On Mon, 2017-02-13 at 10:56 +0100, Roberto Mier Escandón wrote:
> Hey,
>
> Just an idea.
> In my last snap I needed docker-support interface for only having access
> to use mknod and chroot. Compared with the big list of permissions that
> interface allows and I don't need, I wonder if we could have an internal
> kind of structure of interfaces so that there are some of them which are
> the composition of others. One snap could plug docker-support not
> knowing that is "chroot" interface + "ptrace" interface + whatever.
> Other snap can plug chroot interface instead since doesn't need the
> other stuff and so on...
>
In general, the security policy is the composition of interfaces. The default template plus interfaces gives you your security policy. There isn't that much overlap between the interfaces (a few seccomp calls notwithstanding, but there are some cleanups to be had there), but there is some, because interfaces are mostly meant to be standalone.

The interfaces system is meant to be developer friendly and 'fine-grained enough' for the functionality that is meant to be exposed. chroot or ptrace interfaces aren't necessarily interesting on their own because we have to ask questions like 'chroot to where?' or 'ptrace what and how?' As such, we look at the desired functionality and go from there. Perhaps there is something that can be added to the template or an existing interface, perhaps it is a new interface. How that is expressed internally in snapd is an internal implementation detail, but what we expose to developers and users is very carefully considered.

We did just that for the docker-support interface and it is a very special interface that is transitional and exists to make docker work at all. It's a very specific corner-case interface that allows a lot more than what is advertised.

The best course of action is to file bugs and/or discuss on this list the functionality you want, then the developers can figure out how to expose it.

--
Jamie Strandboge | http://www.canonical.com
-- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft