i/builtin: support desktop-file-ids in desktop files rule generation

[ZeyadYasser]

This PR adds support for desktop-file-ids for apparmor rules generated when the desktop-legacy and unity7 interfaces are connected because they provide the ability for the snap to access it own desktop files.

This adds a bit of complexity due to the deny rules that needs to be generated to suppress warnings. GenerateAAREExclusionPatterns is used with care to generate the deny rules for multiple patterns.

Now, since the rules generated depend on the snap content itself, more aggressive validation and sanitization is required:

• Sanitized desktop file names during mangling so they can only contain [A-Za-z0-9-_.] so they can't contain special AARE characters
  • Kept desktop-file-ids as is without sanitization because they should already be validated during install
• Added aggressive validation when generating desktop rules (for unity7 and desktop-legacy) that non of the names used in rule generation contain any special AARE characters.
• Used defensive approach in rule generation
  • where allow rules doesn't depend on desktop files found in the snap but instead depends on the desktop prefix and desktop file ids.
  • and deny rules depend desktop file names inside the snap mount, so if a snap somehow escaped all this validation, it can only shoot itself in the foot and deny itself more things

Any single one of the methods used above should have been enough, but since this is generating apparmor rules from user input basically it is better to play it safe here.

Please be as skeptical as possible when reviewing and let me know if you found an edge case that could break the rule generation.

[ZeyadYasser]

I just realized that incoming desktop file names must be sanitized before passing to GenerateAAREExclusionPatterns to avoid snaps shipping with desktop file names that contain AARE globbing expressions.

[ZeyadYasser]

I just realized that incoming desktop file names must be sanitized before passing to GenerateAAREExclusionPatterns to avoid snaps shipping with desktop file names that contain AARE globbing expressions.

I fixed this in multiple ways, each adding a layer of protection on its own:

• Sanitized desktop file names during mangling so they can only contain [A-Za-z0-9-_.] so they can't contain special AARE characters
  • Kept desktop-file-ids as is without sanitization because they should already be validated during install
• Added aggressive validation when generating desktop rules (for unity7 and desktop-legacy) that non of the names used in rule generation contain any special AARE characters.
• Switched to defensive approach in rule generation
  • where allow rules doesn't depend on desktop files found in the snap but instead depends on the desktop prefix and desktop file ids.
  • and deny rules depend desktop file names inside the snap mount, so if a snap somehow escaped all this validation, it can only shoot itself in the foot and deny itself more things

[bboozzoo]

also why not fail and let AppArmorConnectedPlug return an error?

[ZeyadYasser]

Good point, Since desktop-file-ids is a new concept, I believe we can just fail. but for existing prefixed desktop files we could break some snaps but it would be very rare. A snap with weird desktop file names + unity7/desktop-legacy plugs.

CC: @pedronis @jhenstridge

[bboozzoo]

wonder if this should perhaps be done in snap.Validate()

[ZeyadYasser]

Ideally, Yes. But we don't know if there are snaps already in the store with desktop files with undesired names. adding the check in snap.Validate() could break existing installs (but maybe for such snaps, we should?).

[pedronis]

don't we do any validation on the ids? I'm sure there are some checks that we can do just based on dbus rules, no?

[ZeyadYasser]

We do validation in the desktop interface's BeforePreparePlug

snapd/interfaces/builtin/desktop.go

Lines 623 to 633 in b605298

	// https://specifications.freedesktop.org/desktop-entry-spec/latest/file-naming.html
	// Desktop file id must be a valid D-Bus name:
	// - A sequence of non-empty elements separated by dots
	// - None of which starts with a digit
	// - Each of which contains only characters from the set [A-Za-z0-9-_]
	//
	// XXX: dashes "-" are not recommended but supported, should they be removed?
	// https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names
	var desktopFileIDRegexp = regexp.MustCompile(`^([A-Za-z_-][\w-]*)(\.[A-Za-z_-][\w-]*)*$`)
	func (iface *desktopInterface) validateDesktopFileIDs(attribs interfaces.Attrer) error {

[ZeyadYasser]

I added the check here to avoid depending on other parts working as expected and having the checks validate input standalone without any assumptions.

