interfaces,overlord,testutil: implement support for interface-based security #733

Closed
wants to merge 11 commits into
from

Contributor

zyga commented Mar 23, 2016

This branch adds a 2nd iteration of "security helpers" that know enough to enable certain types of security support (apparmor, seccomp, udev, dbus) for a given snap. Unlike the first version, they have a somewhat different layout, a public API (through interfaces.SecurityConfigurator), and are meant to be used from the overlord directly.

The branch has extensive tests for apparmor, basic tests for other backends and no tests for the new interface manager task (I'm mostly looking for feedback at that level and I probably will only land that after the snap manager populates some basic facts about snaps).

zyga added some commits Mar 23, 2016

testutil: add MockCmd.ForgetCalls
This patch adds a method that is useful for forgetting calls made so far.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

interfaces: add SecurityTag and SecurityGlob functions
This patch adds two support functions that compute the "security tag"
for a single application and a glob for all security tags in a given
snap.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

testutil: don't panic in MockCmd.Calls() if no calls were made
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

interfaces/udev: add udev configurator
This patch adds the udev configurator. Configurators encapsulate the
knowledge on how to configure a given security system. Here, each app
gets a dedicated udev rule file with rules that apply to that application.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

interfaces/dbus: add dbus configurator
This patch adds the dbus configurator. Configurators encapsulate the
knowledge on how to configure a given security system. Here, each app
with at least one dbus snippet gets a dedicated dbus configuration file
with rules that apply to that application.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

interfaces/apparmor: add apparmor configurator
This patch adds the apparmor configurator. Configurators encapsulate the
knowledge on how to configure a given security system. Here, each app
gets a dedicated apparmor configuration file. Additional snippets
are injected into the profile by interface connection.

Developer mode is supported by switching apparmor into so-called complain
mode. There violations are logged, but don't kill the offending process.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

interfaces/seccomp: add seccomp configurator
This patch adds the udev configurator. Configurators encapsulate the
knowledge on how to configure a given security system. Here, each app
gets a dedicated snappy-specific seccomp profile comprised of a stock
header and all the security snippets concatenated. In developer mode
only the string "@unrestricted" is placed into the profile.

The seccomp package also exposes ProfileFile() function that should be
used when calling ubuntu-core-launcher.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

overlord/interfaces: first stab at ensure security
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

interfaces: add SecurityConfigurator interface
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

interfaces: remove older security support code
This patch removes the earlier seccomp/apparmor support code.
This code is entirely replaced by the new set of packages and the
security configurator packages.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

interfaces: add SecurityBackend interface
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+ }
+ // Ensure that files are correctly on disk
+ changed, removed, err := osutil.EnsureDirState(dir, glob, content)
+ // Record changes so that we can do clean-up in Finalize. This has to
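Review bot: the `err` returned by `osutil.EnsureDirState(dir, glob, content)` is not checked in the lines shown, and the comment that follows breaks off at "This has to". If `changed` and `removed` must be recorded before the error is returned so that Finalize can clean up after a partial write, say so in the comment and return `err` right after recording; otherwise a failed update could leave security files on disk that nothing later reloads or removes.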
@pedronis

pedronis Mar 24, 2016

Contributor

All ConfigureSnapSecurity seem to start the same? first impression is that the abstraction is not the best if it ends up with that much repetition? what's the relation between Configurators and Security Systems?
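The hunk under review calls `osutil.EnsureDirState(dir, glob, content)` and keeps `changed` and `removed` for later clean-up. As an added example (not code from this branch or from snapd), here is one way a function of that shape can behave for per-app profile files; the name `syncDir`, the `snap.demo.*` file names and the rejection of names outside the glob are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// syncDir (hypothetical name) makes the files in dir that match glob equal to
// want (file name -> content) and reports which names were written or removed.
func syncDir(dir, glob string, want map[string][]byte) (changed, removed []string, err error) {
	for name := range want { // refuse names outside the glob, e.g. "../x"
		if ok, _ := filepath.Match(glob, name); !ok {
			return nil, nil, fmt.Errorf("%q does not match %q", name, glob)
		}
	}
	existing, err := filepath.Glob(filepath.Join(dir, glob))
	if err != nil {
		return nil, nil, err
	}
	for _, path := range existing { // stale profiles of apps no longer present
		if _, ok := want[filepath.Base(path)]; !ok {
			if err = os.Remove(path); err != nil {
				return changed, removed, err // report partial progress
			}
			removed = append(removed, filepath.Base(path))
		}
	}
	for name, content := range want {
		path := filepath.Join(dir, name)
		if old, rerr := os.ReadFile(path); rerr == nil && bytes.Equal(old, content) {
			continue // already correct on disk, nothing to reload
		}
		if err = os.WriteFile(path, content, 0644); err != nil {
			return changed, removed, err // report partial progress
		}
		changed = append(changed, name)
	}
	sort.Strings(changed)
	return changed, removed, nil
}

func main() {
	// Constructed sample: one devmode seccomp profile for a made-up snap "demo".
	dir, _ := os.MkdirTemp("", "profiles")
	defer os.RemoveAll(dir)
	fmt.Println(syncDir(dir, "snap.demo.*", map[string][]byte{"snap.demo.app": []byte("@unrestricted\n")}))
}
```

A production version would write each file under a temporary name and rename it into place, so a crash cannot leave a half-written profile.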

+ return nil
+}
+
+// Finalize does nothing at all.
@pedronis

pedronis Mar 24, 2016

Contributor

doesn't seem to do nothing here?

@zyga

zyga Mar 24, 2016

Contributor

Ah, copy paste error. I'll correct this.

Contributor

zyga commented Mar 24, 2016

Closing for the split

@zyga zyga closed this Mar 24, 2016

@zyga zyga deleted the zyga:security-cfs branch Dec 12, 2016
