Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

interfaces,overlord: allow access to kernel snap in profiles #14899

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

alfonsosanchezbeato
Copy link
Member

In UC24+ the kernel modules and firmware is accessed from symlinks in
/lib/{modules,firmware} that can point to different locations. Make
sure that the files can be read by any snap, as there are actions that
can trigger the automatic loading of modules or firmware from the
kernel. This is also needed so the kernel-modules-control can actually
work as expected.

In UC24+ the kernel modules and firmware is accessed from symlinks in
/lib/{modules,firmware} that can point to different locations. Make
sure that the files can be read by any snap, as there are actions that
can trigger the automatic loading of modules or firmware from the
kernel. This is also needed so the kernel-modules-control can actually
work as expected.
This option is needed to generate apparmor profiles that allow
accessing kernel modules/firmware.
@alfonsosanchezbeato
Copy link
Member Author

Access to component dirs might be tightened so only those of type kernel-modules can be accessed, but that would imply to regenerate all profiles on installation of these components and the kernel. The same can be said for access to modules in $SNAP_DATA, where content of kernel.yaml would need to be checked.

Copy link

codecov bot commented Jan 6, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.21%. Comparing base (24a0034) to head (1cd5576).
Report is 81 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #14899      +/-   ##
==========================================
+ Coverage   78.20%   78.21%   +0.01%     
==========================================
  Files        1151     1155       +4     
  Lines      151396   152853    +1457     
==========================================
+ Hits       118402   119557    +1155     
- Misses      25662    25910     +248     
- Partials     7332     7386      +54     
Flag Coverage Δ
unittests 78.21% <100.00%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comment about remodeling

@@ -88,12 +88,19 @@ func (m *InterfaceManager) buildConfinementOptions(st *state.State, snapInfo *sn
return interfaces.ConfinementOptions{}, fmt.Errorf("cannot get extra mount layouts of snap %q: %s", snapInfo.InstanceName(), err)
}

kernelSnap := ""
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the code here probably needs to take the task so we can do the right thin during remodel

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, fixed now

interfaces/apparmor/backend.go Show resolved Hide resolved
so remodelling scenarios are handled properly.
Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you

@pedronis pedronis added Needs security review Can only be merged once security gave a :+1: Security-High labels Jan 9, 2025
@pedronis pedronis added this to the 2.67.1 milestone Jan 9, 2025
Copy link
Contributor

@alexmurray alexmurray left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM in general - only allows read access to contents under /snap/$kernel/ and /var/snap/$kernel - where $kernel comes from snapd itself interrogating the DeviceCtx() - which as far as I can tell contains the name of the kernel snap as specified in the model assertion for the device and so is not able to be influenced in any way by the untrusted snap or user itself

@alexmurray alexmurray removed Security-High Needs security review Can only be merged once security gave a :+1: labels Jan 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants