~mvo/snapd/+git/snapd-mvo:rework-seccomp-denylist-incoperate-global.bin

Last commit made on 2023-07-31
Get this branch:
git clone -b rework-seccomp-denylist-incoperate-global.bin https://git.launchpad.net/~mvo/snapd/+git/snapd-mvo

Branch information

Name:
rework-seccomp-denylist-incoperate-global.bin
Repository:
lp:~mvo/snapd/+git/snapd-mvo

Recent commits

21c2a05... by Michael Vogt

snap-{seccomp,confine}: replace global seccomp filter with template

The global.bin seccomp filter was written before we had support for
explicit deny rules in snap-seccomp. With these rules we can replace
the hard-to-follow logic of the global filter and just make the
rules part of the standard seccomp template.

The global rules are best summarized in this comment:
```c
struct scmp_arg_cmp no_tty_inject = {
    /* We learned that existing programs make legitimate requests with all
     * bits set in the more significant 32bit word of the 64 bit double
     * word. While this kernel behavior remains suspect and presumably
     * undesired it is unlikely to change for backwards compatibility
     * reasons. As such we cannot block all requests with high-bits set.
     *
     * When faced with ioctl(fd, request); refuse to proceed when
     * request&0xffffffff == TIOCSTI. This specific way to encode the
     * filter has the following important properties:
     *
     * - it blocks ioctl(fd, TIOCSTI, ptr).
     * - it also blocks ioctl(fd, (1UL<<32) | TIOCSTI, ptr).
     * - it doesn't block ioctl(fd, (1UL<<32) | (request not equal to TIOCSTI), ptr); */
    .arg = 1,
    .op = SCMP_CMP_MASKED_EQ,
    .datum_a = 0xffffffffUL,
    .datum_b = TIOCSTI,
};
sc_err = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), sys_ioctl_nr, 1, no_tty_inject);
```
and the same for `TIOCLINUX`.

c584cb0... by Michael Vogt

snap-{seccomp,confine}: rework seccomp denylist

When a denylist was introduced in PR#12849 we reached the limits
of the API of libseccomp and some things are now hard to reason
about [1]. This is mostly because what we try to do does not
match the libseccomp API very well and a slightly different
approach is probably more aligned with its design (see also
this libseccomp issue [2] that is related to our issue).

So this commit changes the approach and instead of trying to use
a single filter the work is split into two filters:
1. explicit allow list
2. explicit deny list

and then load both filters into the kernel. The way the kernel
works is that it selects the most restrictive action.

So in the case of PR#12849:
```
~ioctl - TIOCSTI
~ioctl - TIOCLINUX
ioctl
```
For `ioctl(TIOCLINUX)` the first allow filter would pass `ioctl`
but the second deny filter would correctly deny the TIOCLINUX.

The file format of the `snap.snap.app.bin` changes to `.bin2`
and includes a proper header that would allow us to extend more
easily in the future.

The existing tests for negative filtering were also updated so that
the deny/allow is tested via different errno numbers to ensure that
the expected filter denies the access.

The `snap-seccomp` spread test now also runs on all ubuntu releases.

This work will also allow us to remove the `global.bin` seccomp
filter in a followup PR.

[1] https://github.com/snapcore/snapd/pull/12849#discussion_r1206855700
[2] https://github.com/seccomp/libseccomp/issues/44
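As an added example (not code from snapd or from either commit above), the following C model shows the two mechanisms the seccomp commit messages above describe: the masked 32-bit comparison of the ioctl request word (`SCMP_CMP_MASKED_EQ` with mask `0xffffffff`), and an explicit allow filter combined with an explicit deny filter under the kernel's most-restrictive-action rule. The three-level action ordering, the `is_ioctl` flag and the fallback constants are assumptions of the model; it evaluates nothing against a real kernel filter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>

/* Linux values, used only as fallbacks where the header does not define them
 * (assumption: the model should also compile on non-Linux hosts). */
#ifndef TIOCSTI
#define TIOCSTI 0x5412
#endif
#ifndef TIOCLINUX
#define TIOCLINUX 0x541C
#endif

/* Ordered so that a larger value is the more restrictive action (model of
 * seccomp action precedence: kill > errno > allow). */
enum action { ACT_ALLOW = 0, ACT_ERRNO_EPERM = 1, ACT_KILL = 2 };

/* Model of SCMP_CMP_MASKED_EQ: (arg & datum_a) == datum_b. */
static bool masked_eq(uint64_t arg, uint64_t datum_a, uint64_t datum_b) {
    return (arg & datum_a) == datum_b;
}

/* Filter 1, the explicit allow list: the template line "ioctl" lets every
 * ioctl through; anything not on the list gets the default (kill) action. */
static enum action allow_filter(bool is_ioctl, uint64_t request) {
    (void)request;
    return is_ioctl ? ACT_ALLOW : ACT_KILL;
}

/* Filter 2, the explicit deny list: "~ioctl - TIOCSTI" and "~ioctl - TIOCLINUX",
 * comparing only the low 32 bits of the request word as no_tty_inject does. */
static enum action deny_filter(bool is_ioctl, uint64_t request) {
    if (is_ioctl && (masked_eq(request, 0xffffffffUL, TIOCSTI) ||
                     masked_eq(request, 0xffffffffUL, TIOCLINUX)))
        return ACT_ERRNO_EPERM;
    return ACT_ALLOW;
}

/* With both filters loaded the kernel applies the most restrictive action. */
static enum action evaluate(bool is_ioctl, uint64_t request) {
    enum action a = allow_filter(is_ioctl, request);
    enum action d = deny_filter(is_ioctl, request);
    return a > d ? a : d;
}

int main(void) {
    printf("ioctl(TIOCSTI)             -> %d\n", evaluate(true, TIOCSTI));
    printf("ioctl((1<<32)|TIOCSTI)     -> %d\n", evaluate(true, (1ULL << 32) | TIOCSTI));
    printf("ioctl((1<<32)|other)       -> %d\n", evaluate(true, (1ULL << 32) | 0x1234));
    return 0;
}
```

The third call uses a constructed request value (`0x1234` with a high bit set) to show the property the comment calls out: only the low 32 bits are compared, so unrelated requests with high bits set still pass.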

b028176... by Zeyad Gouda

many: implement snap install --prefer (#12993)

* many: implement snap install --prefer

Signed-off-by: Zeyad Gouda <email address hidden>

* many: add more tests and validation to --prefer install flag

* client/snap_op: add tests for prefer flag
* daemon/api_snaps: add input validation for prefer flag
 * prefer flag cannot be used with unaliased flag
 * prefer is supported only for install action
 * prefer is not supported in multi-snap operations
 * add tests
* o/snapstate: prevent implicitly setting unaliased flag when prefer flag is passed
 * add tests
* spread: update parallel-install-auto-aliases to cover edge cases for --prefer
 * check --prefer interaction with --unaliased implicit passing
 * resolve conflicts after merging master

Signed-off-by: Zeyad Gouda <email address hidden>

* spread: fix comment typo in main/parallel-install-auto-aliases

Signed-off-by: Zeyad Gouda <email address hidden>

* daemon: update flags conflict error message to be consistent

Signed-off-by: Zeyad Gouda <email address hidden>

* many: adjust help texts and move Prefer closer to Unaliased in structs

Signed-off-by: Zeyad Gouda <email address hidden>

* daemon/api_snaps_test: update TestPostSnapPreferWrongAction to match updated error message

Signed-off-by: Zeyad Gouda <email address hidden>

---------

Signed-off-by: Zeyad Gouda <email address hidden>

54a3194... by Michael Vogt

arch: fix incorrect architecture name in `arch.Endian()` (#13036)

The go and Debian/Ubuntu architecture names are extremely close and
there was a typo in one of them (i386->386). In addition to fixing
the typo this commit also includes a list of known architectures
from the go source directly to ensure this change is correct.

There is no exported list of available architectures so it had to
be copied. There is `go tool dist list` which will list all
supported combinations of os/arch but the downside of using this
is that when architecture support gets dropped in the future the
test would start failing for no good reason.

9deca1f... by Ken VanDine

interfaces/steam-support: allow rw, rbind to /etc/localtime necessary
for proton on Core Desktop

0249dab... by Robert Ancell

agentnotify: Update the text on refresh dialogs

787122e... by Alfonso Sanchez-Beato

tests/core20-auto-remove-user: do retries for set-ntp

The "sudo timedatectl set-ntp false" command sometimes fails with
message:

Failed to set ntp: Connection timed out

Apparently because it takes a bit of time to start
org.freedesktop.timedate1 and then stop systemd-timedated, as trying
again fixes the issue. Do some retries to prevent random failures of
this spread test.

9c72433... by Michael Vogt

arch: add new `arch.Endian()` helper and use it in seccomp (#13028)

* arch: add new `arch.Endian()` helper and use it in seccomp

Go has no good way to get the native endianness of a system.
However for certain use-cases (like seccomp) this is quite
important. We already have a (hackish) `isBigEndian()` helper
in our code. However this will also be needed in snap-seccomp
for PR#13014, so moving the helper to the `arch` package seems
to be prudent.

* arch: fix usage of runtimeGOARCH

Co-authored-by: Miguel Pires <email address hidden>

---------

Co-authored-by: Miguel Pires <email address hidden>

f4ec590... by Sergio Cazzolato

tests: remove kinetic (#13016)

* Remove testing support for ubuntu 22.10

This is done because ubuntu 22.10 is EOL

* Squashed 'tests/lib/external/snapd-testing-tools/' changes from 1c8efb77e1..8013c30c2a

8013c30c2a Remove support for ubuntu 22.10
b32b80bf54 Fix remote.rait-for test in bionic
5675c625e9 Enable fedora 38
55f4471957 Support for new oss
f2e88b357c New tool used to query spread json reports
cacd35ede0 utils/spread-shellcheck: explain disabled warnings (#42)
c82afb2dee Support --no-install-recommends parameter when installing dependencies with tests.pkgs
b84eea92e2 spread-shellcheck: fix quotes in environment variables (#41)
ab1e51c29f New comparison in os-query for core systems (#40)
e5ae22a5d4 systemd units can be overwritten
63540b845a Fix error messages in remote pull and push
75e8a426a5 make sure the unit is removed in tests.systemd test
9089ff5c02 Update tests to use the new tests.systemd stop-unit
44ecd5e56a Move tests.systemd stop-units to stop-unit
01a2a83b4b Update tests.systemd to have stop units as systemd.sh
162e93bd35 update tests.systemd CLI options to be the same than retry command
14aa43a405 new feature to re-run failed spread tests (#39)
604cb782db Fix shellcheck in systemd tool
bfc71082c8 Update the tests.systemd to allow parameters waiting for service status
8a2d0a99df Adding quiet tool and removing set +-x from tests.pkgs
d90935d2a4 A comment explaining about the default values for wait-for
3232c5dba7 Add support for ubuntu 23.04
a7164fba07 remove fedora 35 support, add fedora 37 support
89b9eb5301 Update systems supported
92bb6a0664 Include snap-sufix in the snaps.name tool

git-subtree-dir: tests/lib/external/snapd-testing-tools
git-subtree-split: 8013c30c2a22185afd4c4464176e3fec1d7f2ab0

efb0d5e... by Sergio Cazzolato

tests: add fedora-38 and remove fedora-36 (#12955)

* Test fedora-38 and remove fedora-36

* update the number of workers for fedora 38

* update tests.session to support selinux

* tests: fix shell quoting

* disable shellcheck SC2086

this is needed to avoid error:

systemd-run: unrecognized option '--property
SELinuxContext=unconfined_u:unconfined_r:unconfined_t:s0'

* Updated tests.session tool to use --pipe with systemd-run

Also the pipe creation was moved to be done just when busctl is used
instead of systemd-run

---------

Co-authored-by: Michael Vogt <email address hidden>