Use AmbientCapabilities on non-core16 systems

fs caps dont work on newer bases because all mounted fs are no setuid,
which also means no setcap, so the current implementation doesnt work.
This also add setpriv to the dependencies, which is already staged on
core!=18, but still putting it there so that if it gets removed we have
it

Author: Hook25

checkbox-core-snap/series18/snap/snapcraft.yaml

@@ -198,6 +198,7 @@ parts:
       - zlib1g-dev
       - build-essential
     stage-packages:
+      - setpriv # used to downgrade AmbientCapabilities of systemd-based runner
       - python3-markupsafe
       - python3-jinja2
       - python3-packaging

checkbox-core-snap/series20/snap/snapcraft.yaml

@@ -206,6 +206,7 @@ parts:
       - zlib1g-dev
       - build-essential
     stage-packages:
+      - setpriv # used to downgrade AmbientCapabilities of systemd-based runner
       - python3-markupsafe
       - python3-jinja2
       - python3-packaging

checkbox-core-snap/series22/snap/snapcraft.yaml

@@ -213,6 +213,7 @@ parts:
       - zlib1g-dev
       - build-essential
     stage-packages:
+      - setpriv # used to downgrade AmbientCapabilities of systemd-based runner
       - python3-markupsafe
       - python3-jinja2
       - python3-packaging

checkbox-core-snap/series24/snap/snapcraft.yaml

@@ -154,6 +154,7 @@ parts:
     source: checkbox-support
     source-type: local
     stage-packages:
+      - setpriv # used to downgrade AmbientCapabilities of systemd-based runner
       # actual requirements
       - python3-bluez
       - python3-pyparsing

checkbox-ng/plainbox/impl/execution.py

@@ -43,7 +43,11 @@
 from plainbox.i18n import gettext as _
 from plainbox.impl.color import Colorizer
 from plainbox.impl.unit.job import supported_plugins
-from plainbox.impl.unit.unit import on_ubuntucore
+from plainbox.impl.unit.unit import (
+    on_ubuntucore,
+    get_snap_base,
+    get_checkbox_runtime_path,
+)
 from plainbox.impl.result import (
     IOLogRecordWriter,
     JobResultBuilder,
@@ -777,14 +781,14 @@ def dangerous_nsenter(path):
         return
     try:
         # here recover setcap and nsenter binaries path outside the sandbox
-        setcap_path = check_output(
-            get_plz_run(["bash", "-c", "which setcap"]),
-            universal_newlines=True,
-        ).strip()
-        nsenter_path = check_output(
-            get_plz_run(["bash", "-c", "which nsenter"]),
-            universal_newlines=True,
-        ).strip()
+        runtime_path = get_checkbox_runtime_path()
+        runtime_nsenter = runtime_path / "usr" / "bin" / "nsenter"
+        # Note: this path only works on core<24, on core24+ this is in
+        #       /usr/sbin but this code should only work on core16, so this is
+        #       fine
+        runtime_setcap = runtime_path / "sbin" / "setcap"
+        setcap_path = str(runtime_setcap)
+        nsenter_path = str(runtime_nsenter)
         check_call(get_plz_run(["cp", nsenter_path, path]))
         check_call(
             get_plz_run(
@@ -840,30 +844,60 @@ def get_execution_command_systemd_unit(
     # DONT use SNAP_COMMON (not writable by normal user)
     # DONT use SNAP_USER_COMMON (not writable by normal user if running as root)
     shared_location = "/var/tmp"
-    if on_ubuntucore():
-        if target_user != "root":
+    core_snap = on_ubuntucore()
+    # when in a core snap, we need the snap mount namespace to use anything
+    # that was shared via a content interface
+    if core_snap:
+        snap_base = get_snap_base()
+        if target_user != "root" and snap_base == "core16":
             # here we need a dangerous copy of nsenter that works as "normal"
             # user because the unit will be normal user and else it wont be
-            # able to mount the snap namespace
+            # able to mount the snap namespace. This only on core16 because
+            # other distros support setting AmbientCapabilities via dbus API
+            # making that a better, more secure alternative
             with tempfile.NamedTemporaryFile(
                 mode="w", delete=False, prefix="nsenter_", dir=shared_location
             ) as f:
                 dangerous_nsenter_path = f.name
+        elif target_user != "root":
+            # on core > 16 we can set AmbientCapabilities without using fs caps
+            # These are the capabilities needed to mount the namespace
+            # from linux/capability.h
+            # uint64(1 << 21| 1<<18 | 1<<6 | 1<<7))}
+            CAP_SETGID = 6  # necessary for setpriv
+            CAP_SETUID = 7  # necessary for setpriv
+            CAP_SYS_CHROOT = 18  # necessary for nsenter
+            CAP_SYS_ADMIN = 21  # necessary for nsenter
+            ambient_capabilities_bitset = (
+                1 << CAP_SETGID
+                | 1 << CAP_SETUID
+                | 1 << CAP_SYS_CHROOT
+                | 1 << CAP_SYS_ADMIN
+            )
+            wrapper_cmd += [
+                "-ambient-capabilities",
+                str(ambient_capabilities_bitset),
+            ]
+        # these binaries are not reliably shipped / may not be in path
+        runtime_path = get_checkbox_runtime_path()
+        runtime_nsenter = runtime_path / "usr" / "bin" / "nsenter"
+        runtime_setpriv = runtime_path / "usr" / "bin" / "setpriv"
 
