REST API for creating baby capabilities

Zygmunt Krynicki zygmunt.krynicki at canonical.com
Tue Nov 17 07:21:23 UTC 2015 

On Tue, Nov 17, 2015 at 3:47 AM, Seth Arnold <seth.arnold at canonical.com> wrote:
> On Mon, Nov 16, 2015 at 06:22:23PM +0100, Zygmunt Krynicki wrote:
>> I'm slowly progressing towards having an API for capabilities. The API
>> is very simple, all you can do is create, list and remove capablity
>> objects. This is still pre-usefulness stage. Still, I'd love to
>
> I'm quite surprised by the delete call; I thought caps were much like
> AppArmor abstraction files, not actually doing anything until they are
> included into a policy of some sort.

Ah, good question. Those are different capabilities (again, sorry for
the name clash but it's beyond my control). Here, each capability
represents a resource of some kind that can be potentially assigned to
a snap. Capability does not do anything by itself. Once it is
assigned, the type of the capability, coupled with the set of
attributes (we're not there yet) that each capability carries will
grant the snap additional security permissions. In my terms it will
punch holes required to use the capability at runtime.

The delete call is justified below:

> When would someone want to delete a capability? Why? Who is allowed to do
> so and what recourses exist if one was deleted accidentally?

The current API is privileged. It is meant to be used for two goals:

1. Tinkering with the snappy capability subsystem. You can use those
APIs to freely alter the state to experiment and expose flaws in the
design. This is how we'll use it for the time being.
2. Be the backbone for reacting to system events. Let's say you've
plugged a wifi dongle to your raspberry pi. This created a few new
capabilities based on rules (that don't exist yet). Now you remove the
dongle. Bam, those capabilities are gone.

So to answer your question, Snappy itself will create and delete
capabilities for the vast majority of the time. Later on I'm open to
allowing some snaps to also do that (e.g. a service that transforms
one resource into another by consuming one capability and producing a
different capability).

If you delete a capability by accident then you must have been
tinkering. Normally this will not be allowed (perhaps we'll restrict
this or put it in some internal CLI tools). Even if, you can just
reboot as (again, we're not there yet) the rule system will re-create
everything.

Thanks
ZK

More information about the snappy-devel mailing list