i/prompting{,requestrules}: merge rules which have identical lifespans #14757
Conversation
github-actions
bot
added
the
Needs Documentation -auto-
pedronis
added
the
Needs Samuele review
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #14757 +/- ##
==========================================
+ Coverage 78.20% 78.27% +0.06%
==========================================
Files 1151 1158 +7
Lines 151396 153291 +1895
==========================================
+ Hits 118402 119986 +1584
- Misses 25662 25914 +252
- Partials 7332 7391 +59
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
olivercalder
force-pushed
the
prompting-single-rule-per-path-pattern
branch
from
218da75 to
f3719b1
Compare
olivercalder
force-pushed
the
prompting-single-rule-per-path-pattern
branch
2 times, most recently
from
d962dbc to
d73422c
Compare
olivercalder
force-pushed
the
prompting-single-rule-per-path-pattern
branch
from
d73422c to
76cf4f3
Compare
github-actions
bot
removed
the
Needs Documentation -auto-
olivercalder
force-pushed
the
prompting-single-rule-per-path-pattern
branch
from
76cf4f3 to
44f8aaa
Compare
| } else if newID, exists := mergedRules[rule.ID]; exists { | ||
| data = map[string]string{ | ||
| "removed": "merged", | ||
| "merged-into": newID.String(), |
There was a problem hiding this comment.
is emitting this very valuable? the rule is not really fully going away
There was a problem hiding this comment.
The notice data as a whole, or the "merged-into" field? I think it is important include at least "removed": "merged", since the rule with the original ID no longer exists, and all that exists is now the ID of the rule into which it was merged.
Let's say rules with IDs A and B exist, and the client has retrieved these rule details from snapd. Then snapd restarts, and as part of re-loading the rules from disk, it merges rule B into rule A. The client needs to get a notice with "removed": "merged" for rule B (as opposed to just getting a notice with empty data for B), so that it knows it can drop rule B without first needing to retrieve rule details for B via a separate API request. Also including "merged-into" avoids a race condition if the notice that rule A has been updated has not yet been recorded: if the client sees that rule B has been merged but doesn't yet know into which other rule it was merged, it has to wait for the notice for rule A before it has the new merged rule contents, and even then, it has to manually check rule contents to know which rule the semantics formerly associated with rule B now belong. Including "merged-into": "A" lets the client know exactly what happened to rule B, and where to find the rule which now covers what B used to cover.
There was a problem hiding this comment.
is the client expected to keep rule IDs in its state longer (eg through persistence) than needed for the basic prompting interaction?
There was a problem hiding this comment.
The security center is the only current client for rule IDs, and it displays existing rules in a table and lets users inspect or delete them. So aside from initially loading rules or notice-driven updates, it's holding the current rule state and displaying it. It could query all rules every time it receives any notice, but I think we can provide better information than that using notice data.
|
Wed Jan 15 16:33:02 UTC 2025 No spread failures |
Signed-off-by: Oliver Calder <[email protected]>
Signed-off-by: Oliver Calder <[email protected]>
Signed-off-by: Oliver Calder <[email protected]>
…path pattern Signed-off-by: Oliver Calder <[email protected]>
…ging Signed-off-by: Oliver Calder <[email protected]>
… disk Signed-off-by: Oliver Calder <[email protected]>
…flicing merged rules Signed-off-by: Oliver Calder <[email protected]>
Signed-off-by: Oliver Calder <[email protected]>
Signed-off-by: Oliver Calder <[email protected]>
…supersedence Signed-off-by: Oliver Calder <[email protected]>
Co-authored-by: Maciej Borzecki <[email protected]>
…s bools Signed-off-by: Oliver Calder <[email protected]> Co-authored-by: Maciej Borzecki <[email protected]>
Signed-off-by: Oliver Calder <[email protected]> Co-authored-by: Maciej Borzecki <[email protected]>
Signed-off-by: Oliver Calder <[email protected]>
olivercalder
force-pushed
the
prompting-single-rule-per-path-pattern
branch
from
223d0be to
024d155
Compare
|
Rebased to pull in test fixes from master. |
…to snap-integrity-remove-pack * sespiros/snap-integrity-remove-pack: (86 commits) multiple: remove dm-verity support from snap pack asserts: snap integrity assertion (canonical#14870) overlord: cleanup some old edges i/builtin: make auditd-support grant seccomp setpriority (canonical#14940) tests: use quotation marks to support directories with spaces (canonical#14948) t/m/snap-service-install-mode: fix line being longer than expected interfaces/opengl: Enable parsing of nvidia driver information files (canonical#14893) i/b/fwupd: allow access to dell bios recovery (canonical#14920) tests: divide spread into fundamental/non-fundamental (canonical#14785) c/snap-bootstrap: refactor systemd-mount dm-verity/overlayfs options API (canonical#14790) o/snapstate: do not restart again for snapd along the undo path inside undoUnlinkCurrentSnap (canonical#14917) release: 2.67.1 tests: fix missing spread failures in PR comments (canonical#14931) i/prompting{,requestrules}: merge rules which have identical lifespans (canonical#14757) tests: skip apparmor-prompting-integration-tests in armhf (canonical#14919) cmd/snap-bootstrap: mount drivers tree if present (canonical#14522) i/p/patterns: disallow /./ and /../ in path patterns (canonical#14774) osutil/user: look up getent executable in known host directories (canonical#14792) overlord: wait for snapd restart after requesting by undo of 'link-snap' (canonical#14850) interfaces: update template with new syscalls (canonical#14861) ...
This PR is based on #14635.
When a rule is added or modified directly, or when a rule is created as a result of a prompt reply, merge it with any existing rule which has an identical path pattern. That way, a single rule represents the complete rule state for a given path pattern.
A good use case for this is if a user is prompted for
readaccess to/foo/bar, which they grant forever, resulting in a pseudo-rule likeallow read /foo/bar forever. If the user is then asked forwriteaccess to/foo/barand they reply withallow read,write /foo/bar forever, then instead of there coexisting the following rules:allow read /foo/bar foreverallow read,write /foo/bar foreverWe instead end up with a single "merged" rule for that path pattern, equal to the latter. This is simple enough, since the
readpart of the rule is identical.Things get a bit more interesting when we start varying the outcome and lifespan of the rules to be merged:
allow read,write /foo/bar timespan:5mand then saidallow read,execute /foo/bar forever, the resulting rule constraints would look like (in actual json):{ "path-pattern": "/foo/bar", "permissions": { "read": { "outcome": "allow", "lifespan": "forever" }, "write": { "outcome": "allow", "lifespan": "timespan", "expiration": "<timestamp-plus-5-minutes>" }, "execute": { "outcome": "allow", "lifespan": "forever" } }This work is tracked internally by https://warthogs.atlassian.net/browse/SNAPDENG-33373