/srv/irclogs.ubuntu.com/2021/06/30/#snappy.txt

=== Ringtailed_Fox is now known as RingtailedFox
mborzeckimorning04:54
mborzeckimorning04:55
mardymborzecki: hi!04:59
mborzeckimardy: heya05:00
mborzeckimardy: have you figured out that mount control interface?05:01
wezHi, does snappy plan on moving away from squashfs at some point?  My CPU and CPU fan would appreciate it.05:22
mardymborzecki: the only question left is why we accept a list of types for the mount, rather than a single type. But it's a detail, not blocking me05:45
mborzeckiwez: not that i'm aware of, but different compression methods are in use, lzo iirc which should be much more cpu friendly05:46
mardywez: you might find this relevant: https://forum.snapcraft.io/t/squashfs-performance-effect-on-snap-startup-time/1392005:49
pedronisI need to re-review this but it also needs other reviews https://github.com/snapcore/snapd/pull/1042006:39
pstolowskimorning07:07
mborzeckipstolowski: hey07:09
mvogood morning pstolowski, mborzecki and pedronis 07:10
mborzeckipedronis: and good morning to you too07:10
wezmborzecki, mardy: Thank you both!07:11
mborzeckimvo: hey, thanks for landing that PR07:12
mardyfrom 1 to 10, how horrible would it be if from interfraces/buildin/mount-control.go I called the resolveSpecialVariable() function defined in content.go? :-)07:20
zyga-mbpgood morning07:20
zyga-mbpmardy: hmmm07:20
mvogood morning mardy and zyga-mbp 07:20
zyga-mbpmardy: there are two functions like that and I don't think they are exactly the same (unfortunately)07:21
mardyfor the time being I'll just replicate the method with another name, and then -- if confirmed that I really need it -- I can move it to another file and share it across the two interfaces07:21
mardyhi zyga-mbp, mvo 07:21
zyga-mbpmardy: I'm sick today so my memory is rusty but IIRC they don't allow the exact same things07:21
zyga-mbpbut give it a try and ping me for a review, I'll gladly look07:21
mardyzyga-mbp: currently there's just one function, it's resolveSpecialVariable() in content.go. Now I'm writing a new interface (mount-control), and I think I could use the same function07:22
zyga-mbpmardy: there's another function that looks and feels like resolve special variable07:22
zyga-mbpI really don't remember where but there are two07:22
zyga-mbpmvo: hey :)07:23
pedronismvo: do I misremember:  https://github.com/snapcore/snapd/pull/10449#discussion_r661199310 ?07:25
mardymvo: I think you once mentioned that protecting filesystem resources via chroot and namespaces is insecured as it can be trivially bypassed; that only applies if plain chroot() is used, right? Or is pivot_root unsecure too?07:35
mardy(it's not related to what I'm working on, it's just a curiosity)07:36
mvopedronis: I think you are right, was mostly wondering what we should do for corner cases like a pi that has no config.txt for some reason and someone sets pi-config.some-option=1. but otoh I'm not even sure a system without config.txt will even boot07:36
mborzeckimardy: you want pivot_root, chroot can be trivially bypassed07:36
zyga-mbpmardy: pivot_root breaks apparmor if you think about it 07:36
zyga-mbpmardy: chroot is IIRC now unprivileged and doesn't really buy much security 07:37
mborzecki`sshpass -p ubuntu ssh -p 8022 -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user1@localhost date -d tomorrow "+%Y-%m-%d %T"` hmm gives `date: extra operand ‘%T’`07:37
mborzeckibut `sshpass -p ubuntu ssh -p 8022 -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user1@localhost sh -c 'date -d tomorrow "+%Y-%m-%d %T"'` works as expected07:37
mborzeckioh how i hate shell quoting07:38
mvomardy: not sure I said this about namespacing, but definitely about chroot. let me quickly look at pivot_root07:40
mborzeckihm nope, still broken07:41
zyga-mbpmvo: pivot_root affects apparmor path resolution07:41
zyga-mbpmvo: if you can mount and pivot_root you can break out of the sandbox07:42
mborzeckihmm hmm, so passing parameters with spaces to nested_exec is broken07:43
mborzeckiand that's because sshpass appears to do the wrong thing07:43
mborzeckioh well, i'm just dump07:48
mborzeckidumb07:48