-        # when in a core snap, we need the snap mount namespace to use anything
-        # that was shared via a content interface
         snap_name = os.getenv("SNAP_NAME", "checkbox")
         cmd += [
-            # Note: don't make this absolute! We must use the system nsenter
-            #       as we have yet to mount the namespace, so the snap one won't
-            #       work
             (
-                "nsenter"
+                str(runtime_nsenter)
                 if dangerous_nsenter_path is None
                 else dangerous_nsenter_path
             ),
             "-m/run/snapd/ns/{}.mnt".format(snap_name),
         ]
+        if snap_base != "core16":
+            # on non-core16 we have given ourselves AmbientCapabilities. After
+            # using them for what we needed (mounting the namespace) we must
+            # drop them else the "user" test will have way more priviledges
+            # than it is supposed to
+            cmd += [str(runtime_setpriv), "--inh-caps=-all"]
     env = get_execution_environment(job, environ, session_id, nest_dir)
     if extra_env:
         env.update(extra_env())
@@ -888,6 +922,8 @@ def get_execution_command_systemd_unit(
         path = f.name
 
     wrapper_cmd.append(path)
+    # dangerous_nsenter will create the dangerous version only if it is needed
+    # it is a no-op on non-core16 snaps
     with dangerous_nsenter(dangerous_nsenter_path):
         try:
             yield wrapper_cmd

checkbox-ng/plainbox/impl/unit/unit.py

@@ -29,6 +29,7 @@
 import logging
 import os
 import string
+from pathlib import Path
 from functools import lru_cache
 
 from jinja2 import Template
@@ -72,6 +73,31 @@ def on_ubuntucore():
     return False
 
 
+@lru_cache(maxsize=None)
+def get_snap_base():
+    """
+    Get the current snap base
+    """
+    snap = os.getenv("SNAP")
+    if snap:
+        with open(os.path.join(snap, "meta/snap.yaml")) as f:
+            for l in f.readlines():
+                if "base:" in l:
+                    core_version = l.replace("base:", "").strip()
+                    if core_version == "core":
+                        return "core16"
+                    return core_version
+        return "core16"  # core16 may not declare base
+    raise ValueError("Couldn't detect snap path. Missing SNAP envvar")
+
+
+def get_checkbox_runtime_path():
+    snap_base_n = get_snap_base().replace("core", "")
+    # the bases of the runtime and frontend must always match
+    runtime_name = "checkbox" + snap_base_n
+    return Path("/snap") / ("checkbox" + snap_base_n) / "current"
+
+
 class MissingParam(Exception):
     """
     Indicaiton of a missing parameter required for template instantiation.