interfaces/builtin: allow fwupdmgr refresh on fwupd plug #2228
timchen119 commented Oct 28, 2016
I'm not quite sure this is sound. The meaning of the plug was being able to talk to fwupd, but now it's granting actual capabilities to the plug holder. What are the details behind this change?
At first I was thinking this was fine, but then I got to thinking-- why doesn't the snap simply:
Up to @timchen119 to comment on this.
@jdstrand does network-observe allow the net_admin capability? Also, I thought we wanted the interface alone to be able to support the fwupd and fwupdmgr tools. I'm not sure why I didn't catch this error with the previous Ubuntu Core build; fwupdmgr behavior and commands were the same.
@timchen119 - "@jdstrand does network-observe allow net_admin capability?" - yes. As for fwupd, it is defined as "Can access snaps providing the fwupd interface which gives privileged access to update UEFI capsule format firmware.". It isn't designed to give network access, to run ping, etc. The network and network-observe interfaces are there for you to use for that sort of thing.
@jdstrand am I missing something? It looks commented out on master (https://github.com/snapcore/snapd/blob/master/interfaces/builtin/network_observe.go#L36). fwupdmgr refresh is a required action to update UEFI firmware from the LVFS, but sure, if that's what we want I will use other interfaces in the snap. I can test what you mentioned when I have the machine around. Thanks.
@timchen119 - hrmm, actually you are right. I was thinking of net_raw for ping and missed that net_admin was commented out. Ok, definitely use 'network' for the seccomp denial, but can you describe why fwupd needs 'net_admin'? 'man capabilities' and looking at CAP_NET_ADMIN may provide some insight.
@jdstrand after some testing on the machine, add