*** This bug is a duplicate of bug 796588 ***
https://bugs.launchpad.net/bugs/796588
Thank you for reporting a bug. At the moment there is a known and
documented gap in our network mediation that we are working to address.
>From the security whitepaper[1]:
"Traditional permissions
The Linux kernel enforces Discretionary Access Controls (DAC) via
traditional UNIX ‘owner’ permissions as well as Linux kernel
capabilities and the Ubuntu Core base system uses these permissions
extensively. For app snaps on Ubuntu Core 16, services run as root and
therefore traditional permissions alone do not play as important of a
role in the confinement of services. Future versions of Ubuntu Core will
allow snaps to optionally request snap-specific, non-root users and
groups for services."
In general DAC is not a primary mechanism for isolation in snappy at
this time and we rely on other isolation mechanisms. We want to support
opt-in uid/gid for snaps that need it (ie, to support privilege
dropping) but note that separate uid/gids will not be required so we'll
need more complete isolation for networking. From the whitepaper:
"Network interfaces
Ubuntu Core 16 does not currently support fine-grained network mediation
(eg, for per-snap access to IPv4 and IPv6 TCP and UDP ports) and snaps
specifying the ‘network-bind’ interface and providing network services
are reachable by other snaps on the host (provided the connecting snap
uses the client ‘network’ interface) and over the internet."
Adding fine-grained mediation for networking is planned (see bug
#796588) and once it is implemented we will be able to assign ports to
snaps.
As for SO_REUSEPORT, the man page states:
"SO_REUSEPORT (since Linux 3.9)
Permits multiple AF_INET or AF_INET6 sockets to be bound to an
identical socket address. This option must be set on each
socket (including the first socket) prior to calling bind(2)
on the socket. To prevent port hijacking, all of the
processes binding to the same address must have the same
effective UID. This option can be employed with both TCP and
UDP sockets
"
As you pointed out, if a snap uses SO_REUSEPORT, then another snap could
reuse the port, but there is a safeguard there in that it won't work if
bind() has been called already which makes the attack racy. Of course,
we don't ever want the attack to work, which is one of many reasons why
we are implementing fine-grained network mediation.
Based on the above, I'm going to mark this a duplicate for bug #796588.
Thank you for taking a critical look at the security of snappy and
filing a bug. :)
[1]https://developer.ubuntu.com/en/snappy/guides/security-whitepaper/
** Information type changed from Private Security to Public
** This bug has been marked a duplicate of bug 796588
Fine-grained network mediation
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1607269
Title:
Snap daemons run as same user, removing some security restrictions
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1607269/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
