Comment 2 for bug 1949368

Ian Johnson (anonymouse67) wrote :

We are going through the other interfaces in snapd which take developer strings from the snap.yaml for interface definitions, and have validated that while these other interfaces take input from the snap.yaml, they are properly validated against very specific regular expressions and thus not subject to the same injection:

* serial-port
* iio
* i2c
* bool-file
* hidraw
* uio

However, the system-files and personal-files interfaces both allow arbitrary paths as input and thus are also subject to the same vulnerability as the content interface, but these interfaces are super-privileged and closely monitored in the store, so they are unlikely to be able to be abused. We should still probably adjust code inside snapd to be more strict in what snapd allows, and also to quote the filepath rather than include it directly.

Finally, the netlink-driver interface has a weird quirk upon closer inspection that should be closed independently: the "family-name" attribute has this as the regular expression:

^[a-z]+[a-z0-9-]*[^\-]$

which allows any single character (except "-") at the end, meaning that for example a "," could be injected, though this would likely just make the profile fail to compile and doesn't seem to have a possibility to be used for sandbox escape, since only a single character can be injected into the file.
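As an added illustration (not code from the bug report or from snapd), the quoted family-name pattern is run beside an assumed tightened form over constructed sample names, showing which inputs only the loose pattern accepts; `familyNameStrict`, `validateFamilyName` and `familyNamesOnlyLooseAccepts` are assumed names, not snapd's.

```go
package main

import (
	"fmt"
	"regexp"
)

// Regular expression quoted in the bug comment for the netlink-driver
// interface's "family-name" attribute. Its final character class [^\-]
// accepts any character other than "-", not only [a-z0-9].
var familyNameLoose = regexp.MustCompile(`^[a-z]+[a-z0-9-]*[^\-]$`)

// Assumed tightened form (not snapd's code): the last character must be a
// lowercase letter or digit, so punctuation such as "," can no longer end
// an otherwise well-formed name.
var familyNameStrict = regexp.MustCompile(`^[a-z]+[a-z0-9-]*[a-z0-9]$`)

// validateFamilyName reports whether name passes the loose and the strict
// pattern respectively.
func validateFamilyName(name string) (loose, strict bool) {
	return familyNameLoose.MatchString(name), familyNameStrict.MatchString(name)
}

// familyNamesOnlyLooseAccepts returns the sample names that the loose
// pattern accepts but the strict pattern rejects, i.e. the inputs that
// would reach the generated profile with a non-alphanumeric last character.
func familyNamesOnlyLooseAccepts(names []string) []string {
	var diff []string
	for _, n := range names {
		loose, strict := validateFamilyName(n)
		if loose && !strict {
			diff = append(diff, n)
		}
	}
	return diff
}

func main() {
	// Constructed sample inputs; none are taken from a real snap.
	samples := []string{"nl80211", "my-family0", "abc,", "abc ", "abc#", "abc-", "-abc", "ABC"}
	for _, s := range samples {
		loose, strict := validateFamilyName(s)
		fmt.Printf("%-12q loose=%-5v strict=%v\n", s, loose, strict)
	}
	fmt.Println("accepted only by the loose pattern:", familyNamesOnlyLooseAccepts(samples))
}
```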