |
This patch enables snap-confine to discard stale mount namespaces. The code already contained to logic to detect a stale namespace. The patch introduces an additional check. Once we know of a stale namespace we check if it would be safe to discard it by looking at the processes that inhabit it. This can be done reliably by enumerating the freezer group. If we find any process we consider it unsafe for the mount namespace to be discarded but we log a diagnostic message that system administrators can see (it can be an important security fact that a particular snap is using an older revision of the base snap). The code is made a little bit more generic so that we can also filter by user identifier. This is likely to be used by the upcoming per-user mount namespace feature. The apparmor profile is extended slightly to be able to read the cgroup.procs file and to unmount existing namespaces. That last thing is a bit of a magic / broken rule as apparmor has some issues that we don't fully understand whenever setns is called. < jjohansen> uh, setns is a known problem, double setns doesn't change that < jjohansen> hey zyga-ubuntu, setns won't necessarily break everything dependent on several things. Partly to due with how mounts are shared or whether they are cloned .. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
b9c547d
to
7824fb1
Compare
I'm closing this PR in favour of the v2 approach. |
This patch enables snap-confine to discard stale mount namespaces. The
code already contained to logic to detect a stale namespace. The patch
introduces an additional check. Once we know of a stale namespace we
check if it would be safe to discard it by looking at the processes that
inhabit it. This can be done reliably by enumerating the freezer group.
If we find any process we consider it unsafe for the mount namespace to
be discarded but we log a diagnostic message that system administrators
can see (it can be an important security fact that a particular snap is
using an older revision of the base snap).
The code is made a little bit more generic so that we can also filter by
user identifier. This is likely to be used by the upcoming per-user
mount namespace feature.
The apparmor profile is extended slightly to be able to read the
cgroup.procs file and to unmount existing namespaces. That last thing is
a bit of a magic / broken rule as apparmor has some issues that we don't
fully understand whenever setns is called.
< jjohansen> uh, setns is a known problem, double setns doesn't
change that
< jjohansen> hey zyga-ubuntu, setns won't necessarily break
everything dependent on several things. Partly to due with how mounts
are shared or whether they are cloned ..
Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com