interfaces/builtin: add lsm self-attr syscall allowances

Add lsm_get_self_attr to interfaces that read AppArmor current labels
and add lsm_set_self_attr where AppArmor allows writing process
attr/exec.

Include seccomp coverage updates in tests for system-observe,
cups-control, docker-support, and kubernetes-support flavors.

No syscall addition for browser-support: it explicitly denies access to
/proc/.../attr/{,apparmor/}current.

No explicit syscall addition for lxd-support: its seccomp policy is
@unrestricted.

The k8s-support interface has both get and set per advice from John
Johansen.

Jira: https://warthogs.atlassian.net/browse/AA-1000
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>

Author: zyga

interfaces/builtin/cups_control.go

@@ -26,6 +26,7 @@ import (
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
+	"github.com/snapcore/snapd/interfaces/seccomp"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
@@ -117,6 +118,10 @@ dbus (receive)
     peer=(label=###SLOT_SECURITY_TAGS###),
 `
 
+const cupsControlPermanentSlotSecComp = `
+lsm_get_self_attr
+`
+
 type cupsControlInterface struct {
 	commonInterface
 }
@@ -167,6 +172,13 @@ func (iface *cupsControlInterface) AppArmorConnectedPlug(spec *apparmor.Specific
 	return nil
 }
 
+func (iface *cupsControlInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
+	if !implicitSystemPermanentSlot(slot) {
+		spec.AddSnippet(cupsControlPermanentSlotSecComp)
+	}
+	return nil
+}
+
 func (iface *cupsControlInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
 	cupsdConf := filepath.Join(dirs.GlobalRootDir, "/etc/cups/cupsd.conf")
 	_, hostSystemHasCupsd, _ := osutil.RegularFileExists(cupsdConf)

interfaces/builtin/cups_control_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/builtin"
+	"github.com/snapcore/snapd/interfaces/seccomp"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/testutil"
@@ -197,6 +198,38 @@ func (s *cupsControlSuite) TestAppArmorSpecClassic(c *C) {
 	c.Assert(spec.SnippetForTag("snap.provider.app"), testutil.Contains, "peer=(label=\"snap.consumer.app\"")
 }
 
+func (s *cupsControlSuite) TestSecCompSpecCore(c *C) {
+	restore := release.MockOnClassic(false)
+	defer restore()
+
+	// core to consumer on core is empty for PermanentSlot
+	spec := seccomp.NewSpecification(s.coreSlot.AppSet())
+	c.Assert(spec.AddPermanentSlot(s.iface, s.coreSlotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	// provider to consumer on core gets permanent slot seccomp policy
+	spec = seccomp.NewSpecification(s.providerSlot.AppSet())
+	c.Assert(spec.AddPermanentSlot(s.iface, s.providerSlotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.provider.app"})
+	c.Assert(spec.SnippetForTag("snap.provider.app"), testutil.Contains, "lsm_get_self_attr\n")
+}
+
+func (s *cupsControlSuite) TestSecCompSpecClassic(c *C) {
+	restore := release.MockOnClassic(true)
+	defer restore()
+
+	// core to consumer on classic is empty for PermanentSlot
+	spec := seccomp.NewSpecification(s.coreSlot.AppSet())
+	c.Assert(spec.AddPermanentSlot(s.iface, s.coreSlotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), HasLen, 0)
+
+	// provider to consumer on classic gets permanent slot seccomp policy
+	spec = seccomp.NewSpecification(s.providerSlot.AppSet())
+	c.Assert(spec.AddPermanentSlot(s.iface, s.providerSlotInfo), IsNil)
+	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.provider.app"})
+	c.Assert(spec.SnippetForTag("snap.provider.app"), testutil.Contains, "lsm_get_self_attr\n")
+}
+
 func (s *cupsControlSuite) TestAutoConnect(c *C) {
 	tmpdir := c.MkDir()
 	dirs.SetRootDir(tmpdir)

interfaces/builtin/docker_support.go

@@ -312,6 +312,8 @@ keyctl
 # /snap/docker/VERSION/bin/docker-runc
 pivot_root
 
+lsm_set_self_attr
+
 # ptrace can be abused to break out of the seccomp sandbox
 # but is required by the Docker daemon.
 ptrace

