Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
interfaces/builtin: add bluez interface #802
Conversation
|
This patch comes out of a discussion with @zyga about adding dbus services to snappy. |
zyga
reviewed
Apr 6, 2016
| @@ -0,0 +1,64 @@ | ||
| +package builtin |
|
whitelist this please |
|
@jdstrand Can you have a look if this looks sane or not? |
|
Travis complained about code formatting: https://travis-ci.org/ubuntu-core/snappy/jobs/121141259#L362 Please run |
ssweeny
added some commits
Apr 6, 2016
jdstrand
reviewed
Apr 6, 2016
| + </policy> | ||
| + <policy at_console="true"> | ||
| + <allow send_destination="org.bluez"/> | ||
| + </policy> |
jdstrand
Apr 6, 2016
Contributor
I'm not sure this is correct. Snappy does mediate connections between snaps but I think there is still value in differentiating between root and non-root users. I think the proper approach for now until we know more how this will work would be to require sudo for connecting to bluez.
|
I left a comment regarding the bus policy. In addition to that, this interface is going to need the following apparmor rules for the slot side (ie, what the server needs, taken from bluez.apparmor from the current 16.04 bluez5 snap):
and the following apparmor rules for the plugs side (ie, what the client needs, taken from framework-policy/apparmor/policygroups/client from the current 16.04 bluez5 snap):
In addition to that, this interface is going to need the following seccomp rules for the slot side (ie, what the server needs, taken from bluez.seccomp from the current 16.04 bluez5 snap):
and the following apparmor rules for the plugs side (ie, what the client needs, taken from framework-policy/seccomp/policygroups/client from the current 16.04 bluez5 snap):
@zyga : the slots/plugs seccomp rules are going to be common for all dbus interfaces. Perhaps these can be added automatically or at the very least have a helper function that interfaces can call out to so we can maintain the dbus seccomp list in one place for all dbus interfaces? |
|
I fixed the formatting. |
|
It looks like obex was left out of the bluez bus policy. If that was intentional, please don't include the obex apparmor rules. |
|
@jdstrand good idea on having common bits for dbus. Right now I don't quite know how it would look like but I was thinking about letting the backends offer helpers for high-level operations so that we don't have to patch similar snippets all around. |
zyga
added
the
Reviewed
label
Apr 6, 2016
|
@ssweeny please iterate on this and remove the reviewed label once you think this is ready for another review. |
|
@jdstrand that means the apparmor/seccomp files can be shipped anymore with the snap itself? I thought we only had to add the dbus policy file within the interface definition? |
|
@morphis - that is right. Frameworks are gone and so is old-security/security-policy. All of that is replaced with interfaces. There are plenty of examples in builtins/apparmor and builtins/seccomp that you can use. |
|
@jdstrand I see. |
|
@jdstrand two questions:
|
morphis
reviewed
Apr 6, 2016
| + switch securitySystem { | ||
| + case interfaces.SecurityDBus: | ||
| + return []byte(` | ||
| +<policy user="root"> |
morphis
Apr 6, 2016
Contributor
Eventually we should put this into a static variable but can't say if that fits the Go coding guidelines for snappy. Saw that in the other interface definitions. Would make the switch statement less complex from a reader perspective.
|
@ssweeny I think we can add the obex policy bits to the bluez interface for now. Lets split that later if needed. |
|
Looks like the Interfaces interface changed |
|
@ssweeny yes, sorry, I should have pinged you. Have a look at the interface (go interface). The changes are trivial:
Please wait for #826 to land though |
|
On the up side, Interfaces are about to go live so you should see your code working in practice. Track #827 |
|
@zyga @jdstrand This doesn't look right. How come we are allowing the snap to access bluez while the plug is disconnected!? The slot side is okay, as that's going to be the service, but the application itself should not be granted permissions unless the plug is connected. Do we have this issue on any other interface? |
niemeyer
removed
the
Reviewed
label
Apr 7, 2016
|
@niemeyer I wasn't sure about that. So the plug side snippets should be Connected rather than Permanent? |
|
@niemeyer you are right. We'll carefully review this before merging it |
|
@ssweeny We still need to add some unit tests around this and follow the formatting rules to get this ready for a final review. |
zyga
reviewed
Apr 8, 2016
| + interface=org.freedesktop.DBus.**, | ||
| +`) | ||
| + | ||
| +var bluezPermanentPlugAppArmor = []byte(` |
zyga
Apr 8, 2016
Contributor
As @niemeyer mentioned, using permanent plug snippets feels wrong.
This should be per-connection. Once a 3rd party snap and bluez are connected; only then; can that snap talk to bluez.
zyga
reviewed
Apr 8, 2016
| +socket | ||
| +`) | ||
| + | ||
| +var bluezPermanentPlugSecComp = []byte(` |
zyga
reviewed
Apr 8, 2016
| +socket | ||
| +`) | ||
| + | ||
| +var bluezPermanentPlugDBus = []byte(` |
zyga
reviewed
Apr 8, 2016
| +} | ||
| + | ||
| +func (iface *BluezInterface) SanitizeSlot(slot *interfaces.Slot) error { | ||
| + return nil |
zyga
Apr 8, 2016
Contributor
Once we have snap IDs I'd like this interface to be only available to the bluez snap. Perhaps that will be done with assertions, perhaps here. Not sure yet.
|
@zyga thinking about it I do agree that it feels better to do those per-connection. Thanks for clarifying! |
ssweeny
added some commits
Apr 8, 2016
|
@zyga apart from the coverage issue how are we looking? |
|
I'll check this out after the release tonight. |
|
add to whitelist |
niemeyer
changed the title from
Add bluez interface
to
interfaces/builtin: add bluez interface
Apr 13, 2016
|
retest this please |
|
+1 LGTM and see how it works in practice. |
|
@niemeyer It's good from my end. |
|
@ssweeny Can you test the image |
|
(by tomorrow I mean Thursday, sorry) |
niemeyer
merged commit 9025e4b
into
snapcore:master
Apr 14, 2016
jdstrand
reviewed
Apr 14, 2016
| +# Allow all access to bluez service | ||
| +dbus (receive, send) | ||
| + bus=system | ||
| + peer=(label=bluez5_bluez_*), |
jdstrand
Apr 14, 2016
Contributor
I just noticed this label is not going to match correctly for two reasons:
- bluez5_bluez_* is not how the profile name is formed any more, it should be snap.bluez5.bluez.*
- this label should match the label of the slot side. Ie, perhaps there is bluez5 bluez-foo and bluez-bar in the store that all offer the bluez slot to clients. snappy should dynamically create this plug side snippet to match the label of the slot side that the client is connecting to. Ie, if 'bluez-client-snap' is connected to 'bluez-foo', then the interface code should create a rule like this on the plugs side: dbus (receive, send) bus=system peer=(label=snap.bluez-foo.service.*)
Interestingly, the slot side could have reciprocal rules to only allow the connected clients as well.
|
I think it was fine to commit this as is and then address my last comment in a future commit. |
ssweeny commentedApr 6, 2016
First pass at adding the interface for bluez to make itself available
from a snap.