wrappers: allow sockets under $XDG_RUNTIME_DIR

[kubiko]

/run/user/0/$SNAP_NAME/ is permited path for sockets to be created, this is at the moment blocked
when socket is defined as part of daemon configuration

Signed-off-by: Ondrej Kubik ondrej.kubik@canonical.com

Thanks for helping us make a better snapd!
Have you signed the license agreement and read the contribution guide?

[zyga]

This looks okay but I don't remember the plan for /run/user/NNN vs /run/user/NNN/$SNAP_INSTANCE_NAME.

CC @jdstrand and @chipaca for comments.

[bboozzoo]

If we're going this way, the message needs to be updated to include /run/user/0/...

[jdstrand]

I agree with @bboozzoo on this point.

[kubiko]

I did updated message, though with XDG_RUNTIME_DIR as @jdstrand proposed

[bboozzoo]

I think this should use $SNAP_INSTANCE_NAME

[kubiko]

I change it to XDG_RUNTIME_DIR, so there is no more need or SNAP_INSTANCE_NAME now

[kubiko]

Updated to use $SNAP_INSTANCE_NAME

[jdstrand]

Clearly there is a bug since we allow /run/user/[0-9]*/snap.@{SNAP_INSTANCE_NAME}/** but it feels wrong to make the user have to specify /run/user/*0*/... since in the future we might change that and this is exactly what XDG_RUNTIME_DIR is for. Eg:

$ sudo hello-world.env|grep XDG
XDG_RUNTIME_DIR=/run/user/0/snap.hello-world

Perhaps instead use || strings.HasPrefix(path, "$XDG_RUNTIME_DIR/")? I'm not sure if you'll have to expand that in the systemd unit or not, but this seems much more user friendly and in line with the other two variables.

[jdstrand]

I agree with @bboozzoo on this point.

[zyga]

Please adjust tests to update the validation routine.

[kubiko]

@jdstrand @zyga @bboozzoo implementation is now updated to use XDG_RUNTIME_DIR instead of hardcoded /run/path as @jdstrand proposed, this seems way more reliable and also easier to use.
I have also updated tests around to test this scenario. Thanks for good feedback :)

[jdstrand]

Approving, but please consider adding the suggested comment (see inline).

[jdstrand]

I was slightly uncomfortable with this change since sys.Geteuid() is going to be whatever snapd is running as, which works for both the testsuite and typical "daemons run as root" case but would not work whenever we introduce User= and Group= in the generated systemd units. In that case, we would want to adjust sys.Geteuid() to be a lookup of the specified user/group, which is ok.

As a future reminder, can you add the following comment:

// TODO: when we support User/Group in the generated systemd unit,
// adjust this accordingly

[kubiko]

@jdstrand I was thinking exactly same thing. But I was not sure if we have anything ready for this usecase. As I assume socket options will then need to expand to SNAP_USER_COMMON and SNAP_USER_DATA. But then we need way to identify what is user service should run under. And actually forbid use of SNAP_DATA/SNAP_COMMON if not running as root.
And indeed I used sys.Geteuid() trick to get right value in test and in actual run time
I will add comment, so make sure we keep this updated when introducing serviced for users.
I will add comment to make sure we capture this

[mvo5]

I think I would prefer not to use sys.Geteuid() here. Its slightly misleading, when looking at this code it seems like the value in xdg-runtime-dir depends on the daemon uid. But in reality it depends on the setting of the snap.yaml for the given service. By default the service will run as root and once we have a way to express users and groups it will run as a user or group. So I think it would be slightly better to represent that here (especially since initially this will always be uid=0). Something like:

--- a/wrappers/services.go
+++ b/wrappers/services.go
@@ -603,7 +603,9 @@ func renderListenStream(socket *snap.SocketInfo) string {
        listenStream := strings.Replace(socket.ListenStream, "$SNAP_DATA", snap.DataDir(), -1)
        // TODO: when we support User/Group in the generated systemd unit,
        // adjust this accordingly
-       listenStream = strings.Replace(listenStream, "$XDG_RUNTIME_DIR", snap.UserXdgRuntimeDir(sys.Geteuid()), -1)
+       serviceUserUid := sys.UserID(0)
+       runtimeDir := snap.UserXdgRuntimeDir(serviceUserUid)
+       listenStream = strings.Replace(listenStream, "$XDG_RUNTIME_DIR", runtimeDir, -1)
        return strings.Replace(listenStream, "$SNAP_COMMON", snap.CommonDataDir(), -1)
 }
 
diff --git a/wrappers/services_test.go b/wrappers/services_test.go
index 87de9e55c5..29700bc577 100644
--- a/wrappers/services_test.go
+++ b/wrappers/services_test.go
@@ -25,7 +25,6 @@ import (
        "path/filepath"
        "regexp"
        "sort"
-       "strconv"
        "strings"
        "time"
 
@@ -33,7 +32,6 @@ import (
 
        "github.com/snapcore/snapd/dirs"
        "github.com/snapcore/snapd/osutil"
-       "github.com/snapcore/snapd/osutil/sys"
        "github.com/snapcore/snapd/progress"
        "github.com/snapcore/snapd/snap"
        "github.com/snapcore/snapd/snap/snaptest"
@@ -460,7 +458,7 @@ Service=snap.hello-snap.svc1.service
 FileDescriptorName=sock3
 ListenStream=%s
 
-`, filepath.Join(s.tempdir, "/run/user", strconv.FormatUint(uint64(sys.Geteuid()), 10), "snap.hello-snap/sock3.socket"))
+`, filepath.Join(s.tempdir, "/run/user/0/snap.hello-snap/sock3.socket"))
        c.Check(sock3File, testutil.FileContains, expected)
 }

[kubiko]

Please adjust tests to update the validation routine.