interfaces/builtin/docker_support_test.go

@@ -239,6 +239,7 @@ func (s *DockerSupportInterfaceSuite) TestSecCompSpec(c *C) {
 	spec := seccomp.NewSpecification(appSet)
 	c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.slot), IsNil)
 	c.Check(spec.SnippetForTag("snap.docker.app"), testutil.Contains, "# Calls the Docker daemon itself requires\n")
+	c.Check(spec.SnippetForTag("snap.docker.app"), testutil.Contains, "lsm_set_self_attr\n")
 }
 
 func (s *DockerSupportInterfaceSuite) TestKModSpec(c *C) {

interfaces/builtin/kubernetes_support.go

@@ -252,6 +252,9 @@ mount
 umount
 umount2
 
+lsm_get_self_attr
+lsm_set_self_attr
+
 unshare
 setns - CLONE_NEWNET
 

interfaces/builtin/kubernetes_support_test.go

@@ -225,6 +225,7 @@ func (s *KubernetesSupportInterfaceSuite) TestSecCompConnectedPlug(c *C) {
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.default"})
 	c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow running as the kubelet service\n")
 	c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.default"), testutil.Contains, "lsm_get_self_attr\n")
 
 	// kubeproxy should have the autobind rules
 	spec = seccomp.NewSpecification(s.plugKubeproxy.AppSet())
@@ -233,6 +234,7 @@ func (s *KubernetesSupportInterfaceSuite) TestSecCompConnectedPlug(c *C) {
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubeproxy"})
 	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), Not(testutil.Contains), "# Allow running as the kubelet service\n")
 	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubeproxy"), Not(testutil.Contains), "lsm_get_self_attr\n")
 
 	// kubelet should have its rules and the autobind rules
 	spec = seccomp.NewSpecification(s.plugKubelet.AppSet())
@@ -241,6 +243,7 @@ func (s *KubernetesSupportInterfaceSuite) TestSecCompConnectedPlug(c *C) {
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kubelet"})
 	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow running as the kubelet service\n")
 	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kubelet"), testutil.Contains, "lsm_get_self_attr\n")
 
 	// kube-autobind-unix should have the autobind rules
 	spec = seccomp.NewSpecification(s.plugKubeAutobind.AppSet())
@@ -249,6 +252,7 @@ func (s *KubernetesSupportInterfaceSuite) TestSecCompConnectedPlug(c *C) {
 	c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.kubernetes-support.kube-autobind-unix"})
 	c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), Not(testutil.Contains), "# Allow running as the kubelet service\n")
 	c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), testutil.Contains, "# Allow using the 'autobind' feature of bind() (eg, for journald).\n")
+	c.Check(spec.SnippetForTag("snap.kubernetes-support.kube-autobind-unix"), Not(testutil.Contains), "lsm_get_self_attr\n")
 }
 
 func (s *KubernetesSupportInterfaceSuite) TestUDevConnectedPlug(c *C) {

interfaces/builtin/system_observe.go

@@ -208,6 +208,8 @@ const systemObserveConnectedPlugSecComp = `
 # it gives privileged read access to all processes on the system and should
 # only be used with trusted apps.
 
+lsm_get_self_attr
+
 # ptrace can be used to break out of the seccomp sandbox, but ps requests
 # 'ptrace (trace)' from apparmor. 'ps' does not need the ptrace syscall though,
 # so we deny the ptrace here to make sure we are always safe. Note: may

interfaces/builtin/system_observe_test.go

@@ -103,6 +103,7 @@ func (s *SystemObserveInterfaceSuite) TestUsedSecuritySystems(c *C) {
 	err = seccompSpec.AddConnectedPlug(s.iface, s.plug, s.slot)
 	c.Assert(err, IsNil)
 	c.Assert(seccompSpec.SecurityTags(), DeepEquals, []string{"snap.other.app2"})
+	c.Check(seccompSpec.SnippetForTag("snap.other.app2"), testutil.Contains, "lsm_get_self_attr\n")
 	c.Check(seccompSpec.SnippetForTag("snap.other.app2"), testutil.Contains, "ptrace\n")
 }