overlord/ifacestate: setup security backends phased by backends first #6128
Conversation
This patch adds a helper method to obtain a given security backend by name. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Fixes: https://bugs.launchpad.net/tillamook/+bug/1802581 Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
To fix LP: #1802581 a new helper setupPhasedSecurity() was added. This commit simplifies this helper - we already order the backends and the systemd backend is already first so we can skip the extra first step and instead setup security for all affected snaps at the same time (ordered by backends).
mvo5
force-pushed
the
fix/lp-1802581-2
branch
from
dac2c8b
to
9588c9f
Compare
| # shellcheck source=tests/lib/systemd.sh | ||
| . "$TESTSLIB/systemd.sh" | ||
| wait_for_service mock-gpio | ||
| mount --bind "$GPIO_MOCK_DIR" /sys/class/gpio |
There was a problem hiding this comment.
This is the monkey patching of the Linux kernel :D
| @@ -0,0 +1,38 @@ | |||
| summary: Regression test for 1802581 | |||
There was a problem hiding this comment.
Could you please cherry pick the documentation of the issue from the snap attached to the bug report?
There was a problem hiding this comment.
Yep, the bugreport seems to be a private one.
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| os.chdir(sys.argv[1]) |
There was a problem hiding this comment.
Could you please move this to main. Doing it like this makes sel, efd and ufd globals that can silently be picked up from typos elsewhere in the code.
|
|
||
| description: | | ||
| When using the snapd GPIO interface the slot side needs to export the GPIO | ||
| pint so that a file appears under /sys/class/gpio/gpioNNN. That file is a |
| @@ -0,0 +1,38 @@ | |||
| summary: Regression test for 1802581 | |||
There was a problem hiding this comment.
Yep, the bugreport seems to be a private one.
There was a problem hiding this comment.
I couldn't find the associated bug report (seems to be a private one), so this may be a silly question, but could we recommend using interface hooks instead of evaluating a symlink (readlink?)? Basically, the prepare-slot-* hook could pass whatever needs to be known to the plug side. Or am I missing something?
|
We could perhaps use something like interface hooks but as it stands now the GPIO interface doesn’t work if you disable and enable a snap using it. We need to fix that aspect and this is why the shuffling happened. We could change the interface to use something like hooks internally but that is much more work than necessary at this time. |
| st := task.State() | ||
|
|
||
| // Setup all affected snaps, start with the most important security | ||
| // backend and run it for all snaps. See LP: 1802581 |
There was a problem hiding this comment.
Might be worth clarifying the comment and say the ordering is established at init time (and maintained in the repo).
There was a problem hiding this comment.
indeed, this comment probably needs some expanding, important doesn't convey the fact that some backend behavior depends on the work of some other backend
| // backend and run it for all snaps. See LP: 1802581 | ||
| for _, backend := range m.repo.Backends() { | ||
| for i, snapInfo := range snaps { | ||
| st.Unlock() |
There was a problem hiding this comment.
Can we just st.Unlock() and defer st.Lock() before the loop (I know this is how the old setupSnapSecurity does that, just curious.
There was a problem hiding this comment.
the reason is done like that is that the systemd backend can take a long time
| debug: | | ||
| journalctl -u mock-gpio.service | ||
|
|
||
| execute: | |
| } | ||
| } | ||
| sort.Strings(affectedNames) | ||
| affectedNames = append([]string{snapName}, affectedNames...) |
There was a problem hiding this comment.
we could do this before the for loop instead of after
There was a problem hiding this comment.
not because Sort but then maybe the comment needs moving
| st := task.State() | ||
|
|
||
| // Setup all affected snaps, start with the most important security | ||
| // backend and run it for all snaps. See LP: 1802581 |
There was a problem hiding this comment.
indeed, this comment probably needs some expanding, important doesn't convey the fact that some backend behavior depends on the work of some other backend
| for _, backend := range m.repo.Backends() { | ||
| for i, snapInfo := range snaps { | ||
| st.Unlock() | ||
| err := backend.Setup(snapInfo, opts[i], m.repo) |
There was a problem hiding this comment.
Interesting observation. I think we need to sit down and design the backend setup process to optimise the apparmor wasted cycles we spend. In my mind I was thinking about backend.StartTransaction() ... and CommitTransaction() like API where we don't commit unless something needs to observe the intermediate state of some interfaces being connected and setup and some not yet when we know there are more setup calls just around the corner.
| // backend and run it for all snaps. See LP: 1802581 | ||
| for _, backend := range m.repo.Backends() { | ||
| for i, snapInfo := range snaps { | ||
| st.Unlock() |
There was a problem hiding this comment.
the reason is done like that is that the systemd backend can take a long time
|
|
||
| // Setup all affected snaps, start with the most important security | ||
| // backend and run it for all snaps. See LP: 1802581 | ||
| for _, backend := range m.repo.Backends() { |
There was a problem hiding this comment.
can we add some kind of unit tests that detects somehow the change of order?
There was a problem hiding this comment.
Yes, I will work on that now.
This is a tweak of #6127 which will setup all security systems based on backend first. This needs some more tests but I'm keen to see spread tests working for this one.
My feeling is that we should rework this a bit more and setup all slot security first and then all plug security (which we don't do right now). But before doing that this may unblock the problematic system(s).