Flatpak support for read-only per user p11-kit remote socket

[alexlarsson]

I have been looking at the ca-certificate story for flatpak. Currently each runtime ships a ca-certificatates bundle and is set up to use that. However, that is basically wrong, what we want to do is expose the ca-certs from the host (in a read-only fashion). I looked into exporting the raw files, but it seems like every distro is doing things in their own way, so this seems pretty painful.

Instead we could rely on the host shipping with p11-kit, and bind-mount a unix socket into the sandbox in a well known location (this is how we expose X11/wayland/pulseaudio too). Then the runtime/apps could be configured with modules to get ca:s from there.

Would this be a reasonable approach? And would it work for both OpenSSL and gnutls? Does it work already, or does it require any p11-kit work?

[nmav]

Would this be a reasonable approach?

@alexlarsson [sorry for the late reply] it seems so

And would it work for both OpenSSL and gnutls?

It depends how are they compiled. gnutls can be compiled to read the CA trust store from p11-kit trust module directly (fedora does that), and openssl may need to generate some file store from p11-kit.

Does it work already, or does it require any p11-kit work?

It does. fedora uses p11-kit that way.

[alexlarsson]

openssl may need to generate some file store from p11-kit.

What exactly do you mean by this? What and when would create these files? Suppose we're running in a sandbox with no files from the host, just a unix domain socket to p11y-kitd. Do we have to run some trigger on app startup to extract the current ca certs?

So, the other question is, what else but reading the ca-certs can you do via p11y-kitd? Can you add new root certs? I guess you can access smart cards? Thats maybe not ideal to export to all apps. Is there anything else that is problematic to give access to for "untrusted" code?

[stefwalter]

I tihnk we should make it so openssl doesn't need to build a filestore from p11-kit. Can we just do the work to make openssl access p11-kit directly for its certificates and trust?

[alexlarsson]

It seems to me that docker and other container system have similar requirements to this. I.e. you want to add a system-wide ca root on the host and have containers pick these up automatically. No?

[alexlarsson]

At least for the new work on "system containers".

[stefwalter]

A while back Openshift folks were also asking about this for their pods. To be able to mount trusted certificate files into containers, they way they bring the host resolv.conf in ... Again, depends on making this work seamlessly with OpenSSL ... due to a lot of containerized software using OpenSSL.

[nmav]

Given that the files are generated on the host, wouldn't bind mounting '/etc/pki' on containers and flatpak, "just" work? It contains files for openssl, gnutls, nss as well as java. The only issue that I can find with that, is that /etc/pki contains a lot of other crap too.

[stefwalter]

Right, if that is sorted out (separating trust related files from private keys) ... then we're in a good place for sharing CA trust into containers / flatpaks. The p11-kit ca-trust directories are already separate, others are intermingled.

[alexlarsson]

For the case of flatpak I'm specifically interested in p11-kitd because i cannot mount the pki files directly, since flatpak is cross-distribution and the file layout differs wildly between different distributions (and versions). The hope was to get a single, ABI-stable, long term supportable source for CA trust.

I understand that in a openshift on rhel running a rhel container we can just share /etc/pki, but that is just not good enough for me.

Of course, if anyone manages to sell a single standard for storing the ca roots for all distros then i can use that too.

[stefwalter]

PKCS#11 is that standard. But integration into OpenSSL is what needs to be finished, hence the reference to that above.

[alexlarsson]

Yes, pkcs#11 is good, but /etc/pki is not.

[nmav]

I wouldn't bet on openssl integration any time soon. Nevertheless, @alexlarsson what about what I suggested above. Use PKCS#11 for NSS and gnutls apps, and use the commands

/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem

to generate the layout that openssl expects?

[alexlarsson]

I guess that would work. I could put it in a script so that only apps using openssl would need to call that on startup.

[kaie]

Is it possible that a flatpak application runs with root permissions? If yes, then a flatpak shouldn't access the host's p11-kit-trust.so module directly, because it can be used to change the host CA trust configuration.