-
Notifications
You must be signed in to change notification settings - Fork 591
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
interfaces,overlord: allow access to kernel snap in profiles #14899
base: master
Are you sure you want to change the base?
interfaces,overlord: allow access to kernel snap in profiles #14899
Conversation
In UC24+ the kernel modules and firmware is accessed from symlinks in /lib/{modules,firmware} that can point to different locations. Make sure that the files can be read by any snap, as there are actions that can trigger the automatic loading of modules or firmware from the kernel. This is also needed so the kernel-modules-control can actually work as expected.
This option is needed to generate apparmor profiles that allow accessing kernel modules/firmware.
Access to component dirs might be tightened so only those of type |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #14899 +/- ##
==========================================
+ Coverage 78.20% 78.21% +0.01%
==========================================
Files 1151 1155 +4
Lines 151396 152853 +1457
==========================================
+ Hits 118402 119557 +1155
- Misses 25662 25910 +248
- Partials 7332 7386 +54
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comment about remodeling
@@ -88,12 +88,19 @@ func (m *InterfaceManager) buildConfinementOptions(st *state.State, snapInfo *sn | |||
return interfaces.ConfinementOptions{}, fmt.Errorf("cannot get extra mount layouts of snap %q: %s", snapInfo.InstanceName(), err) | |||
} | |||
|
|||
kernelSnap := "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the code here probably needs to take the task so we can do the right thin during remodel
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, fixed now
so remodelling scenarios are handled properly.
7cdf7d5
to
71b8ccd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM in general - only allows read access to contents under /snap/$kernel/ and /var/snap/$kernel - where $kernel comes from snapd itself interrogating the DeviceCtx() - which as far as I can tell contains the name of the kernel snap as specified in the model assertion for the device and so is not able to be influenced in any way by the untrusted snap or user itself
In UC24+ the kernel modules and firmware is accessed from symlinks in
/lib/{modules,firmware} that can point to different locations. Make
sure that the files can be read by any snap, as there are actions that
can trigger the automatic loading of modules or firmware from the
kernel. This is also needed so the kernel-modules-control can actually
work as expected.