mardyzyga-mbp: you mean, one could mount a partition like /dev/sda1 and the re-pivot to that, or something else? If one does not expose /dev/sd* (and other block devices) to the chroot, would you still be able to escape?07:54
zyga-mbpmardy: so first of all, the apparmor profile allows you do do certain things07:55
zyga-mbpbut all that is based on paths07:55
zyga-mbppivot_root lets you create arbitrary new place that apparmor thinks is /07:55
zyga-mbpso if we allow you do do anything in $SNAP_DATA07:55
zyga-mbpyou can put the entire system in $SNAP_DATA07:55
zyga-mbpand then modify snapd state.json07:55
zyga-mbpand that's it07:55
zyga-mbpas for your question07:56
zyga-mbpagain, it all depends07:56
zyga-mbpif there's a way for you to mount a block device all hope is lost07:56
zyga-mbpall snaps see device nodes in /dev07:56
zyga-mbpif apparmor was not blocking mounts, you'd be able to break out easily07:57
zyga-mbpI'm not sure exactly how powerful you want mount-control to be07:57
zyga-mbpthere are ranges of options here07:57
zyga-mbpfrom super-privileged to mildly privileted07:57
zyga-mbp*privileged07:57
mardyzyga-mbp: my concern is about distros where we don't have apparmor; would security there be improved, if we setup a chroot (with pivot_root) and didn't mount /dev/ block devices into that?07:57
zyga-mbpthere are now interesting ways to do mount mediation07:57
zyga-mbplxd is using some of that07:58
zyga-mbpmardy: no07:58
zyga-mbpmardy: without apparmor the sandbox is entirely ineffective today07:58
zyga-mbpmardy: you can just spin up a service that runs as root, talk to udisks and ask it to mount whatever you want07:59
zyga-mbpmardy: this is just a random example, I'm sure there are countless other attacks that entirely break out of the sandbox07:59
zyga-mbpmardy: I mean, without apparmor you can just go to hostfs and modify /boot08:00
zyga-mbpor drop a new systemd unit08:00
zyga-mbpor whatever08:00
mardyzyga-mbp: right, but then udisks itself is a rather privileged interface, I guess?08:00
zyga-mbpmardy: without apparmor, there is no control over what dbus traffic is allowed08:00
zyga-mbpmardy: on a Fedora system or on a Debian system where dbus is not mediated by apparmor, you can break out instantly 08:00
pedroniszyga-mbp: mount-control will be superprivileged, also like system-files it will have allow lists about device and mountpoints08:06
zyga-mbppedronis: for a super-privileged interface things are easier08:07
zyga-mbpif the interface also comes with a list of what is effectively allowed08:07
zyga-mbpyou can synthesize the apparmor profile that captures that08:07
zyga-mbpthere's one complexity though08:07
zyga-mbpwe don't have any logic that would react to the snap performing some mounts in arbitrary places08:08
zyga-mbpand the mount profile being updapted08:08
zyga-mbpit's likely that a mount performed by the snap itself08:08
zyga-mbpwill either be undone by any mount changes done by snap-update-ns (and those can happen just because some other snap refreshes)08:08
zyga-mbpor worse, snap-update-ns can fail, leaving the mount namespace of that snap in a corrupted state08:08
pedronisI understand but the main use case is actually super privileged, is about mounts int the host, not even the snap namespace08:09
pedronisanyway another reason to have a allow list, I would expect some mounts to make no sense, or be very fragile because of the namespace08:10
zyga-mbppedronis: can you give me an example of what might be mounted?08:12
zyga-mbpI'm asking because there's one more special bit that is relevant here08:13
zyga-mbppropagation settins08:13
zyga-mbp*settings08:13
zyga-mbpcurrently snaps cannot technically mount anything that would show up on the host, except for the /mnt directoy08:13
zyga-mbpto be clear: if a snap is allowed to do any mounts, and then mounts something on the host's /foo/bar, then that will not be really visible on the host's default mount namespace08:14
pedroniszyga-mbp: we will do also persistent mounts on behalf of snaps, via snapctl likely as there isn't thing that we can easily mediate that allows for that08:14
zyga-mbpbecause that mount event will not reach the hosts default mount namespace 08:14
zyga-mbppedronis: we could do the same thing that lxd is doing, seccomp based mount mediation08:14
