Merge lp:~jdstrand/snap-confine/security-review-fixes into lp:~snappy-dev/snap-confine/trunk
| Status | Merged |
|---|---|
| Merged at revision | 110 |
| Proposed branch | lp:~jdstrand/snap-confine/security-review-fixes |
| Merge into | lp:~snappy-dev/snap-confine/trunk |
| Diff against target | 492 lines (+150/-110), 8 files modified |
| To merge this branch | bzr merge lp:~jdstrand/snap-confine/security-review-fixes |
| Related bugs | |

Files modified:
- debian/changelog (+3/-0)
- src/main.c (+25/-25)
- src/seccomp.c (+46/-33)
- src/utils.c (+2/-1)
- tests/test_bad_seccomp_filter_length (+20/-0)
- tests/test_bad_seccomp_filter_missing_trailing_newline (+17/-0)
- tests/test_create_user_data (+7/-51)
- tests/test_unrestricted_missed (+30/-0)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Tyler Hicks (community) | | | Needs Fixing |
| Snappy Developers | | | Pending |

Review via email: mp+290156@code.launchpad.net
Description of the change
Various fixes to address Seth's feedback:
- cleaned up 'out' handling and die instead
- fixed the typo
- verify snprintf() >= 512 (I increased this length) and added tests
- add test for filter missing trailing newline (I didn't change the line-too-long handling, but did add tests and verify we must end with a trailing newline)
- use strcmp() with "@unrestricted"; add @unrestricted near-miss tests
- use getresuid() instead of UBUNTU_
- replace getenv() with secure_getenv() everywhere we can
- check return code of fork()
- verify return code of fclose()
- simplified final execv()
In addition:
- don't support obsoleted SNAP_APP_TMPDIR and SNAP_APP_
- use uid_t and gid_t instead of unsigned
- check return codes of other (f)close()s to help futureproof
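As an added illustration (not code from snap-confine or from this merge), three of the checks listed above written out in generic C: the snprintf() truncation check against a 512-byte buffer, an exact strcmp() match for an "@unrestricted" filter line that must end with a newline, and an fclose() return check. Buffer size, the newline-terminated line format, and all sample inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: buffer length matching the 512 mentioned above. */
#define PATH_BUF_LEN 512

/* Build "dir/name" into buf. snprintf() returns the length the full string
 * would have had, so n >= len means truncation; reject that and negative n. */
int build_path_checked(char *buf, size_t len, const char *dir, const char *name)
{
    int n = snprintf(buf, len, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return 0;
}

/* Accept a filter line only if it is exactly "@unrestricted" plus the
 * mandatory trailing newline (assumed line format, as read by fgets()).
 * A whole-line strcmp(), not a prefix match, rejects near misses such as
 * "@unrestrictedx\n" or " @unrestricted\n", and a missing newline. */
int is_unrestricted_line(const char *line)
{
    return strcmp(line, "@unrestricted\n") == 0;
}

/* Write data to path and report failure from fclose() too: with buffered
 * stdio a write error may only surface at close, so an unchecked fclose()
 * can silently lose the file contents. */
int write_file_checked(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    if (fputs(data, f) == EOF) {
        fclose(f);
        return -1;
    }
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    char buf[PATH_BUF_LEN], small[8];
    printf("path ok: %d\n", build_path_checked(buf, sizeof buf, "/home/user", "snap"));
    printf("path truncated: %d\n", build_path_checked(small, sizeof small, "/home", "user"));
    printf("exact: %d near miss: %d\n", is_unrestricted_line("@unrestricted\n"),
           is_unrestricted_line("@unrestrictedx\n"));
    printf("unwritable path: %d\n", write_file_checked("/nonexistent-dir-for-example/f", "x\n"));
    return 0;
}
```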
I've completed a partial review. I still haven't gotten through all of the seccomp and test related changes. I'll complete that later this afternoon.