interfaces: add random interface #3045
Conversation
interfaces/builtin/hw_random.go
Outdated
| # Description: Allow access to the hardware random number generator device - /dev/hwrng | ||
|
|
||
| /dev/hwrng rw, | ||
| /devices/virtual/misc/hw_random rw, |
| allow-installation: | ||
| slot-snap-type: | ||
| - core | ||
| deny-auto-connection: true |
There was a problem hiding this comment.
Why? This looks like something we should hand off by default.
|
@niemeyer , I fixed the code after your comments. For the some reason tests fail because of timeout. |
|
@femdom Thanks. We had some issues last week with test machine contention (too many tests, not enough machines), which resulted in them waiting too much for a machine to be available. Situation is normalized now and I've restarted the test. @jdstrand can you please have a look at this one when you have a moment? |
|
Travis tests passing. |
|
@femdom FYI, I've updated this PR for the latest API changes. |
|
Thanks, @stolowski! Checks passed! |
| allow-installation: | ||
| slot-snap-type: | ||
| - core | ||
| allow-auto-connection: true |
There was a problem hiding this comment.
I think this should be renamed to hardware-random or even hardware-random-control since random implies /dev/random and /dev/urandom and we already allow access to those by default.
I also think this should be: deny-auto-connection: true since direct access to /dev/hwrng is not normally needed and typically only used by applications such as rng-tools to mix /dev/hwrng into kernel entropy. More importantly, a hardware-specific kernel driver for /dev/hwrng could be implemented in any number of ways including with weak (or non-existent) entropy (the kernel does not perform any fitness tests). Since this interface allows changing the hwrng via sysfs, it is possible to switch out a stronger rng for a weaker one and this is something that should not be auto-connected.
Perhaps this could be broken out into two interfaces:
- hardware-random-observe - read access to relevant files from this PR, manually connected
- hardware-random-control - all of hardware-random-observe plugs write access to /sys/class/misc/hw_random/rng_current for changing the hwrng, manually connected
I would argue that hardware-random-observe would still be a manual connection because the access is not typically needed, the device may not be provided by the kernel and there is no guarantee that the fitness of the device is good (ie, the gadget developer or device owner should decide whether a snap should use /dev/hwrng).
There was a problem hiding this comment.
All recommendations, including naming, feel sound. 👍
interfaces/builtin/random.go
Outdated
| const randomConnectedPlugAppArmor = ` | ||
| # Description: Allow access to the hardware random number generator device - /dev/hwrng | ||
|
|
||
| /dev/hwrng rw, |
There was a problem hiding this comment.
Done though have a look, I'm not sure if the control-vs-observe split applies here
interfaces/builtin/random.go
Outdated
| ) | ||
|
|
||
| const randomConnectedPlugAppArmor = ` | ||
| # Description: Allow access to the hardware random number generator device - /dev/hwrng |
There was a problem hiding this comment.
Please change this to:
# Description: allow direct access to the hardware random number generator device. Usually,
# the default access to /dev/random is sufficient, but this allows applications such as rng-tools
# to use /dev/hwrng directly or change the hwrng via sysfs. For details, see
# https://www.kernel.org/doc/Documentation/hw_random.txt
interfaces/builtin/random.go
Outdated
| # Description: Allow access to the hardware random number generator device - /dev/hwrng | ||
|
|
||
| /dev/hwrng rw, | ||
| /sys/devices/virtual/misc/hw_random rw, |
There was a problem hiding this comment.
This is a directory, not a file. This rule should be:
/sys/devices/virtual/misc/ r,
/sys/devices/virtual/misc/hw_random/rng_{available,current} r,
# Allow changing the hwrng
/sys/devices/virtual/misc/hw_random/rng_current w,
The above assumes you actually need write access to /sys/devices/virtual/misc/hw_random/rng_current. Do you?
You should also add this rule:
/run/udev/data/c10:183 r,
|
Understood, thanks. |
|
@femdom - just to be clear, please don't make any changes just yet until these open questions are answered. |
|
Just updating the ticket. Let me know if I can fix addressed issues. |
This patch splits the "random" interface into a hardware-random-observe and -control interface pair. In addition the plugs no longer auto-connect and there are some extra permission for the -control plug. There are several smaller changes as requested by jdstrand. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
|
I just updated this according to @jdstrand specification. Let me know if there's anything more needed, I can quickly iterate and hopefully land this interface. |
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
| # Description: allow direct access to the hardware random number generator device. Usually, | ||
| # the default access to /dev/random is sufficient, but this allows applications such as rng-tools | ||
| # to use /dev/hwrng directly or change the hwrng via sysfs. For details, see | ||
| # https://www.kernel.org/doc/Documentation/hw_random.txt |
| /sys/devices/virtual/misc/hw_random/rng_{available,current} r, | ||
| # Allow changing the hwrng | ||
| /sys/devices/virtual/misc/hw_random/rng_current w, | ||
| /run/udev/data/c10:183 r, |
There was a problem hiding this comment.
Can you move this to below /dev/hwrng? It corresponds to that device and this access isn't needed for changing the hwrng. I also like to have blcnks lines before comments in policy, for readability. Eg:
+/dev/hwrng rw,
 +/run/udev/data/c10:183 r,
 +/sys/devices/virtual/misc/ r,
 +/sys/devices/virtual/misc/hw_random/rng_{available,current} r,
+
+# Allow changing the hwrng
 +/sys/devices/virtual/misc/hw_random/rng_current w,
| } | ||
|
|
||
| func (iface *HardwareRandomControlInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool { | ||
| return true |
There was a problem hiding this comment.
Can you add above this 'return' (for consistency with other interfaces):
// Allow what is allowed in the declarations
| /dev/hwrng r, | ||
| /sys/devices/virtual/misc/ r, | ||
| /sys/devices/virtual/misc/hw_random/rng_{available,current} r, | ||
| /run/udev/data/c10:183 r, |
There was a problem hiding this comment.
Can you move this under /dev/hwrng, like above?
| } | ||
|
|
||
| func (iface *HardwareRandomObserveInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool { | ||
| return true |
There was a problem hiding this comment.
and add above this 'return':
// Allow what is allowed in the declarations
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Allow access to the /dev/hwrng device (used in the Raspberry Pi).