forked from canonical/snapd
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
i/apparmor: add snippets with priorities (canonical#14061)
* Add snippets with priorities AppArmor rules that forbid access to a resource have more priority than rules that allow access to those same resources. This means that if an interface restricts access to an specific resource, it won't be possible to enable access to that same resource from another, more privileged, interface. An example of this is reading the .desktop files of all the installed snaps in the system: the superprivileged interface 'desktop-launch' enables access to these files, so any snap that has a connected plug for this interface should be able to read them. Unfortunately, the 'desktop-legacy' interface explicitly denies access to these files, and since it is connected automatically if a snap uses the 'desktop' or the 'unity7' interfaces, this mean that no graphical application will be able to read the .desktop files, even if the super- privileged interface 'desktop-launch' interface is connected. To allow this specific case, a temporary patch ( canonical#13933) was created and merged, but it is clearly an ugly and not-generic solution. For this reason, this new patch was created, following the specification https://docs.google.com/document/d/1K-1MYhp1RKSW_jzuuyX7TSVCg2rYplKZFdJbZAupP4Y/edit This patch allows to add "prioritized snippets". Each one has an UID and a priority. If no prioritized snippet with the same UID has been previously added, the new prioritized snippet will be added like any other normal snippet. But if there is already an added snippet with the same UID, then the priority of both the old and the new snippets are compared. If the new priority is lower than the old one, the new snippet is ignored; if the new priority is bigger than the old one, the new snippet fully replaces the old one. Finally, if both priorities are the same, the new snippet will be appended to the old snippet. This generic mechanism allows to give an interface priority over others if needed, like in the previous case. * Remove slices.Contains, since seems to be not supported * Update interfaces/apparmor/spec.go Co-authored-by: Zygmunt Bazyli Krynicki <[email protected]> * Use testutils.Contains * Replace "uid" with "key" for clarity and sanity * Add specific type for priority keys and force registering them * Remove unneeded return * Use SnippetKey as type * Don't use "slice" since MacOS seems to not support it * Update interfaces/apparmor/spec.go Co-authored-by: Zygmunt Bazyli Krynicki <[email protected]> * Update interfaces/apparmor/spec.go Co-authored-by: Zygmunt Bazyli Krynicki <[email protected]> * Use String instead of GetValue * Use SnippetKey as key instead of the inner string * Update interfaces/connection.go Co-authored-by: Zygmunt Bazyli Krynicki <[email protected]> * Several changes requested * Create the SnippetKeys inside Spec * Move key registration outside Spec This creates a centralized key registry inside apparmor module, so keys can be registered using top variables, and any duplicated key will produce a panic when snapd is launched, thus just panicking in any test too. * Added extra ways of working with SnippetKeys * Add extra check * Replace GetSnippetKey with GetSnippetKeys * Update the priority code use case A previous PR was merged with a Quick&Dirty(tm) solution to the priority problem between unity7 and desktop-legacy interfaces against desktop-launch interface. Now that it has been merged, that code must be updated to the new mechanism implemented in this PR. This is exactly what this commit does. * Add explanation and constants for prioritized snippets * Fix prioritized snippet key and add test in all_test * Several changes requested by Zygmunt Vazyli --------- Co-authored-by: Zygmunt Bazyli Krynicki <[email protected]>
- Loading branch information
1 parent
2979492
commit c59a5f6
Showing
8 changed files
with
252 additions
and
90 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.