* asserts,i/policy: add on-core-desktop constraint
This is required for interface behaviours that are different on Core Desktop.
* interfaces/builtin/home: autoconnect home on core desktop
Core desktop is much like a classic system in that the user would reasonably
expect to be able to access this home directory.
* i/builtin: add registry interface
Add a registry interface that snaps can use to access a particular
registry view.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
* registry: constrain registry name
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
---------
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
Allow plugs to specify the $PLUG_PUBLISHER_ID in attribute constraints
such that interfaces can restrict auto-connection to when certain
attributes match their publisher IDs.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
Now that we have app sets in the interfaces repo, keep a pointer to them in ConnectedPlug/Slot types. Use this to build label expressions in the interfaces.
* many: add a pointer to a SnapAppSet into Connected(Plug|Slot) so that interfaces can build a complete label expression, including component hooks
* interfaces: update doc comments on ConnectedPlug/Slot.AppSet
* interfaces: remove TODO that has been addressed
* interfaces: use app set pointer for instance name check
* snap: add Runnable type that represents the runnable parts of a snap
* interfaces, o/ifacestate: use snap.Runnable rather than interfaces.Runnable
* interfaces, i/builtin, o/ifacestate: panic on failed invariant check in NewConnectedPlug/Slot
* interfaces: add methods to app set for getting runnables that can connect to plug/slot
* interfaces: build label expressions using runnables
* interfaces: doc comment for SlotRunnables
* interfaces: implement Slot/PlugRunnables with shared helper
* interfaces: log and skip security tags that do not match expected pattern
* snap, interfaces: move runnable constructors to methods on AppInfo and HookInfo
* interfaces: refactor to allow labelExpr to operate directly on a ConnectedPlug/Slot
* snap: move around Runnable methods
Originally desktop simply allowed auto-connect; making the change to not
auto-connect on UC is not that relevant because ultimately there will need to
be a snap providing it, and that snap will set policy if allowed from its
snap-declaration.
Instead, let auto-connection only happen with an implicit slot.
* Add new ros opt interface
* Ros interface: prepare for testing
* adapt test from system-files to ros-opt-data
* complete list of ros files and explanation
* Fix unit tests and formatting
* No need to restore-dir if it's a sub folder of a mocked dir already
* Add spread test for ros-opt-data interface
* Reorder test-snapd-policy-app-consumer snap.yaml file
* Finish the spread test for ros-opt-data
The mounted folder inside is different from the outside, so the
mocks now use 2 different values.
* Fixup: remove unnecessary line in ros-opt-data test
* Do not have ros opt data interface implicit on Core
* sandbox/apparmor: read apparmor kernel sub-features
These are required to be able to detect whether the running kernel supports the
use of the unconfined profile mode amongst others.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* sandbox/apparmor: add support for probing parser for unconfined flag
AppArmor 4.0 introduced a new flag named unconfined - since this is a profile
flag rather than part of the main profile syntax, also add support for probing
for flags within AppArmor profiles.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/apparmor: add support for unconfined profile flag
Add a new unconfined attribute to the AppArmor specification which is used to
denote that a profile should include the unconfined flag. Then refactor flag
handling within the AppArmor backend so that both this new flag and the complain
flag (used for classic and dev mode snaps) are handled together. Finally, only
emit this flag when we are sure both the AppArmor parser and kernel provide
appropriate support.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/builtin/lxd_support: add userns and unconfined permissions
LXD requires the use of unprivileged userns and the ability to run unconfined -
so add support for both of these to the lxd-support interface.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* tests/main/lxd: verify apparmor profile has expected perms on mantic
On Ubuntu 23.10 the LXD snap should run with the new unconfined profile flag and
with the userns AppArmor permission, so check for these via spread.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces: rework AppArmor unconfined mode to be a static property
As suggested by @pedronis, refactor the implementation of AppArmor unconfined
profile mode to be a static property of an interface so that it is much more
tightly coupled to the interface itself. Add various tests as well to ensure
that only super-privileged interfaces can use this property too.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* tests/main/lxd: add details to the spread test
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* sandbox/apparmor: test kernel sub-features
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces: clarify comment regarding AppArmorUnconfined{Plugs,Slots}
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/policy: check for unconfined plug/slots outside type loop
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* sandbox/apparmor: fix double space in profiles when probing parser
Thanks for the suggestion @MiguelPires
Signed-off-by: Alex Murray <alex.murray@canonical.com>
---------
Signed-off-by: Alex Murray <alex.murray@canonical.com>
This is intended to make auto-connect on classic systems work when the
cups snap is also installed. If the cupsd is installed, application
snaps should connect to system:cups-control. If not, then they should
connect to cups:cups-control.
incorporate into it and update the patterns described in basedeclaration.go
have a few relevant doc comments point to it
* tweaks
* interfaces: incorporate suggestions from @degville with some tweaks
thanks
* interfaces: incorporate fixes from @MiguelPires
thanks
This is a first go at an interface to allow a snap to register as a Polkit agent. The primary use case is for the Ubuntu Core Desktop system we're building. The implicit slot is not available on classic systems, since there is no reasonable way to implement it given the variability in the PAM and NSS configurations found on those systems.
Here's a brief description of how a Polkit agent operates:
The agent registers with polkitd by calling the RegisterAgent D-Bus method. In general, it will register as an agent for all processes that belong to a particular logind session.
When a system daemon makes a CheckAuthorization call to polkitd for a subject that is covered by the agent, polkitd will make a BeginAuthentication call to the agent. This includes the requested action ID, a message to show the user, and a cookie string to identify the authentication request.
The agent runs the setuid polkit-agent-helper-1 executable as a sub-process. The helper begins the PAM authentication process, and delegates any prompts to the agent via messages on stdin/stdout.
On completion of the authentication process (either success or failure), the helper makes an AuthenticationAgentResponse2 method call to polkitd, using the cookie to identify the request. Polkitd trusts the response because the D-Bus connection credentials show that the helper is running as root.
Polkitd responds to the system daemon with this result, allowing it to decide how to respond to its client.
This poses a number of difficulties for a snap based system:
- The snap needs to be able to execute a setuid binary.
- The setuid binary is going to inherit some security config from its parent process, including:
  - mount namespace: it will be running in the snap's sandbox, so the sandbox will need to provide all the PAM modules referenced by the system's configuration, and have access to all data files and services those modules use.
  - seccomp filters: the parent's seccomp filter will need to allow all access the setuid helper requires. One obvious case that has come up is access to the kernel audit subsystem.
The need to support the host system's PAM config mostly rules out getting this to work on Classic systems. On Core systems though, things will generally work if the snap uses the same base as the boot file system (or something sufficiently similar).
The interface makes use of AppArmor's ability to switch profiles on exec(). We switch to a sub-profile tailored to what polkit-agent-helper-1 needs. Namely:
- Include nameservice and authentication abstractions to enable use of PAM. Also grant access to extrausers shadow files, which aren't currently included in authentication.
- Allow audit_write and sys_nice capabilities, which are used by the installed PAM modules.
- Allow SIGTERM signals from the calling snap: this is sent when the user cancels authentication. The corresponding rule allowing the agent to send the signal is covered by the default snap AppArmor template.
- Allow communication with polkitd over the D-Bus system bus to make the AuthenticationAgentResponse2 method call.
The interface is locked down with allow-installation: false on the plug side, since it allows running a privileged process in a mount namespace under the control of the snap. Through the use of layouts, it's possible that the snap could replace shared libraries loaded by the helper. Even though the helper is locked down through an AppArmor sub-profile, it seems reasonable to vet snaps that request this access.
I don't have a spread test for this, as we don't have any ubuntu-core-* systems with polkit integrated, and I'm not altogether certain how I'd structure a test for this. We have been manually testing the interface on Core Desktop builds though.
* interfaces: add a polkit-agent interface
* interfaces: use a subprofile to run polkit-agent-helper-1 in polkit-agent interface
* interfaces: only look for polkit-agent-helper-1 in /usr/libexec
Prior to Ubuntu 22.04, the polkit executables were installed in
/usr/lib/policykit-1. As there is practically zero chance of polkit
being integrated into these older Ubuntu Core versions, there's no
benefit checking the old path.
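As an added illustration (not the PR's own policy text), the following AppArmor sketch shows the shape of the exec() transition into a child profile for polkit-agent-helper-1 that the description above outlines; the profile names, the example snap name and the extrausers paths are assumptions, and only the rules the description lists are included.

```apparmor
# Illustrative snippet, not snapd's generated profile. Names are assumed.
profile snap.example-agent.agent {
  #include <abstractions/base>
  # ... the snap's normal confinement rules go here ...

  # The setuid helper switches into its own child profile on exec().
  /usr/libexec/polkit-agent-helper-1 Cx -> polkit-agent-helper,

  # Agent cancels a pending authentication by sending SIGTERM to the helper
  # (the description notes the default snap template already covers this).
  signal (send) set=(term) peer=snap.example-agent.agent//polkit-agent-helper,

  profile polkit-agent-helper {
    #include <abstractions/base>
    # PAM needs user/group lookups and the authentication stack.
    #include <abstractions/nameservice>
    #include <abstractions/authentication>

    /usr/libexec/polkit-agent-helper-1 mr,

    # Ubuntu Core keeps locally created users in extrausers (paths assumed),
    # which the authentication abstraction does not cover.
    /var/lib/extrausers/shadow r,
    /var/lib/extrausers/gshadow r,

    # Capabilities used by the installed PAM modules.
    capability audit_write,
    capability sys_nice,

    # Accept cancellation from the calling snap.
    signal (receive) set=(term) peer=snap.example-agent.agent,

    # Report the PAM outcome back to polkitd; the cookie passed in the call
    # ties it to the earlier BeginAuthentication request.
    dbus (send)
      bus=system
      path=/org/freedesktop/PolicyKit1/Authority
      interface=org.freedesktop.PolicyKit1.Authority
      member=AuthenticationAgentResponse2
      peer=(label=unconfined),
  }
}
```

The child profile deliberately omits everything the parent snap is allowed, so a snap that can replace libraries via layouts still only gets the helper's narrow permissions once the exec() transition has happened.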
Let connect/auto-connect only to an upower-observe implicit slot by default;
this will require changes to review-tools to detect that for an app slot
dedicated rules in snap-declaration are needed.
These can be useful in the base-declaration in situations where
a slot can be app-provided or implicit both on classic and core;
now we have at least one use case like this for upower-observe.
As core/system snaps so far provide only slots, there is no use
case for adding plug-side plug-snap-type connection constraints.
* Mount system fonts via app desktop slot
* interfaces: update desktop tests to match changes to interface
* interfaces: note that desktop interface allows app slot implementations
* tests: add desktop slot to test-snapd-policy-app-provider-core
* interfaces: deny connection of desktop interface by default on Ubuntu Core.
* tests: add a spread test for providing a desktop slot on Ubuntu Core
* interfaces: add support for xdg-desktop-portal to app-provided desktop slot
In this setup, we expect xdg-desktop-portal and xdg-document-portal to
be running outside of confinement (as snap userd does), with the user
interface backend services running in the context of the slot snap.
* interfaces: add a comment about the assumption that a snap providing a
desktop slot uses the boot base snap as its base.
* Fix documents portal not being launched
It uses a different bus name from the desktop portal.
* interfaces: fix up permanent slot rules for desktop interface
* interfaces: update desktop slot declaration to only allow app snaps to provide the slot under the minimal install check
* interfaces: add access to files necessary for xdg-user-dirs to the
desktop slot
* interfaces: add file access covering what the ubuntu-desktop-session:shell-config-files system-files plug granted
* interfaces: add a comment noting the unusual base declaration for desktop
* interfaces: make desktopPermanentSlotAppArmor a constant
---------
Co-authored-by: Marcus Tomlinson <marcus.tomlinson@canonical.com>
Co-authored-by: Robert Ancell <robert.ancell@canonical.com>
Co-authored-by: Ken VanDine <ken.vandine@canonical.com>
* sandbox/apparmor: Add probing for userns support in host AppArmor
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/builtin/userns: Add new userns interface
Add a new super-privileged interface that allows a snap to bypass any AppArmor
restrictions on user namespace creation on the host. Since this is only
supported in very new AppArmor releases, when the host AppArmor does *not*
support this feature, it is implicitly assumed to be allowed.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/browser-support: Add AppArmor userns with allow-sandbox
When allow-sandbox is true, and the host system's AppArmor supports mediating
userns, ensure we include this permission in the generated AppArmor profile
snippet.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/docker-support: Add AppArmor userns support
When the host system's AppArmor supports mediating userns, ensure we include
this permission in the generated AppArmor profile snippet.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/userns: Add clone to seccomp filter
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/greengrass-support: Add AppArmor userns support
When the host system's AppArmor supports mediating userns, ensure we include
this permission in the generated AppArmor profile snippet for the privileged
mode flavors of this interface. This keeps the AppArmor and seccomp profiles
consistent, as we also allow unshare in the seccomp profile for these flavors.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces: Unit test AppArmor userns in [docker|greengrass]-support
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces: propagate error from apparmor_sandbox.ParserFeatures()
If this fails then something is definitely not right so don't silently ignore
it.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces: use nil in place of []string{} for better readability
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/userns: rework AppArmorConnectedPlug() error handling
Don't ignore errors from apparmor_sandbox.ParserFeatures(), but allow more
concise handling of the case where the parser does not support userns.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/userns: use correct super-privileged base declaration
Also declare this slot as implicit on both core and classic since it is provided
by the system's AppArmor parser etc.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
* interfaces/userns: fix to wire up interface declaration properly
Also fix the associated unit tests to properly test that this interface is
super-privileged as expected and is implicit on core / classic too.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
---------
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>