@zyga can you please review updated tests as it should be fixed now

[mvo5]

Thanks, this looks good! +0.9 with one small suggestion, otherwise good to go.

[mvo5]

I think I would prefer not to use sys.Geteuid() here. Its slightly misleading, when looking at this code it seems like the value in xdg-runtime-dir depends on the daemon uid. But in reality it depends on the setting of the snap.yaml for the given service. By default the service will run as root and once we have a way to express users and groups it will run as a user or group. So I think it would be slightly better to represent that here (especially since initially this will always be uid=0). Something like:

--- a/wrappers/services.go
+++ b/wrappers/services.go
@@ -603,7 +603,9 @@ func renderListenStream(socket *snap.SocketInfo) string {
        listenStream := strings.Replace(socket.ListenStream, "$SNAP_DATA", snap.DataDir(), -1)
        // TODO: when we support User/Group in the generated systemd unit,
        // adjust this accordingly
-       listenStream = strings.Replace(listenStream, "$XDG_RUNTIME_DIR", snap.UserXdgRuntimeDir(sys.Geteuid()), -1)
+       serviceUserUid := sys.UserID(0)
+       runtimeDir := snap.UserXdgRuntimeDir(serviceUserUid)
+       listenStream = strings.Replace(listenStream, "$XDG_RUNTIME_DIR", runtimeDir, -1)
        return strings.Replace(listenStream, "$SNAP_COMMON", snap.CommonDataDir(), -1)
 }
 
diff --git a/wrappers/services_test.go b/wrappers/services_test.go
index 87de9e55c5..29700bc577 100644
--- a/wrappers/services_test.go
+++ b/wrappers/services_test.go
@@ -25,7 +25,6 @@ import (
        "path/filepath"
        "regexp"
        "sort"
-       "strconv"
        "strings"
        "time"
 
@@ -33,7 +32,6 @@ import (
 
        "github.com/snapcore/snapd/dirs"
        "github.com/snapcore/snapd/osutil"
-       "github.com/snapcore/snapd/osutil/sys"
        "github.com/snapcore/snapd/progress"
        "github.com/snapcore/snapd/snap"
        "github.com/snapcore/snapd/snap/snaptest"
@@ -460,7 +458,7 @@ Service=snap.hello-snap.svc1.service
 FileDescriptorName=sock3
 ListenStream=%s
 
-`, filepath.Join(s.tempdir, "/run/user", strconv.FormatUint(uint64(sys.Geteuid()), 10), "snap.hello-snap/sock3.socket"))
+`, filepath.Join(s.tempdir, "/run/user/0/snap.hello-snap/sock3.socket"))
        c.Check(sock3File, testutil.FileContains, expected)
 }

[mvo5]

This is similar to above (and the diff will change this part too): when reading this its slightly misleading as it may make the reader think the value is dependent on the runtime uid. But its strictly dependent on the user configured in the service yaml. So I would prefer here to not use sys.Geteuid() as well.

[kubiko]

@mvo5 I updated code per proposal. Initially I was trying to avoid hardcoding uid but you are right that it actually made it worse and code was giving wrong impression.
And true, this will anyway need to be revisited when we land support for user services

[zyga]

I re-read the patch and the discussion, looks good to me.

[pedronis]

seems there are some actual SE Linux failures now, @bboozzoo maybe can help

[kubiko]

seems there are some actual SE Linux failures now, @bboozzoo maybe can help

@pedronis yep @bboozzoo is already looking into this, he confirmed there is need to update SE profile

[bboozzoo]

----
type=AVC msg=audit(06/20/19 12:48:16.638:1057) : avc:  denied  { write } for  pid=12685 comm=snapd name=/ dev="tmpfs" ino=21744 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(06/20/19 12:48:16.639:1058) : avc:  denied  { remove_name } for  pid=12685 comm=snapd name=snap.socket-activation dev="tmpfs" ino=146684 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(06/20/19 12:48:16.639:1059) : avc:  denied  { rmdir } for  pid=12685 comm=snapd name=snap.socket-activation dev="tmpfs" ino=146684 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(06/20/19 12:48:16.639:1060) : avc:  denied  { unlink } for  pid=12685 comm=snapd name=socket-xdg dev="tmpfs" ino=146685 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1

Yes, this is caused by snapd trying to remove a socket file under /run/. I'll look into adjusting the policy and will push a patch to this branch.

[bboozzoo]

Pushed a patch that extends the policy accordingly.