[alexmurray]

I would prefer this is done in snap.Validate() since any existing snaps should be updated. However, if we are concerned about breaking things too much, we should ensure that review-tools implements similar validation logic for desktop-file-ids so we can avoid snaps being uploaded with anything that might try and abuse this (also recall this needs a snap declaration as well which adds additional protection too).

[ZeyadYasser]

No snaps on the store currently should have desktop-file-ids yet, I think we could add a check for them in snap.Validate() and fail hard there during install/pack. I was confused at first and thought this was for existing desktop file names as well.

[ZeyadYasser]

I got confused a bit, I don't think we can this check to snap.Validate(). As Samuele mentioned the bad plug will not be there to validate since the snap plugs and slots are sanitized before getting validated so when we reach snap.Validate a bad desktop-file-ids attribute won't be there.

snapd/snap/info_snap_yaml.go

Lines 241 to 242 in 848d437

	snap.BadInterfaces = make(map[string]string)
	SanitizePlugsSlots(snap)

I don't see a clean way of force validating desktop-file-ids because they are sanitized (and disappear if bad) just before validation. Only thing left of them is an error message under info.BadInterfaces that is shown when running snap pack --check-skeleton.

$ snap pack --check-skeleton squashfs-root build
snap "hello" has bad plugs or slots: desktop (desktop-file-ids entry "org.he&&llo.Example" is not a valid D-Bus well-known name)

Maybe I am confused about what is required here, but I think adding validation on the container level snap.validateContainer() for desktop file names on pack/build as @bboozzoo suggested #14444 (comment) is a great idea + checks from review tools to prevent new revision with weird desktop file names.

[bboozzoo]

So it looks like an error here is unexpected and we should return early rather than simply ignore it. snap pack --check-skeleton raises an error with bad plugs/slots, but actual pack does not, which I think was intentional.

[ZeyadYasser]

I updated that part to return and error instead of doing the fallback as this indicates something dangerous that the early validation and sanitization was bypassed by the snap.

[bboozzoo]

snap.Validate() is also used when packing a snap, maybe it'd be useful to issue a warning if the there's anything wrong with the desktop files.

Hm I don't recall why we don't do any sanity checks of desktop files in validation code, and rather let them fail during install.

[ZeyadYasser]

Yes, I agree. A warning there wouldn't break existing snaps.

Hm I don't recall why we don't do any sanity checks of desktop files in validation code, and rather let them fail during install.

No idea, I recently landed changes there to validate their file types, but there weren't any other validations. I think without epochs we cannot do better on the container validation side.

[bboozzoo]

A followup material, but we could look into tweaking snap.Validate() interface to pass additional parameter describing the scenario in which it is invoked, and in case of pack/build-time validation fail hard on some new checks we introduce.

[alexmurray]

A followup material, but we could look into tweaking snap.Validate() interface to pass additional parameter describing the scenario in which it is invoked, and in case of pack/build-time validation fail hard on some new checks we introduce.

This sounds like a great idea.

And we should also extend review-tools to implement similar checks against desktop file names etc.

[ZeyadYasser]

Filed a ticket to track this idea https://warthogs.atlassian.net/browse/SNAPDENG-32333

[ZeyadYasser]

I just have one comment, I think the desktop file names check should be on the container level, so I think snap.validateContainer() would be more appropriate to add the additional scenario parameter.

[zyga]

One question. I'll re-review this later today.

[zyga]

I wish there was a way to comment on the file name in GitHub. This is such a nice name :)

[zyga]

Why do we switch to the fallback in this case?

[ZeyadYasser]

This is to be consistent with the original implementation, which didn't care about existing desktop files.

snapd/interfaces/builtin/utils.go

Lines 116 to 136 in f3d0682

	func getDesktopFileRules(snapInstanceName string) []string {
	baseDir := dirs.SnapDesktopFilesDir
	rules := []string{
	"# Support applications which use the unity messaging menu, xdg-mime, etc",
	"# This leaks the names of snaps with desktop files",
	fmt.Sprintf("%s/ r,", baseDir),
	"# Allowing reading only our desktop files (required by (at least) the unity",
	"# messaging menu).",
	"# parallel-installs: this leaks read access to desktop files owned by keyed",
	"# instances of @{SNAP_NAME} to @{SNAP_NAME} snap",
	fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,", baseDir),
	"# Explicitly deny access to other snap's desktop files",
	fmt.Sprintf("deny %s/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,", baseDir),
	}
	for _, t := range aareExclusivePatterns(snapInstanceName) {
	rules = append(rules, fmt.Sprintf("deny %s/%s r,", baseDir, t))
	}
	return rules
	}

I know a snap depending on the undocumented behavior that unity7 and desktop-legacy gives it access to list desktop files should not be supported, but who knows what snap will break if that changes?

[pedronis]

I did a quick first pass, seems ok. One remark about the already landed helper and one about desktop-ids validation

[pedronis]

don't we do any validation on the ids? I'm sure there are some checks that we can do just based on dbus rules, no?

[pedronis]

I think my point is if we prefer not to error here ok, but this message should make clear that this situation is an internal error, as the desktop-ids shouldn't have made this far

[ZeyadYasser]

Updated, and also updated the tests to check that errors are logged properly

[pedronis]

I'm not sure this one and the one below are internal errors though, do we check desktop file names somewhere else?

[ZeyadYasser]

Good point, the snap mount could have been unmounted due to external reasoning which would cause failure. Updated.

Regarding the ones below:

• internal error: invalid desktop file name %q found in snap %q which should have been validated earlier
  • My reasoning here was that if we got so far and also got a bad desktop file name then snapd have been tricked somehow by the snap either when validating desktop file ids or when sanitizing the desktop file names during install/refresh.
• internal error: failed to generate deny rules for snap %q: %v
  • My reasoning here was that there is a case we didn't account for that breaks deny rules generation

[pedronis]

thanks, lgtm, please iterate on this further with other reviewers as needed

[bboozzoo]

looks quite good

[bboozzoo]

A followup material, but we could look into tweaking snap.Validate() interface to pass additional parameter describing the scenario in which it is invoked, and in case of pack/build-time validation fail hard on some new checks we introduce.

[bboozzoo]

maybe this could use strings.Builder as well now. Not essential, but give it a try locally, and if the changes look good maybe it's worth pushing.

[ZeyadYasser]

Is this what you had in mind?

diff --git a/interfaces/builtin/utils.go b/interfaces/builtin/utils.go
index 026f7668f5..2475d2f7f1 100644
--- a/interfaces/builtin/utils.go
+++ b/interfaces/builtin/utils.go
@@ -109,26 +109,18 @@ var desktopFilesFromInstalledSnap = func(s *snap.Info) ([]string, error) {
 //
 // The snap must be mounted.
 func getDesktopFileRules(s *snap.Info) string {
-       const template = `
-# Support applications which use the unity messaging menu, xdg-mime, etc
-# This leaks the names of snaps with desktop files
-%s/ r,
+       var b strings.Builder
 
-# Allow rules:
-%s
-
-# Deny rules:
-%s
-`
+       b.WriteString("# Support applications which use the unity messaging menu, xdg-mime, etc\n")
+       b.WriteString("# This leaks the names of snaps with desktop files\n")
+       b.WriteString(fmt.Sprintf("%s/ r,\n", dirs.SnapDesktopFilesDir))
 
        // Generate allow rules
-       allowRules := `
-# Allowing reading only our desktop files (required by (at least) the unity
-# messaging menu).
-# parallel-installs: this leaks read access to desktop files owned by keyed
-# instances of @{SNAP_NAME} to @{SNAP_NAME} snap
-`
-       allowRules += fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,\n", dirs.SnapDesktopFilesDir)
+       b.WriteString("# Allowing reading only our desktop files (required by (at least) the unity\n")
+       b.WriteString("# messaging menu).\n")
+       b.WriteString("# parallel-installs: this leaks read access to desktop files owned by keyed\n")
+       b.WriteString("# instances of @{SNAP_NAME} to @{SNAP_NAME} snap\n")
+       b.WriteString(fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,\n", dirs.SnapDesktopFilesDir))
        // For allow rules let's be more defensive and not depend on desktop files
        // shipped by the snap like what is done below in the deny rules so that if
        // a snap figured out a way to trick the checks below it can only shoot
@@ -149,11 +141,11 @@ func getDesktopFileRules(s *snap.Info) string {
                        logger.Noticef("internal error: invalid desktop file ID %q found in snap %q: %v", desktopFileID, s.InstanceName(), err)
                        return getDesktopFileRulesFallback()
                }
-               allowRules += fmt.Sprintf("%s/%s r,\n", dirs.SnapDesktopFilesDir, desktopFileID+".desktop")
+               b.WriteString(fmt.Sprintf("%s/%s r,\n", dirs.SnapDesktopFilesDir, desktopFileID+".desktop"))
        }
 
        // Generate deny rules to suppress apparmor warnings
-       denyRules := "# Explicitly deny access to other snap's desktop files\n"
+       b.WriteString("# Explicitly deny access to other snap's desktop files\n")
        desktopFiles, err := desktopFilesFromInstalledSnap(s)
        if err != nil {
                logger.Noticef("failed to collect desktop files from snap %q: %v", s.InstanceName(), err)
@@ -188,9 +180,9 @@ func getDesktopFileRules(s *snap.Info) string {
                logger.Noticef("internal error: failed to generate deny rules for snap %q: %v", s.InstanceName(), err)
                return getDesktopFileRulesFallback()
        }
-       denyRules += excludeRules
+       b.WriteString(excludeRules)
 
-       return fmt.Sprintf(template, dirs.SnapDesktopFilesDir, allowRules[1:], denyRules)
+       return b.String()
 }
 
 // stringListAttribute returns a list of strings for the given attribute key if the attribute exists.

[bboozzoo]

more less, builder implements Writer, so you can use fmt.Fprintf(&b, ...) where appropriate

[ZeyadYasser]

updated

[alexmurray]

In general this looks quite good - I really like the defence in depth approach and multiple levels of validation. However, I would prefer the validation is done in snap.Validate() to fail-hard earlier to avoid any chance of possible abuse, but will leave this decision up to @pedronis - from a security point of view, this looks really good.

I have also filed a bug for review-tools as well to make sure we implement similar logic there https://bugs.launchpad.net/review-tools/+bug/2081240.

[alexmurray]

I would prefer this is done in snap.Validate() since any existing snaps should be updated. However, if we are concerned about breaking things too much, we should ensure that review-tools implements similar validation logic for desktop-file-ids so we can avoid snaps being uploaded with anything that might try and abuse this (also recall this needs a snap declaration as well which adds additional protection too).

[alexmurray]

A followup material, but we could look into tweaking snap.Validate() interface to pass additional parameter describing the scenario in which it is invoked, and in case of pack/build-time validation fail hard on some new checks we introduce.

This sounds like a great idea.

And we should also extend review-tools to implement similar checks against desktop file names etc.

[codecov]

Codecov Report

Attention: Patch coverage is 93.96552% with 7 lines in your changes missing coverage. Please review.

Project coverage is 78.86%. Comparing base (3492595) to head (93d2e69).
Report is 193 commits behind head on master.

Files with missing lines	Patch %	Lines
interfaces/builtin/utils.go	95.29%	3 Missing and 1 partial ⚠️
wrappers/desktop.go	40.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #14444      +/-   ##
==========================================
+ Coverage   78.77%   78.86%   +0.09%     
==========================================
  Files        1073     1079       +6     
  Lines      143693   145697    +2004     
==========================================
+ Hits       113191   114910    +1719     
- Misses      23401    23601     +200     
- Partials     7101     7186      +85     

Flag	Coverage Δ
unittests	78.86% <93.96%> (+0.09%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[bboozzoo]

LGTM

[ZeyadYasser]

Failing tests are known to fail:

• google-distro-1:debian-sid-64:tests/main/snap-run
• openstack:fedora-40-64:tests/main/selinux-clean