On Mon, 2018-08-06 at 23:23 +0100, John Lenton wrote:
> On Mon, 6 Aug 2018 at 22:53, Steve Langasek <steve.langa...@ubuntu.com> wrote:
> >
> > Thanks, that's a useful data point. Do you think it is a practical concern
> > for snaps if an Ubuntu rootfs uses fscaps? Is this an argument against
> > allowing fscaps in Ubuntu, or should it just be a matter for snapcraft to
> > warn/error about on creation, guiding users to using setuid instead?
> >
> > As a worked example: the core snap does ship /bin/ping, which is currently
> > setuid-root in Ubuntu but would move to fscaps in this proposal. (The core
> > snap does not include mtr-tiny.) What do you believe is the correct outcome
> > here for /bin/ping in a future ubuntu core 20 snap?
>
> Given that fine-grained fscaps are better than blanket setuids, I
> expect core 20 to embrace them wholeheartedly.
> However, getting there will involve the whole
> snapcraft/snapd/review-tools/snapstore stacks for at least a little
> bit of work.
>
> We need to sit down and decide what shape that support is going to
> take (basically: can everybody have xattrs & fscaps, or is it just
> base snaps? any base snap, or only core? policy decisions, involving
> security). I don't expect it to be controversial, unless we want to
> enable a snapped application to use fscaps.

FYI, I don't think we should blindly allow fscaps for 'app' snaps since
this is a huge can of worms. *But* we can and in fact already do allow
fscaps (and setuid, setgid, non-root uids, etc, etc) in the privileged
base and os snaps.

> We need to do a bit of research _today_, because already 16.04 has
> tools that rely on fscaps: this conversation has had me notice that
> systemd-detect-virt, that we ship in core and use from snapd in a
> couple of places (and in particular to check whether we need to use
> squashfuse) is using caps instead of setuid, meaning that in core for
> a regular user it probably won't work properly. So we'll need to look
> into exactly how it's being used; I _think_ we're testing them as
> root, and only expect to be using them as root, but we'll have to
> chase it down.

I suspect if you built the core snap without -no-xattrs, it would work.
It might not, but IMO that would be a bug (I certainly would expect
them to in os and base snaps).

--
Jamie Strandboge | http://www.canonical.com
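
The following is an added example, not part of the original message or of snapd/snapcraft: a Python audit of an unpacked rootfs that lists setuid/setgid files (stored in the mode bits) and files carrying fscaps (stored in the `security.capability` xattr, which a squashfs built with -no-xattrs does not keep). The function names, the partial capability-name table and the sample xattr bytes are constructed for illustration.

```python
import os, stat, struct

# Subset of capability numbers from linux/capability.h (illustrative, not complete).
CAP_NAMES = {7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}
# Constructed sample: a revision-2 vfs_cap_data equivalent to "cap_net_raw+ep".
PING_XATTR = bytes.fromhex("0100000200200000000000000000000000000000")

def decode_fscaps(raw):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    if len(raw) < 4:
        raise ValueError("truncated vfs_cap_data")
    (magic,) = struct.unpack_from("<I", raw)
    version = magic >> 24                       # VFS_CAP_REVISION_1/2/3
    words = {1: 1, 2: 2, 3: 2}.get(version)     # 32-bit word pairs per revision
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unrecognised vfs_cap_data")
    permitted = inheritable = 0
    for i in range(words):                      # each pair covers 32 capabilities
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    names = lambda m: sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if m >> b & 1)
    return {"version": version, "effective": bool(magic & 1),   # VFS_CAP_FLAGS_EFFECTIVE
            "permitted": names(permitted), "inheritable": names(inheritable)}

def audit_rootfs(root, getxattr=os.getxattr):
    """Return {relative path: finding} for setuid/setgid files and files with fscaps."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            entry = {}
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                entry["mode"] = oct(stat.S_IMODE(st.st_mode))   # mode bits, not an xattr
            try:                                                # xattr: lost with -no-xattrs
                entry["fscaps"] = decode_fscaps(getxattr(path, "security.capability"))
            except (OSError, ValueError):
                pass    # no capability xattr, or one this decoder cannot parse
            if entry:
                findings[os.path.relpath(path, root)] = entry
    return findings

if __name__ == "__main__":
    import sys
    for rel, finding in sorted(audit_rootfs(sys.argv[1]).items()):
        print(rel, finding)
```

Run it against the staged rootfs before packing and again against the unpacked squashfs; any path whose `fscaps` entry disappears between the two runs lost its capabilities in the build.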