-
Notifications
You must be signed in to change notification settings - Fork 574
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
c/snap-confine, i/udev, i/ifacetest: update snap-confine and snap-device-helper to understand component hook security tags #13775
c/snap-confine, i/udev, i/ifacetest: update snap-confine and snap-device-helper to understand component hook security tags #13775
Conversation
6c5ad3b
to
acc399d
Compare
shellcheck appears to be unhappy:
|
5e4f87d
to
236f2ea
Compare
Codecov ReportAttention: Patch coverage is
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #13775 +/- ##
==========================================
- Coverage 78.72% 78.71% -0.02%
==========================================
Files 1053 1053
Lines 137711 138127 +416
==========================================
+ Hits 108419 108731 +312
- Misses 22494 22580 +86
- Partials 6798 6816 +18
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
c43b233
to
429cad9
Compare
035b839
to
c5d6971
Compare
eb91528
to
c9a9f92
Compare
73fa729
to
6cd4807
Compare
c3f7fdf
to
1582077
Compare
a7b0050
to
cb379d3
Compare
bcb8dbc
to
686b2f6
Compare
…to validate_as_snap_or_component_name
…to take in error details
…_validate Make sure it fails to validate component names with instance keys, test that we fail to validate a component name that matches against a wrong instance key.
57e087f
to
0bb442b
Compare
It looks like the inclusive naming check is picking up some of the snap-confine files that were changed. I think that we probably don't want to include a bunch of renames in this PR, but we don't have a way to skip that check right now. I could add a tag (and a check in the action for that tag) that would allow us to skip it if we want. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, some comments but mainly nitpicks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
char *prefix, size_t prefix_size, | ||
char *suffix, size_t suffix_size) | ||
{ | ||
if (string == NULL) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe those are too evident, but we may still want to add a couple of simple test cases for (string == NULL) and (prefix == NULL && suffix == NULL)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Done in fc05b1b.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just one minor comment about some extra tests, but feel free to ignore it if you think they do not add much value.
I think it will be worth giving @alexmurray a chance to take a look at it before merging just to be sure I'm not overlooking anything
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please check my comment on reverse_component_separator_encoding
. I left some nitpicks in othe places.
} | ||
if (n > SNAP_NAME_LEN) { | ||
err = sc_error_init(SC_SNAP_DOMAIN, err_code, | ||
"%s must be shorter than 40 characters", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can use some preprocessor magic to inject SNAP_NAME_LEN as a value there, at compile time, with #SNAP_NAME_LEN. See https://gcc.gnu.org/onlinedocs/cpp/Stringizing.html
Alternatively just %d
and pass the limit as an argument.
* | ||
* For example: | ||
* snap+component => "snap" & "component" | ||
* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please clarify that snap name and component name are copied into the given buffers.
* | ||
* The size of prefix must be large enough to hold the prefix part of the | ||
* string, and the size of suffix must be large enough to hold the suffix part | ||
* of the string. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking about this and I kind of think that it's "probably" better to just use strdup
+strtok
instead.
No need to fuss around with buffers and handle them by hand. One allocation for all the needs for handling typical tag names. Each token can be replaced with \0
for a ready-to-use string.
// expression currently contains 9 capture groups, but we only care about these 3, | ||
// which unfortunately are not within the first 3 submatches, but rather group 1, | ||
// 2, and 7, so for completeness capture all the groups. | ||
enum { num_matches = 9 }; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick, this should probably be just const int, enum feels not much like C.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using a const int
would result in this being a variable-length array, if you compile with -Wvla
, you'll see a warning.
Example:
phelps@arch ~/tmp> cat main.c
int main() {
const int size = 10;
int array[size];
return 0;
}
phelps@arch ~/tmp> gcc -Wvla -o main ./main.c
./main.c: In function ‘main’:
./main.c:3:5: warning: ISO C90 forbids variable length array ‘array’ [-Wvla]
3 | int array[size];
| ^~~
phelps@arch ~/tmp> cat other.c
int main() {
enum { size = 10 };
int array[size];
return 0;
}
phelps@arch ~/tmp> gcc -Wvla -o main ./other.c
Alfonso suggested the enum over a #define
, but I don't really have a strong opinion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TIL
{ | ||
/* Don't even check overly long tags. */ | ||
if (strlen(security_tag) > SNAP_SECURITY_TAG_MAX_LEN) { | ||
return false; | ||
} | ||
const char *whitelist_re = | ||
"^snap\\.([a-z0-9](-?[a-z0-9])*(_[a-z0-9]{1,10})?)\\.([a-zA-Z0-9](-?[a-zA-Z0-9])*|hook\\.[a-z](-?[a-z0-9])*)$"; | ||
"^snap\\.([a-z0-9](-?[a-z0-9])*(_[a-z0-9]{1,10})?)(\\.[a-zA-Z0-9](-?[a-zA-Z0-9])*|(\\+([a-z0-9](-?[a-z0-9])*))?\\.hook\\.[a-z](-?[a-z0-9])*)$"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should clarify exactly what is the allowed pattern, as now there's a disagreement between snapd and snapcraft. Can you circle back to the spec and make sure it says what is allowed (digits).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I'll follow up on some string operations but this is okay.
This PR teaches
snap-confine
andsnap-device-helper
how to parse security tags that represent component hooks.An example of a security tag from a component hook would be:
snap.name+comp.hook.install
And one with an instance key:
snap.name_instance+comp.hook.install
Something important to note is how these are encoded as udev tags. Currently, when converting a security tag to a udev tag, we replace all
.
characters in the tag with_
characters because systemd limits udev tags to having only alphanumeric characters, with the addition of the characters-
and_
. Since security tags can now contain+
characters, those will be encoded as two consecutive
_
characters.For example:
This allows the conversion to maintain its reversibility.