o/hookstate/ctlcmd: add optional --pid and --apparmor-label arguments to "snapctl is-connected"

[jhenstridge]

This PR is an implementation of @pedronis's snapctl is-connected --pid proposal described in this forum thread:

https://forum.snapcraft.io/t/autoconnect-requests-for-pulseaudio/18926/3?u=jamesh

Unlike regular snapctl is-connected, the --pid option only considers connections with the snap identified by the given process ID, as identified by cgroup.SnapNameFromPid. The intention is to allow a snap daemon using local sockets check that the peer it is talking to has connected a given interface.

For example, a Pulse Audio snap may provide audio-record and audio-playback slots whose connection grant access to the daemon's socket. The daemon can issue a snapctl is-connected --pid $pid audio-record to determine whether a particular client has been granted access to the microphone.

In addition to the normal 0/1 exit codes, the command may also return the following:

• 10: process ID does not refer to a snap
• 11: plug/slot is not connected, and process ID refers to a classic confined snap.

These both look like "false" to the shell, but can be used by services that want to communicate with host system processes or classic snaps.

There is a placeholder function to check whether to allow the feature to be used with a particular plug/slot. At present, it hard codes it to allow use on slots of interface cups-control, pulseaudio, or audio-record.

[tillkamppeter]

CUPS is supposed to allow access from any non-snapped process and any classic-mode-snapped process in addition to standard-snapped processes plugging to "cups-control", so either the mentioned command should return "true" in all these cases or have special answers for non-snapped and classic-mode-snapped processes.

[tillkamppeter]

Is it also possible for CUPS to do this with an API call or only by calling this command line tool?

[jhenstridge]

CUPS is supposed to allow access from any non-snapped process and any classic-mode-snapped process in addition to standard-snapped processes plugging to "cups-control"

Good point about classic confinement snaps. I agree that for the Pulse Audio and CUPS use cases it would make sense to treat classic snaps like unconfined processes. It does muddy things a bit though, since classic snaps can have plugs and slots.

Is it also possible for CUPS to do this with an API call or only by calling this command line tool?

Yes. The snapd-glib library includes a snapd_client_run_snapctl_sync method. You'd probably need to call snapd_client_set_socket_path first to have the SnapdClient talk to /run/snapd-snap.socket instead of /run/snapd.socket though.

Since you'd be dealing with only a process ID, this would remove the need for determining and parsing the AppArmor label of the peer too.

[zyga]

Technically this looks correct and feels nice.

I left some comments. Please ping for a full review when not a draft.

[zyga]

Quick pass through the spread test (my favourite part of snapd patches)

[tillkamppeter]

@jhenstridge, anything still missing to drop the "Draft" status? I am waiting for this to get in, so that the CUPs Snap can finally get into the Snap Store.

[jhenstridge]

I've flipped the PR over to ready for review. I added a check to restrict the feature to one of a few slot types. That check probably should be changed a bit or moved to a more appropriate location, but I'm not sure where exactly.

[pedronis]

@jhenstridge I looked at this and spent some time thinking, let's chat about it

[alexmurray]

This looks good to me from a security point of view, there are comprehensive tests and the implementation looks solid. Just waiting to follow up on Samuele's question above before signing off on this with security review.

[alexmurray]

Security review done as per the previous comments / discussion 👍

[pedronis]

thanks, a couple of comments/questions

[pedronis]

@jhenstridge I answered to your last replies making some suggestions

[anonymouse64]

a couple terminology changes to use more inclusive language, but other than that lgtm, thanks for working on this