From 55ddd45110097b4af5c7b09e5d9796026e24f9c9 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 5 Dec 2023 16:44:00 -0500
Subject: [PATCH 1/5] snapcraft: unsquashfs is in the base/core snap already
Signed-off-by: Simon Deziel
---
snapcraft.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 615b96861..43ca1569e 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -1477,7 +1477,6 @@ parts:
 - bin/rsync
 - bin/setfacl
 - bin/sgdisk
- - bin/unsquashfs
 - bin/xdelta3
 - lib/*/libidn.so.*
From d04a50828709a9ccf99ad64126390662eaa1b303 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 5 Dec 2023 16:44:36 -0500
Subject: [PATCH 2/5] snapcraft: vim-tiny is in the base/core snap already
Signed-off-by: Simon Deziel
---
snapcraft.yaml | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 43ca1569e..10483b2da 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -1024,18 +1024,6 @@ parts:
 - bin/tar2sqfs
 - lib/libsquashfs.so*
- vim:
- plugin: nil
- stage-packages:
- - vim-common
- - vim-tiny
- organize:
- usr/bin/: bin/
- usr/share/vim/vim*/debian.vim: etc/vimrc
- prime:
- - bin/vim.tiny
- - etc/vimrc
-
 virtiofsd:
 source: https://gitlab.com/virtio-fs/virtiofsd
 source-type: git
@@ -1585,7 +1573,6 @@ parts:
 - sqlite
 - squashfs-tools-ng
 - swtpm
- - vim
 - virtiofsd
 - xfs
 - xz
From 8f18b6d8ca9f4e7bae7abe1505fcce03bf163f7e Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 6 Dec 2023 11:41:43 -0500
Subject: [PATCH 3/5] snapcraft/wrappers/editor: use vimrc from the base core
Also add logic to both nano (builtin) and vim.tiny (from the base coreXX) to ignore any unreadable rc file.
Signed-off-by: Simon Deziel
---
snapcraft/wrappers/editor | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/snapcraft/wrappers/editor b/snapcraft/wrappers/editor
index 3ffe37d72..97f1342b5 100755
--- a/snapcraft/wrappers/editor
+++ b/snapcraft/wrappers/editor
@@ -42,21 +42,30 @@ if [ -n "${EDIT_CMD}" ] && [ "${USERNS}" = 1 ]; then
 find_and_spawn "${EDIT_CMD}" "${EDIT_PATH_HOST}"
 fi
+# If the editor's rcfile is not readable, ignore it.
+EDIT_IGNORE_RC=""
+
 # Default to built-in nano.
 if [ -z "${EDIT_CMD}" ]; then
 EDIT_CMD="nano"
+ [ -r "${SNAP}/etc/nanorc" ] || EDIT_IGNORE_RC="--ignorercfiles"
 fi
 # Setup for VIM.
 if [ "$EDIT_CMD" != "nano" ]; then
- if [ -e "${SNAP_USER_COMMON}/.vimrc" ]; then
- export VIMINIT="source ${SNAP_USER_COMMON}/.vimrc"
- else
- export VIMINIT="source ${SNAP}/etc/vimrc"
+ # Find the base use by the LXD snap.
+ for vimrc in "${SNAP_USER_COMMON}/.vimrc" "/snap/core22/current/etc/vim/vimrc"; do
+ [ -r "${vimrc}" ] || continue
+ export VIMINIT="source ${vimrc}"
+ done
+
+ # Ignore vimrc if none was found to be readable.
+ if [ -z "${VIMINIT:-""}" ]; then
+ EDIT_IGNORE_RC="--clean"
 fi
 EDIT_CMD="vim.tiny"
 fi
 # Run the editor.
-exec "${EDIT_CMD}" "${EDIT_PATH}"
+exec "${EDIT_CMD}" ${EDIT_IGNORE_RC} "${EDIT_PATH}"
From c30396a09a7179041a03a7089bf458299fafae1f Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 6 Dec 2023 13:03:29 -0500
Subject: [PATCH 4/5] snapcraft/wrappers/editor: simplify EDIT_PATH_HOST handling
Signed-off-by: Simon Deziel
---
snapcraft/wrappers/editor | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/snapcraft/wrappers/editor b/snapcraft/wrappers/editor
index 97f1342b5..fa03b2f86 100755
--- a/snapcraft/wrappers/editor
+++ b/snapcraft/wrappers/editor
@@ -38,7 +38,8 @@ fi
 # Try running the editor through the host.
 if [ -n "${EDIT_CMD}" ] && [ "${USERNS}" = 1 ]; then
 exec 9< /tmp/
- EDIT_PATH_HOST="$(echo "${EDIT_PATH}" | sed "s#/tmp/#/proc/self/fd/9/#g")"
+ # Replace "/tmp/" prefix by exec'ed FD 9.
+ EDIT_PATH_HOST="/proc/self/fd/9/$(echo "${EDIT_PATH}" | cut -d/ -f2)"
 find_and_spawn "${EDIT_CMD}" "${EDIT_PATH_HOST}"
 fi
From e1ef8068941270ae932115d7404710c0e392cd9a Mon Sep 17 00:00:00 2001
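Review bot: The `for vimrc in … ; do … export VIMINIT="source ${vimrc}"; done` loop never stops after the first readable file, so when both `${SNAP_USER_COMMON}/.vimrc` and `/snap/core22/current/etc/vim/vimrc` are readable the base's vimrc overwrites the user's, inverting the preference the removed if/else gave to the user's file; a `break` after the export fixes it: `export VIMINIT="source ${vimrc}"; break`. The comment above the loop, `# Find the base use by the LXD snap.`, seems to mean "used" and does not mention the user file the loop also checks; `# Prefer the user's .vimrc, then the vimrc of the base snap used by LXD.` would describe it. The base path is hard-coded as `/snap/core22/current`, so if the snap's base is ever bumped the lookup silently degrades to `--clean`; a comment naming where the base is declared (presumably snapcraft.yaml) would help the next person who changes it. The `[ -z "${VIMINIT:-""}" ]` test also honours any VIMINIT already present in the wrapper's environment, which may be intended but is worth a one-line comment. The script continues before and after this hunk.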
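Review bot: `cut -d/ -f2` keeps only the first path component after `/tmp/`, so the new `EDIT_PATH_HOST` is correct only when `EDIT_PATH` is a direct child of `/tmp` (a deeper path such as `/tmp/a/b` would map to `/proc/self/fd/9/a`), and unlike the removed `sed` substitution nothing now checks that `EDIT_PATH` starts with `/tmp/` at all, so any other absolute path would be silently rebased under the fd-9 directory. A parameter expansion keeps the whole suffix without spawning `echo`/`cut`: `EDIT_PATH_HOST="/proc/self/fd/9/${EDIT_PATH#/tmp/}"`, preceded by a guard such as `case "${EDIT_PATH}" in /tmp/*) ;; *) false ;; esac` that skips the host attempt for anything outside `/tmp`. How `EDIT_PATH` is set is outside the hunk, so whether it is already validated there cannot be confirmed from here.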
From: Simon Deziel
Date: Wed, 6 Dec 2023 13:05:08 -0500
Subject: [PATCH 5/5] snapcraft/wrappers/editor: use restricted mode for builtin editor fallbacks
While this is a weak security guard rail, it prevents the user from using the builtin editor to enter the snap's confined environment:
```
$ EDITOR=foo lxc config edit # causes the fallback to vim.tiny from core
!bash # gives shell access inside the snap confined env
```
From the outside it would look like:
```
root 6784 0.3 1.6 1538936 16908 pts/0 Sl 18:09 0:00 \_ /snap/lxd/x1/bin/lxc config edit
root 6808 0.1 0.4 6112 4448 pts/0 S 18:09 0:00 \_ vim.tiny /tmp/lxd_editor_3106750297.yaml
root 6816 0.0 0.3 5044 3904 pts/0 S+ 18:09 0:00 \_ bash
```
With the restricted mode, vim would refuse to shell out with:
> E145: Shell commands and some functionality not allowed in rvim
Similarly with nano (make sure there is no nano in the host):
```
$ lxc config edit
Ctrl-t + ps faux
```
In restricted mode, nano would refuse with:
> [ This function is disabled in restricted mode ]
Signed-off-by: Simon Deziel
---
snapcraft/wrappers/editor | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/snapcraft/wrappers/editor b/snapcraft/wrappers/editor
index fa03b2f86..aa30a4b44 100755
--- a/snapcraft/wrappers/editor
+++ b/snapcraft/wrappers/editor
@@ -45,10 +45,11 @@ fi
 # If the editor's rcfile is not readable, ignore it.
 EDIT_IGNORE_RC=""
-
+EDIT_RESTRICT=""
 # Default to built-in nano.
 if [ -z "${EDIT_CMD}" ]; then
 EDIT_CMD="nano"
+ EDIT_RESTRICT="--restricted"
 [ -r "${SNAP}/etc/nanorc" ] || EDIT_IGNORE_RC="--ignorercfiles"
 fi
@@ -66,7 +67,8 @@ if [ "$EDIT_CMD" != "nano" ]; then
 fi
 EDIT_CMD="vim.tiny"
+ EDIT_RESTRICT="-Z"
 fi
 # Run the editor.
-exec "${EDIT_CMD}" ${EDIT_IGNORE_RC} "${EDIT_PATH}"
+exec "${EDIT_CMD}" ${EDIT_RESTRICT} ${EDIT_IGNORE_RC} "${EDIT_PATH}"
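Review bot: The new `EDIT_RESTRICT="--restricted"` and `EDIT_RESTRICT="-Z"` assignments carry no comment, so the rationale in the commit message (keeping the builtin fallback editors from shelling out of the snap's confinement) is lost to a reader of the script; a line above `EDIT_RESTRICT=""` such as `# Run the builtin fallback editors in restricted mode so they cannot spawn a shell inside the snap; this is a guard rail, not a sandbox.` would carry it. It is worth stating in that comment that vim's `-Z` only disables commands that use an external shell and still allows reading and writing other files, whereas nano's `--restricted` also limits file access and, depending on the nano version, may already skip nanorc files, which would make `--ignorercfiles` redundant but harmless next to it. On the final `exec`, the options and `"${EDIT_PATH}"` are joined without a `--` separator; `EDIT_PATH` is set outside these hunks, and if it can ever begin with `-`, `exec "${EDIT_CMD}" ${EDIT_RESTRICT} ${EDIT_IGNORE_RC} -- "${EDIT_PATH}"` keeps it from being parsed as an option (both vim and nano accept `--`). As a point of style, the first hunk replaces the blank line after `EDIT_IGNORE_RC=""` with the new assignment, leaving no separation before `# Default to built-in nano.`.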