interfaces/default: allow mknod for regular files, pipes and sockets (LP: #1636540) #2749
Conversation
This add SCMP_CMP_MASKED_EQ support for doing |S_IFIFO in the policy to support mknod which uses bitmasks for the permissions and file type.
|
@tyhicks - can you take a look at the policy syntax changes? |
| @@ -423,7 +435,12 @@ static int parse_line(char *line, struct seccomp_args *sargs) | |||
| if (errno != 0) | |||
| return PARSE_ERROR; | |||
|
|
|||
| sargs->arg_cmp[sargs->length] = SCMP_CMP(pos, op, value); | |||
| if (op == SCMP_CMP_MASKED_EQ) | |||
There was a problem hiding this comment.
Can you please explain the reasoning behind this? I'm just unfamiliar and I'd like to understand it better.
There was a problem hiding this comment.
SCMP_CMP_MASKED_EQ is what you use to check bitmasks (eg, '|S_IFREG'). Since for mknod(2) the second argument is a bitmask for mode_t, we need to see if S_IFREG is set within the mode_t, and you do that with SCMP_CMP_MASKED_EQ. Because SCMP_CMP takes an additional argument for the mask when op is 'SCMP_CMP_MASKED_EQ', we check if the op is 'SCMP_CMP_MASKED_EQ' and give that extra argument, otherwise we do like we've always done. It is sufficient for us to use 'value' for both the mask and the datum because if we have have rule mknod - |S_IFREG - then <mode_t>|S_IFREG matches S_IFREG when using something like mknod(..., S_IFREG|S_IRUSR|S_IWUSR, ...).
For more information, see 'man 3 seccomp_rule_add'.
|
Closing for the moment since the spread test failure needs to be investigated. |
- adjust common.sh to create a temp dir in /run/shm that is auto-cleaned - put the pipes in /run/shm since run is shared between global and app mount namespace - adjust logic of perms test to use 'stat' instead of 'test -w' for when the testsuite is run as root (as with spread) - adjust common.sh to add more helpful debug output as part of FAIL
- disable kernel rate limiting - also search for seccomp denials in debug output
|
The final logged seccomp event is about system call 201 which on x86 is |
|
@zyga - the geteuid32 is in the default policy but the denial is not from this test. I think it is from test_restrictions, but I'll make this test clearer so the geteuid32/geteuid stops confusing people. If you look at the latest travis failure, it is in linode:ubuntu-16.04-32:tests/main/gccgo. c-unit-tests passes everywhere now. The failure in linode:ubuntu-16.04-32:tests/main/gccgo is confusing since c-unit-tests is passing and so are the autopkgtests (minus ppc64el). I'll take a look at that test now. |
|
And of course, this seems to be an intermittent failure: |
|
I checked the original log and saw that linode:ubuntu-16.04-32 went to Spread-C and Spread-D. Perhaps Spread-C or Spread-D is out of date? |
Seccomp logs might show up as: audit: type=1326 audit(1485875879.395:1909): auid=1000 uid=0 gid=0 ses=14 pid=13916 comm="snap-confine" exe=".../snap-confine" sig=31 arch=c000003e syscall=107 compat=0 ip=0x7f5a332e46a7 code=0x0 Some tests have expected failures but these tests are all logged as comm="snap-confine" exe="/path/to/snap-confine" which leads to confusion when debugging (eg, in the above example syscall 107 (geteuid) was blocked, but it is in the list of common syscalls. This denial is from test_restrictions which is expected to have geteuid blocked). The fix is to copy snap-confine to the name of the test so that exe and comm use the name of the test. Eg: audit: type=1326 audit(1485956974.614:58308): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=3472 comm="test_restrictio" exe="/tmp/tmp.dsDGaRXxWx/test_restrictions" sig=31 arch=c000003e syscall=107 compat=0 ip=0x7f5bd35446a7 code=0x0
|
This is annoying. The autopkgtests fail with tests/main/gccgo and so does continuous-integration via travis, but locally and running |
|
Ok, finally got gccgo test to work. Now unrelated tests are failing: |
|
After a couple of tries, the unrelated tests (finally) passed. |
|
FYI, @tyhicks and I discussed the syntax changes over IRC and hangout and we agreed the syntax changes in this PR are ok. |
|
It is my understanding that this is now unblocked, so removing that tag, but closing until I have a chance to review and retest everything. |
|
I'm told that we can start landing the seccomp changes since snap-confine now is re-exec'd as necessary on classic. |
tests/unit/c-unit-tests/task.yaml
Outdated
| @@ -37,4 +37,4 @@ debug: | | |||
| # Show the test suite failure log if there's one | |||
| cat $SPREAD_PATH/cmd/autogarbage/test-suite.log || true | |||
| # Show seccomp audit messages | |||
| tail /var/log/kern.log | grep -F type=1326 | |||
There was a problem hiding this comment.
This is now in default debug-each so we could drop this copy.
data/info
Outdated
| @@ -1 +1 @@ | |||
| VERSION=unknown | |||
| VERSION=2.24 | |||
There was a problem hiding this comment.
Hrmm, that came in as a result of the merge from trunk. Removing.
| @@ -383,4 +391,6 @@ prepare_all_snap() { | |||
| tar czf $SPREAD_PATH/snapd-state.tar.gz /var/lib/snapd $BOOT | |||
| systemctl start snapd.socket | |||
| fi | |||
|
|
|||
| disable_kernel_rate_limiting | |||
There was a problem hiding this comment.
I think it is these that are causing the issues with the testsuite. There are tons of apparmor denials in the snapd-reexec test for snap.network-bind-consumer.network-consumer:
2017-04-19 13:36:01 Error executing linode:ubuntu-14.04-64:tests/main/snapd-reexec :
-----
+ '[' '' = 0 ']'
+ echo 'Ensure we re-exec by default'
Ensure we re-exec by default
+ snap list
2017/04/19 13:35:59.295076 main.go:237: WARNING: cannot create syslog logger
2017/04/19 13:35:59.431711 main.go:237: WARNING: cannot create syslog logger
Name Version Rev Developer Notes
core 16-2 1736 canonical -
+ MATCH 'DEBUG: restarting into'
+ journalctl
error: pattern not found, got:
-- Logs begin at Wed 2017-04-19 13:31:24 UTC, end at Wed 2017-04-19 13:31:25 UTC. --
Apr 19 13:31:24 ubuntu kernel: audit: type=1400 audit(1492608684.195:6094): apparmor="DENIED" operation="accept" profile="snap.network-bind-consumer.network-consumer" pid=16384 comm="python3" laddr=127.0.0.1 lport=8081 family="inet" sock_type="stream" protocol=6 requested_mask="accept" denied_mask="accept"
Apr 19 13:31:24 ubuntu kernel: audit: type=1400 audit(1492608684.195:6095): apparmor="DENIED" operation="accept" profile="snap.network-bind-consumer.network-consumer" pid=16384 comm="python3" laddr=127.0.0.1 lport=8081 family="inet" sock_type="stream" protocol=6 requested_mask="accept" denied_mask="accept"
I'm going to revert the disabling of rate limiting for now so this PR will pass and add a forum topic that the tests should be able to run with this enabled.
|
The xenial-i386 failure is unrelated: |
|
Thanks for the reviews and merge! :) |
This adds SCMP_CMP_MASKED_EQ support for doing things like '|S_IFIFO' in the policy to support
mknod which uses bitmasks for the permissions and file type. Developing this PR uncovered a number of testsuite rough edges, so fix those along the way.