pedronisI said persistent, I mean fstab or mount units08:15
zyga-mbpmardy: do you know about how snap-confine sets up /mnt or /media for mount event propagation?08:15
zyga-mbppedronis: I see08:15
zyga-mbpso the actual mount would happen on the host08:15
zyga-mbpnot in the snap08:15
zyga-mbp(mount namespace)08:15
pedronissometimes yes08:15
zyga-mbppedronis those are probably least problematic then08:18
zyga-mbpsince they can only affect hostfs and not what snap-update-ns does 08:18
mborzeckiheh, opensuse TW has ssh configuration in /usr/etc/ now08:21
mborzeckithe /etc/ssh/ directory is almost empty, definitely there's no ssh_config there08:22
pedroniszyga-mbp: afaict only /media (and /run/netns) are setup bidirectional in snap-confine, /mnt isn't08:23
zyga-mbpmborzecki: WAT? /usr/etc?08:32
mborzeckizyga-mbp: yeah, see https://build.opensuse.org/request/show/88879908:32
mborzeckizyga-mbp: they went through /usr/share/ssh at first ;)08:32
zyga-mbppedronis: my memory may have been rusty08:32
zyga-mbppedronis: you are right, and there's also /run/media depending on distro08:33
zyga-mbpmborzecki is that a FHS compliant location08:33
mborzeckihm idk, /usr/local/etc would be, but not quite sure about /usr/etc08:34
mborzeckinot that i care much either08:34
mborzeckizyga-mbp: and tbh with immutable hosts, i'm not sure people care that much about it still08:36
zyga-mbpmborzecki: yeah but remember the /snap drama08:36
zyga-mbpoh my they said08:36
mborzeckiwell, i guess it depends on who makes the change ;)08:37
mborzeckithe preseed spread test is failing now that lxd switched to core2008:53
pedronismborzecki: didn't you just merge the fix for that?09:02
mborzeckipedronis: yeah, was about to fix that when i found a pr from sergio that was ready to land09:03
pedronismborzecki: I merged your cgroup.freeze PR09:04
mborzeckipedronis: thanks!09:04
mborzeckipedronis: i think i've found a bug, the seed system that gets created has the old model, even though the right assertion seems to be passed around09:53
mborzeckipedronis: seedwriter fetches the model from the db?09:54
mborzeckiso if the new model is just a revision bump, and isn't passed to the db, it will get the old one?09:55
pedronismborzecki: it depends what db is used, the db used for the create from current probably doesn't make sense for the remodel case10:23
mborzeckipedronis: yeah, that's the one that is used10:23
pedronismborzecki: there's probably a couple of ways to fix this, I'm having my lunch break. We can chat quickly after the standup?10:27
mborzeckipedronis: hm i think i can create one through WithStackedBackstore() ?10:27
mborzeckipedronis: sure, enjoy your lunch10:27
pedronismborzecki: yes, that's one of the possible options to fix this10:27
mardyzyga-mbp: nope, I haven't digged into snap-confine yet10:42
pstolowskipedronis: i've proposed refresh control spread test - https://github.com/snapcore/snapd/pull/10476 - as well as a simple bugfix in the prerequisite pr11:09
pedronispstolowski: thx,  I think I mentioned this already, but I reviewed the wait-chain PRs11:11
pstolowskipedronis: yes, thanks, i'm updating them right now11:11
pedronispstolowski: I'm starting something, I'll look at the simple fix in a bit11:13
pstolowskisure, ty11:17
mborzeckipedronis: opened a proposal: https://github.com/snapcore/snapd/pull/1047711:43
mardyI'm creating a snap using snap pack, and I want to run mount(8) in it. I copied its dependencies to the snap, properly set LD_LIBRARY_PATH, but I get a segfault inside libc when running it. Any idea on what I could be doing wrong?11:48
mborzeckipstolowski: can you take a look at https://github.com/snapcore/snapd/pull/10477 ? 11:52
pstolowskimborzecki: sure11:52
mborzeckimardy: snap run --strace or snap run --gdbserver11:52
mborzeckiunless the backtrace is already useful :)11:53
mvomardy: does it have to be "mount(8)" or could you simply use the mount binary? did you try to link statically?11:53
mborzeckitbh segfault is a bit unexpected, it'd expect it to fail gracefully11:54
mborzeckias in `cannot mount because reasons` & non 0 exit11:54
mardymborzecki: [pid 187371] mprotect(0x7f606bed1000, 4096, PROT_READ) = 011:58
