[WIP] many: non-setuid snap-confine, caps v4 #15094

Draft
wants to merge 36 commits into
base: master
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
36 commits
Select commit Hold shift + click to select a range
12f815c cmd/snap-confine: update cgroup code to run under an ordinary user (mardy, Nov 10, 2022)
66ba243 snap-confine: create helper function to set capabilities (mardy, Nov 9, 2022)
d97d182 libsnap-confine-private: add more capability-related methods (mardy, Nov 10, 2022)
61b4cc8 cmd/snap-confine: drop setuid and use capabilities instead (mardy, Nov 10, 2022)
c379864 snap-confine: get the current working directory as a user (mardy, Nov 10, 2022)
c207b68 cmd/snap-confine: add a few debug checkpoints for capabilities (mardy, Nov 10, 2022)
af0a3a4 snap-confine: update apparmor profile for capability support (mardy, Nov 10, 2022)
eeaec37 cmd/snap-update-ns: explicitly specify ownership of mount profile (mardy, Nov 10, 2022)
9da1bc8 snap-confine: move AppArmor check earlier (mardy, Nov 15, 2022)
461ae9a snap-confine: remove calls to sc_set_effective_identity() (mardy, Nov 8, 2022)
87cd9ae packaging: set capabilities (Meulengracht, Jan 2, 2024)
4385c73 cmd/make: setcap capabilities when using 'hack' target (bboozzoo, Feb 21, 2025)
b4b97b8 cmd/make: install-exec-hook is no longer needed (bboozzoo, Feb 21, 2025)
b18f4a5 cmd/snap-confine: raise root privileges before creating the cgroup fr… (bboozzoo, Jan 23, 2025)
0e99a15 snapcraft: set snap-confine capabilities (bboozzoo, Jan 24, 2025)
51f4099 tests/main/snap-confine-caps: verify snap-confine file capabilities (bboozzoo, Feb 18, 2025)
382ce05 snapcraft: workaround snap pack xattr support HACK (bboozzoo, Feb 18, 2025)
34613bd github: snap-builds: use fakeroot when extracting (bboozzoo, Feb 18, 2025)
26649d9 cmd/libsnap-confine-private: mkdir(at) & chmod helpers (bboozzoo, Feb 19, 2025)
e29ebbc cmd/configure: check whether libcap supports cap_set_ambient (bboozzoo, Feb 21, 2025)
704b6d2 cmd: provide alternative cap_set_ambient, cap_reset_ambient (bboozzoo, Feb 20, 2025)
804bcc1 cmd/snap-confine/mount: TODOs (bboozzoo, Feb 21, 2025)
4d5fc9a cmd/libsnap-confine-private: nonsetuid TODO (bboozzoo, Feb 21, 2025)
1e9564e cmd/snap-confine: consolidate on using libcap and smart capability ha… (bboozzoo, Feb 21, 2025)
162e8b7 data/selinux: update SELinux policy (bboozzoo, Feb 21, 2025)
149f4fb cmd/libsnap-confine-private/tool: do not change identity when switchi… (bboozzoo, Feb 25, 2025)
ee9ac50 cmd/snap-update-ns/bootstrap: verify capabilities, no uid switching (bboozzoo, Feb 25, 2025)
91e4949 cmd/snap-confine: drop unnecessary s-u-n caps (bboozzoo, Feb 25, 2025)
375e233 cmd/libsnap-confine-private/privs: simplify dropping privileges (bboozzoo, Feb 25, 2025)
6af630a cmd/snap-discard-ns: assert process capabilities (bboozzoo, Feb 26, 2025)
0159d2c cmd/libsnap-confine-private/tool: no identity change when invoking sn… (bboozzoo, Feb 26, 2025)
db89a7f tests/main/progress: collect verbose debug log from socat (bboozzoo, Feb 26, 2025)
bd9a522 fixup! tests/main/snap-confine-caps: verify snap-confine file capabil… (bboozzoo, Feb 26, 2025)
cf31fea fixup! data/selinux: update SELinux policy (bboozzoo, Feb 26, 2025)
fb92de0 tests/main/snap-quota: explicitly remove all created groups during re… (bboozzoo, Feb 26, 2025)
c304154 tests/main/snap-confine-undesired-mode-group: fix wording and checks (bboozzoo, Feb 26, 2025)
packaging: set capabilities
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Meulengracht authored and bboozzoo committed Feb 26, 2025
commit 87cd9ae3671b61808e0be63a0a4c5d4355e7da44
2 changes: 1 addition & 1 deletion packaging/arch/PKGBUILD
Expand Up @@ -8,7 +8,7 @@

pkgname=snapd
pkgdesc="Service and tools for management of snap packages."
depends=('squashfs-tools' 'libseccomp' 'libsystemd' 'apparmor')
depends=('squashfs-tools' 'libseccomp' 'libsystemd' 'libcap' 'apparmor')
optdepends=('bash-completion: bash completion support'
'xdg-desktop-portal: desktop integration')
pkgver=2.68
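Review bot: the new 'libcap' entry in depends is required because snapd.install in this same commit calls /usr/bin/setcap, which libcap provides; on Arch the package also ships the headers, so no separate makedepends entry is needed if snap-confine itself now links against libcap. Nothing else to flag in this hunk.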
4 changes: 4 additions & 0 deletions packaging/arch/snapd.install
@@ -1,5 +1,9 @@
## arg 1: the new package version
post_install() {
/usr/bin/setcap \
cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace,cap_setuid,cap_setgid=p \
/usr/lib/snapd/snap-confine

echo
echo 'To use snapd start/enable the snapd.socket'
echo
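Review bot: only post_install() applies the file capabilities. Because the package itself does not carry the xattr (otherwise this hook would be unnecessary), every upgrade replaces /usr/lib/snapd/snap-confine with an unprivileged copy, so a post_upgrade() that runs the same setcap (commonly `post_upgrade() { post_install; }`) is needed or snap-confine stops working after the first package update. The nine-capability string is also hard-coded here and repeated verbatim in the other packaging files this commit touches; keeping one copy and generating the rest would prevent the lists drifting apart. Note too that the grant is permitted-only (`=p`), so snap-confine starts with no effective privileges and must raise what it needs itself; that is the intended model for this series, but worth stating in the commit message.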
6 changes: 6 additions & 0 deletions packaging/debian-sid/snapd.postinst
Expand Up @@ -36,6 +36,12 @@ case "$1" in
fi
# Ensure that the void directory has correct permissions.
chmod 111 /var/lib/snapd/void

# TODO update caps
setcap \
cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace,cap_setuid,cap_setgid=p \
/usr/lib/snapd/snap-confine
;;
esac

#DEBHELPER#
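Review bot: the postinst now requires setcap at configure time, but debian-sid's control file is not part of this commit, so confirm that libcap2-bin (which ships setcap) is already a Depends; otherwise configure fails on a minimal system. The `# TODO update caps` marker should be resolved or reworded before this leaves draft. Failing hard if setcap cannot apply the xattr (for example on a filesystem without xattr support) is the right behaviour, since a snap-confine without capabilities is unusable; just make sure the script runs under `set -e` so that failure is not silently ignored.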
6 changes: 3 additions & 3 deletions packaging/fedora/snapd.spec
Expand Up @@ -901,8 +901,9 @@ make -C data -k check
%license COPYING
%dir %{_libexecdir}/snapd
# For now, we can't use caps
# FIXME: Switch to "%%attr(0755,root,root) %%caps(cap_sys_admin=pe)" asap!
%attr(4755,root,root) %{_libexecdir}/snapd/snap-confine
# TODO:nonsetuid: update caps
# TODO:nonsetuid: use define
%caps(cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace,cap_setuid,cap_setgid=p) %{_libexecdir}/snapd/snap-confine
%{_libexecdir}/snapd/snap-device-helper
%{_libexecdir}/snapd/snap-discard-ns
%{_libexecdir}/snapd/snap-gdb-shim
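Review bot: the removed FIXME asked for `%attr(0755,root,root) %caps(cap_sys_admin=pe)`, while the replacement grants nine capabilities in the permitted set only and drops the explicit %attr entirely; please keep `%attr(0755,root,root)` in front of `%caps(...)` so the mode no longer depends on what the build happened to produce, given the file was 4755 until now. The two `TODO:nonsetuid` comments should become the `%global` they ask for (e.g. `%global snap_confine_caps cap_dac_override,...,cap_setgid=p`) so the list is defined once in the spec. Also note for reviewers that the set still includes cap_setuid and cap_setgid, so the binary can still become root when it chooses to; the gain over 4755 is that it starts without effective privilege, not that it cannot obtain it.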
Expand Down Expand Up @@ -1004,7 +1005,6 @@ if [ $1 -eq 0 ]; then
fi
%endif


%changelog
* Thu Feb 13 2025 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.68
3 changes: 2 additions & 1 deletion packaging/opensuse/permissions
@@ -1 +1,2 @@
/usr/lib/snapd/snap-confine root:root 4755
# TODO set caps
/usr/lib/snapd/snap-confine root:root 0755 +capabilities cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace,cap_setuid,cap_setgid=p
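Review bot: the `# TODO set caps` comment now sits directly above a line that already sets them; drop it or say what is still outstanding. The chkstat syntax (`+capabilities cap_...=p`) is the right form, but the accompanying spec hunk in this commit only adjusts %verify, so double-check that the spec still runs the %set_permissions / %verify_permissions scriptlets for /usr/lib/snapd/snap-confine, otherwise the 0755 mode and the capabilities are never applied at install time.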
3 changes: 2 additions & 1 deletion packaging/opensuse/permissions.easy
@@ -1 +1,2 @@
/usr/lib/snapd/snap-confine root:root 4755
# TODO set caps
/usr/lib/snapd/snap-confine root:root 4755 +capabilities cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace,cap_setuid,cap_setgid=p
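Review bot: this profile keeps the setuid bit (4755) and adds file capabilities, whereas permissions and permissions.secure switch to 0755. When a setuid-root binary also carries file capabilities the kernel skips its usual "raise all capabilities for root" rule and logs a "has both setuid-root and effective capabilities" warning, so the result is uid 0 with only the nine listed capabilities permitted, which is neither the old behaviour nor the new one. Unless the easy profile is meant to remain setuid on purpose, this should be 0755 like the other two.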
2 changes: 1 addition & 1 deletion packaging/opensuse/permissions.paranoid
@@ -1 +1 @@
/usr/lib/snapd/snap-confine root:root 755
/usr/lib/snapd/snap-confine root:root 755
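Review bot: the removed and added lines are identical as rendered, so this is presumably a whitespace or trailing-newline change; say so in the commit message. Note that the paranoid profile grants snap-confine neither setuid nor capabilities, as before, and is now the only profile without a `+capabilities` entry.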
3 changes: 2 additions & 1 deletion packaging/opensuse/permissions.secure
@@ -1 +1,2 @@
/usr/lib/snapd/snap-confine root:root 4755
# TODO set caps
/usr/lib/snapd/snap-confine root:root 0755 +capabilities cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace,cap_setuid,cap_setgid=p
3 changes: 2 additions & 1 deletion packaging/opensuse/snapd.spec
Expand Up @@ -462,7 +462,8 @@ fi
%ghost %{_sharedstatedir}/snapd/state.json
%ghost %{_sharedstatedir}/snapd/system-key
%ghost %{snap_mount_dir}/README
%verify(not user group mode) %attr(04755,root,root) %{_libexecdir}/snapd/snap-confine
# TODO update caps
%verify(not caps) %attr(0755,root,root) %{_libexecdir}/snapd/snap-confine
%{_bindir}/snap
%{_bindir}/snapctl
%{_datadir}/applications/io.snapcraft.SessionAgent.desktop
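Review bot: narrowing `%verify(not user group mode)` to `%verify(not caps)` will make `rpm -V` report a mode mismatch on any system where chkstat applied permissions.easy, which in this commit still sets 4755; either keep `mode` in the exclusion list or make all the permissions profiles agree on 0755. The `# TODO update caps` comment inside the %files section also needs resolving before merge.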
7 changes: 7 additions & 0 deletions packaging/ubuntu-16.04/snapd.postinst
Expand Up @@ -70,6 +70,13 @@ case "$1" in
if dpkg --compare-versions "$2" lt-nl "2.45.2"; then
pkill -f "snap userd" || true
fi

# TODO update caps
setcap \
cap_dac_override,cap_dac_read_search,cap_sys_admin,cap_sys_chroot,cap_chown,cap_fowner,cap_sys_ptrace,cap_setuid,cap_setgid=p \
/usr/lib/snapd/snap-confine

;;
esac

#DEBHELPER#
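Review bot: same concern as debian-sid: the postinst now depends on setcap from libcap2-bin and ubuntu-16.04's control file is not in this commit, so confirm the dependency is present. The stray blank line before `;;` and the `# TODO update caps` marker should go. Since this is the same capability string that every other packaging file in this commit carries, this is a good place to start reading it from a single source instead of pasting it per distribution.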