As part of working on #358, we found out that the untrusted socket is not used, and so can be removed (in preparation for porting the AccessChecker changes from snapd in https://github.com/canonical/pebble/pull/358).
Indicators that it's not used:
If we look at how `canAccess` works, if we match on `untrustedSocketPath` (`isUntrusted`), the only way for `canAccess` to allow the request is when `c.UntrustedOK` is `true` (otherwise it unconditionally returns `accessUnauthorized` immediately):

```go
// Excerpt from canAccess: a request that arrived on the untrusted socket
// is only allowed if the matched Command explicitly opted in.
if isUntrusted {
	if c.UntrustedOK {
		return accessOK
	}
	return accessUnauthorized
}
```

So in order for any API calls to be allowed with the untrusted socket (assuming all API calls go through `canAccess`), we would need to have a `Command` defined with `UntrustedOK: true`. Checking the Pebble codebase, no such `Command` definition exists, which means that even if any application would use the untrusted socket currently, all API calls would return `accessUnauthorized` unconditionally for this socket.
The untrusted socket as well as `UntrustedOK` in `Command` were already part of the initial import commit (50466bab893615147372361c78d4c48102daa07f), so they seem to be an inheritance from snapd that hasn't seen use in Pebble since then. The corresponding snapd sources from around November 10th, 2020 seem to call these `SnapOK` (`UntrustedOK`), `dirs.SnapSocket` (`untrustedSocketPath`) and `snapListener` (`untrustedListener`).

Due to `gofmt` and removal of struct members with the longest names, this PR is best reviewed with the "hide whitespace" option.
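The reasoning above can be checked mechanically: model the quoted `canAccess` branch and scan a command table for any entry that could ever succeed over the untrusted socket. This is an added illustration, not Pebble's code; the `Command` struct, the `accessResult` values and the sample command paths are simplified assumptions based on the names used in this PR.

```go
package main

import "fmt"

// accessResult mirrors the outcomes of the access check (names assumed from the PR text).
type accessResult int

const (
	accessOK accessResult = iota
	accessUnauthorized
)

// Command is a simplified stand-in for Pebble's Command struct; only the
// field this PR discusses is modelled.
type Command struct {
	Path        string
	UntrustedOK bool
}

// canAccess models the branch quoted in the PR: a request arriving on the
// untrusted socket is allowed only if the matched Command opts in via
// UntrustedOK. Trusted-socket handling is collapsed to "allow" here since
// it is not what the PR is about.
func canAccess(c *Command, isUntrusted bool) accessResult {
	if isUntrusted {
		if c.UntrustedOK {
			return accessOK
		}
		return accessUnauthorized
	}
	return accessOK
}

// untrustedReachable returns the paths of every command that could succeed
// over the untrusted socket. An empty result is exactly the "dead code"
// condition the PR relies on: the listener can never authorize a request.
func untrustedReachable(cmds []*Command) []string {
	var paths []string
	for _, c := range cmds {
		if canAccess(c, true) == accessOK {
			paths = append(paths, c.Path)
		}
	}
	return paths
}

func main() {
	// Constructed command table: no entry sets UntrustedOK, matching the PR's finding.
	cmds := []*Command{{Path: "/v1/system-info"}, {Path: "/v1/services"}}
	fmt.Println("reachable via untrusted socket:", untrustedReachable(cmds))
}
```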