Wednesday 15 August 2018

Re: RFC: baseline requirements for Ubuntu rootfs: xattrs and fscaps

On Mon, 2018-08-06 at 23:23 +0100, John Lenton wrote:
> On Mon, 6 Aug 2018 at 22:53, Steve Langasek <steve.langasek@ubuntu.co
> m> wrote:
> >
> > Thanks, that's a useful data point. Do you think it is a practical
> > concern
> > for snaps if an Ubuntu rootfs uses fscaps? Is this an argument
> > against
> > allowing fscaps in Ubuntu, or should it just be a matter for
> > snapcraft to
> > warn/error about on creation, guiding users to using setuid
> > instead?
> >
> > As a worked example: the core snap does ship /bin/ping, which is
> > currently
> > setuid-root in Ubuntu but would move to fscaps in this
> > proposal. (The core
> > snap does not include mtr-tiny.) What do you believe is the
> > correct outcome
> > here for /bin/ping in a future ubuntu core 20 snap?
>
> Given that fine-grained fscaps are better than blanket setuids, I
> expect core 20 to embrace them wholeheartedly.
> However, getting there will involve the whole
> snapcraft/snapd/review-tools/snapstore stacks for at least a little
> bit of work.
>
> We need to sit down and decide what shape that support is going to
> take (basically: can everybody have xattrs & fscaps, or is it just
> base snaps? any base snap, or only core? policy decisions, involving
> security). I don't expect it to be controversial, unless we want to
> enable a snapped application to use fscaps.
>
FYI, I don't think we should blindly allow fscaps for 'app' snaps since
this is a huge can of worms. *But* we can and in fact already do allow
fscaps (and setuid, setgid, non-root uids, etc, etc) in the privileged
base and os snaps.

> We need to do a bit of research _today_, because already 16.04 has
> tools that rely on fscaps: this conversation has had me notice that
> systemd-detect-virt, that we ship in core and use from snapd in a
> couple of places (and in particular to check whether we need to use
> squashfuse) is using caps instead of setuid, meaning that in core for
> a regular user it probably won't work properly. So we'll need to look
> into exactly how it's being used; I _think_ we're testing them as
> root, and only expect to be using them as root, but we'll have to
> chase it down.

I suspect if you built the core snap without -no-xattrs, it would work.
It might not, but IMO that would be a bug (I certainly would expect
them to in os and base snaps).

--
Jamie Strandboge | http://www.canonical.com