i/apparmor: add snippets with priorities #14061
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sergio-costas
force-pushed
the
UDENG-3108-create-proposal-and-patch-for-app-armor-rule-priorization
branch
from
07ec35f
to
c2a031e
Compare
sergio-costas
changed the title
sergio-costas
force-pushed
the
UDENG-3108-create-proposal-and-patch-for-app-armor-rule-priorization
branch
from
c2a031e
to
1fd1a38
Compare
zyga
reviewed
Jun 10, 2024
sergio-costas
force-pushed
the
UDENG-3108-create-proposal-and-patch-for-app-armor-rule-priorization
branch
from
8c93503
to
96ebe29
Compare
|
Rebased to take advantage of the changes at #14032 |
zyga
reviewed
Jun 11, 2024
|
I kept the SnippetKey type as a struct to ensure that a string can't be used instead in the functions (unless there's a way to forbid using a string instead of |
|
(unless you think it's a good idea to allow it, of course...) |
pedronis
added
the
Needs Samuele review
pedronis
changed the title
pedronis
reviewed
Jun 19, 2024
pedronis
reviewed
Jun 20, 2024
sergio-costas
force-pushed
the
UDENG-3108-create-proposal-and-patch-for-app-armor-rule-priorization
branch
from
0e61400
to
49d8788
Compare
|
@pedronis Rebased the code and re-implemented the priority between unity7/desktop-legacy and desktop-launch using the new mechanism. |
pedronis
approved these changes
Jul 8, 2024
zyga
approved these changes
Jul 8, 2024
AppArmor rules that forbid access to a resource have more priority than rules that allow access to those same resources. This means that if an interface restricts access to an specific resource, it won't be possible to enable access to that same resource from another, more privileged, interface. An example of this is reading the .desktop files of all the installed snaps in the system: the superprivileged interface 'desktop-launch' enables access to these files, so any snap that has a connected plug for this interface should be able to read them. Unfortunately, the 'desktop-legacy' interface explicitly denies access to these files, and since it is connected automatically if a snap uses the 'desktop' or the 'unity7' interfaces, this mean that no graphical application will be able to read the .desktop files, even if the super- privileged interface 'desktop-launch' interface is connected. To allow this specific case, a temporary patch ( canonical#13933) was created and merged, but it is clearly an ugly and not-generic solution. For this reason, this new patch was created, following the specification https://docs.google.com/document/d/1K-1MYhp1RKSW_jzuuyX7TSVCg2rYplKZFdJbZAupP4Y/edit This patch allows to add "prioritized snippets". Each one has an UID and a priority. If no prioritized snippet with the same UID has been previously added, the new prioritized snippet will be added like any other normal snippet. But if there is already an added snippet with the same UID, then the priority of both the old and the new snippets are compared. If the new priority is lower than the old one, the new snippet is ignored; if the new priority is bigger than the old one, the new snippet fully replaces the old one. Finally, if both priorities are the same, the new snippet will be appended to the old snippet. This generic mechanism allows to give an interface priority over others if needed, like in the previous case.
Co-authored-by: Zygmunt Bazyli Krynicki <[email protected]>
Co-authored-by: Zygmunt Bazyli Krynicki <[email protected]>
Co-authored-by: Zygmunt Bazyli Krynicki <[email protected]>
Co-authored-by: Zygmunt Bazyli Krynicki <[email protected]>
This creates a centralized key registry inside apparmor module, so keys can be registered using top variables, and any duplicated key will produce a panic when snapd is launched, thus just panicking in any test too.
A previous PR was merged with a Quick&Dirty(tm) solution to the priority problem between unity7 and desktop-legacy interfaces against desktop-launch interface. Now that it has been merged, that code must be updated to the new mechanism implemented in this PR. This is exactly what this commit does.
sergio-costas
force-pushed
the
UDENG-3108-create-proposal-and-patch-for-app-armor-rule-priorization
branch
from
b321132
to
e51e95b
Compare
|
Codecov ReportAttention: Patch coverage is
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #14061 +/- ##
==========================================
+ Coverage 78.73% 78.75% +0.02%
==========================================
Files 1055 1061 +6
Lines 138275 139262 +987
==========================================
+ Hits 108866 109671 +805
- Misses 22588 22739 +151
- Partials 6821 6852 +31
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
AppArmor rules that forbid access to a resource have more priority than rules that allow access to those same resources. This means that if an interface restricts access to an specific resource, it won't be possible to enable access to that same resource from another, more privileged, interface.
An example of this is reading the .desktop files of all the installed snaps in the system: the superprivileged interface 'desktop-launch' enables access to these files, so any snap that has a connected plug for this interface should be able to read them. Unfortunately, the 'desktop-legacy' interface explicitly denies access to these files, and since it is connected automatically if a snap uses the 'desktop' or the 'unity7' interfaces, this mean that no graphical application will be able to read the .desktop files, even if the super- privileged interface 'desktop-launch' interface is connected.
To allow this specific case, a temporary patch (
#13933) was created and merged, but it is clearly an ugly and not-generic solution. For this reason, this new patch was created, following the specification https://docs.google.com/document/d/1K-1MYhp1RKSW_jzuuyX7TSVCg2rYplKZFdJbZAupP4Y/edit
This patch allows to add "prioritized snippets". Each one has an UID and a priority. If no prioritized snippet with the same UID has been previously added, the new prioritized snippet will be added like any other normal snippet. But if there is already an added snippet with the same UID, then the priority of both the old and the new snippets are compared. If the new priority is lower than the old one, the new snippet is ignored; if the new priority is bigger than the old one, the new snippet fully replaces the old one. Finally, if both priorities are the same, the new snippet will be appended to the old snippet.
This generic mechanism allows to give an interface priority over others if needed, like in the previous case.
Thanks for helping us make a better snapd!
Have you signed the license agreement and read the contribution guide?