This came up again in IRC today, so thought I’d bring up a forum topic and my thoughts on the matter. Perhaps if we decide on a course of action, someone can implement something to make the situation better.
Summary of problem:
- snap-confine has network security policy denials because it is trying to do things in ~/snap because ~ is on NFS
- snaps have security policy denials for accessing anything in ~ (eg, $SNAP_USER_COMMON, $SNAP_USER_DATA or when plugging the ‘home’ interface and trying to access those files)
The bug describes a workaround for ‘1’. If people do that, ‘2’ only is a problem with snaps that don’t specify ‘network’ in their plugs.
If we want to do more than point people at the workaround, with current kernel limitations, we are pretty limited in what we can do. What we don’t want to do is simply allow networking everywhere for all users to accommodate the comparatively few NFS /home users. What we can do is detect if /home is NFS, and then unconditionally adjust snap-confine’s policy and (somehow) conditionally add policy for snaps to allow NFS (with audit logging for transparency).
The simplest way to achieve this is consider NFS /home as a global toggle. Specifically:
- change cmd/snap-confine/snap-confine.apparmor.in in the snapd sources to #include a file in /var/lib/snapd/somewhere that snapd will manage
- check if /home is NFS whenever security policy is generated/refreshed. If /home is not NFS, then generate policy as normal. Otherwise proceed to step 3
- update /var/lib/snapd/somewhere/home-nfs to contain rules needed for snap-confine to run with /home NFS, and reload the snap-confine policy
- create a HomeNFS snippet for apparmor and seccomp and if /home is on NFS, unconditionally add it to default apparmor profile and default seccomp
- write an INFO message to syslog that all policy is using NFS
Variations exist. Instead of runtime detection, make it a global configuration toggle. Eg, instead of ‘1’, use
snap config core set home-nfs=1 that the check in ‘2’ will look at.
- Of course adding the conditional NFS policy weakens the policy of snap-confine and the snaps, but with the above it is only done on systems that actually use /home NFS
- One issue with a global toggle is that users on a system with NFS /home whose home is not on NFS get the added policy unconditionally
- Related, there may be snaps that only the admin uses that don’t need the NFS policy but have it. It would be possible to make the NFS policy per-snap-opt-outtable rather than global.
- Another consideration is some systems will be configured where /home is not be on NFS but users need to access other files on the system that are on NFS (in these cases, snap-confine doesn’t need NFS policy, but snaps do).
Note that in more recent snapd’s, the workaround for snap-confine is quite brittle, since if the core snap is newer than the installed snapd, the profile for snap-confine from the core snap is used. This profile is on read-only media.