mardy[pid 187371] mprotect(0x7f606c110000, 16384, PROT_READ) = 011:58
mardy[pid 187371] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xe} ---11:58
mardymvo: I was just being lazy and did not want to build a binary myself, so I wanted to use a shell script for testing11:58
mardyit's not only mount that it's segfaulting, also "grep" gets terminated in the same way11:59
mborzeckimardy: hmm looks like some callback through a function pointer in a structure, that address is very low12:00
mborzeckiprobably gdb would be more useful if you want to try it (and explote the tooling at the same time)12:00
pstolowskimborzecki: a simple one https://github.com/snapcore/snapd/pull/1046112:08
mborzeckipstolowski: sure12:09
mardymborzecki: nice! But it does not help much, I see the same 0xe address in the backtrace, and not much else:12:13
mardy#0  0x000000000000000e in ?? ()12:14
mardy#1  0x00007f7c9e180119 in ?? ()12:14
mardy#2  0x0000000000000000 in ?? ()12:14
mborzeckimardy: hm try running `set sysroot /snap/<your-base>/<revision>` and then `set solib-search-path /snap/<your-base>/<revision>/<usual lib dirs>`12:14
mborzeckipedronis: so you're saying this should be taken care of in the fetcher we pass to seedwriter?12:33
mardymborzecki: didn't help. I guess I'll have to drop "snap pack" and use snapcraft instead12:34
pedronismborzecki: I commented a bit more12:51
mborzeckipedronis: ah, ok, that is clear now12:52
pedronisdegville: this is the phrasing confusion issue I mentioned in the standup: https://github.com/snapcore/snapd/pull/10478/files#r66150685314:05
degvillepedronis: thanks. Taking a look now.14:06
pstolowskithanks14:10
mardyI moved to python now, and I'm getting another weirdness :-) If I print the python version by running the program directly (without snappy), I get: 3.8.5 (default, May 27 2021, 13:30:53)14:27
mardybut when I run the snap (just built with "snap pack"), I get 3.5.2 (default, Jan 26 2021, 13:30:48)14:27
pstolowskicachio__: can you take a look at https://github.com/snapcore/snapd/pull/10470 ?14:28
mardythere's no python inside the snap, so where is it finding version 3.5.2 from?14:28
cachio__pstolowski, sure14:29
pstolowskineed 2nd review for a simple bugfix: https://github.com/snapcore/snapd/pull/1047514:32
* cachio__ lunch15:28
mvopedronis: is 10449 something you want to have a final look over or are you okay with the reviews it has?16:18
mvopedronis: the "# snap-edit: no" header PR16:18
jdstrandI haven't read all backscroll, but note that the seccomp backend mediates mount and the device cgroup mediates a lot of what is in /dev (I say a lot because there is some interplay with apparmor, but apparmor relies on the device cgroup currently for hotpluggable things, etc to avoid a policy recomplile in the udev helper)17:17
jdstrandwe could choose to enable those backends on systems without apparmor. we've not historically since, as mentioned, things like dbus could allow breakout (eg, udisks)17:18
jdstrandsince we wouldn't want to make security claims, we've historically chosen to not enable all the available backends since that would complicate testing and support due to combinatorics17:20
jdstrand(all the available backends on non-strict systems like Fedora or Debian). That said, Debian should be getting close. talk to amurray (or jj) for status17:21
jdstrandwe did do it for tumbleweed. I can't recall if we did it anywhere else...17:22
jdstrandas for a snap helper to facilitate mounts, that seems quite reasonable, easy to mediate from within the helper and something that could be done on any kernel17:26
sergiusensjdstrand hey there! just to add to your list, Manjaro should also be using strict confinement these days17:40
sergiusensmardy your python 3.5.2 probably comes from the base snap (core I believe), set snap.yaml to base: core18|20 for a newer python :-)17:40
sergiusensmardy or run `python3 -c "import sys; print(sys.executable)"` to find out where python comes from :-)17:42
=== alan_g_ is now known as alan_g
jdstrandsergiusens: hi! oh yes, manjaro has been there for a while. there is a list that I did in the forum at some point22:48

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!