New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
interfaces: add random interface #3045
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can probably name this as simply "random", and include in this interface any random-number generation infrastructure available in the system.
Otherwise, just a few notes:
interfaces/builtin/hw_random.go
Outdated
# Description: Allow access to the hardware random number generator device - /dev/hwrng | ||
|
||
/dev/hwrng rw, | ||
/devices/virtual/misc/hw_random rw, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing a /sys prefix.
allow-installation: | ||
slot-snap-type: | ||
- core | ||
deny-auto-connection: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why? This looks like something we should hand off by default.
@niemeyer , I fixed the code after your comments. For the some reason tests fail because of timeout. |
@femdom Thanks. We had some issues last week with test machine contention (too many tests, not enough machines), which resulted in them waiting too much for a machine to be available. Situation is normalized now and I've restarted the test. @jdstrand can you please have a look at this one when you have a moment? |
Travis tests passing. |
@femdom FYI, I've updated this PR for the latest API changes. |
Thanks, @stolowski! Checks passed! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Several open questions in addition to requested changes.
@niemeyer - you should weigh in on 'hardware-random' vs 'hardware-random-control' and 'hardware-random-observe'.
allow-installation: | ||
slot-snap-type: | ||
- core | ||
allow-auto-connection: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be renamed to hardware-random
or even hardware-random-control
since random
implies /dev/random and /dev/urandom and we already allow access to those by default.
I also think this should be: deny-auto-connection: true
since direct access to /dev/hwrng is not normally needed and typically only used by applications such as rng-tools to mix /dev/hwrng into kernel entropy. More importantly, a hardware-specific kernel driver for /dev/hwrng could be implemented in any number of ways including with weak (or non-existent) entropy (the kernel does not perform any fitness tests). Since this interface allows changing the hwrng via sysfs, it is possible to switch out a stronger rng for a weaker one and this is something that should not be auto-connected.
Perhaps this could be broken out into two interfaces:
- hardware-random-observe - read access to relevant files from this PR, manually connected
- hardware-random-control - all of hardware-random-observe plugs write access to /sys/class/misc/hw_random/rng_current for changing the hwrng, manually connected
I would argue that hardware-random-observe would still be a manual connection because the access is not typically needed, the device may not be provided by the kernel and there is no guarantee that the fitness of the device is good (ie, the gadget developer or device owner should decide whether a snap should use /dev/hwrng).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All recommendations, including naming, feel sound. 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm doing this change now.
interfaces/builtin/random.go
Outdated
const randomConnectedPlugAppArmor = ` | ||
# Description: Allow access to the hardware random number generator device - /dev/hwrng | ||
|
||
/dev/hwrng rw, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should just be 'r'.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done though have a look, I'm not sure if the control-vs-observe split applies here
interfaces/builtin/random.go
Outdated
) | ||
|
||
const randomConnectedPlugAppArmor = ` | ||
# Description: Allow access to the hardware random number generator device - /dev/hwrng |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please change this to:
# Description: allow direct access to the hardware random number generator device. Usually,
# the default access to /dev/random is sufficient, but this allows applications such as rng-tools
# to use /dev/hwrng directly or change the hwrng via sysfs. For details, see
# https://www.kernel.org/doc/Documentation/hw_random.txt
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
interfaces/builtin/random.go
Outdated
# Description: Allow access to the hardware random number generator device - /dev/hwrng | ||
|
||
/dev/hwrng rw, | ||
/sys/devices/virtual/misc/hw_random rw, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a directory, not a file. This rule should be:
/sys/devices/virtual/misc/ r,
/sys/devices/virtual/misc/hw_random/rng_{available,current} r,
# Allow changing the hwrng
/sys/devices/virtual/misc/hw_random/rng_current w,
The above assumes you actually need write access to /sys/devices/virtual/misc/hw_random/rng_current. Do you?
You should also add this rule:
/run/udev/data/c10:183 r,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
Understood, thanks. |
@femdom - just to be clear, please don't make any changes just yet until these open questions are answered. |
Just updating the ticket. Let me know if I can fix addressed issues. |
This patch splits the "random" interface into a hardware-random-observe and -control interface pair. In addition the plugs no longer auto-connect and there are some extra permission for the -control plug. There are several smaller changes as requested by jdstrand. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
I just updated this according to @jdstrand specification. Let me know if there's anything more needed, I can quickly iterate and hopefully land this interface. |
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving since my feedback is all nitpicks, but please update before committing.
BTW - thanks for the alphabetizing! :)
# Description: allow direct access to the hardware random number generator device. Usually, | ||
# the default access to /dev/random is sufficient, but this allows applications such as rng-tools | ||
# to use /dev/hwrng directly or change the hwrng via sysfs. For details, see | ||
# https://www.kernel.org/doc/Documentation/hw_random.txt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: can you wrap these to 80 chars?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
/sys/devices/virtual/misc/hw_random/rng_{available,current} r, | ||
# Allow changing the hwrng | ||
/sys/devices/virtual/misc/hw_random/rng_current w, | ||
/run/udev/data/c10:183 r, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you move this to below /dev/hwrng? It corresponds to that device and this access isn't needed for changing the hwrng. I also like to have blcnks lines before comments in policy, for readability. Eg:
+/dev/hwrng rw,
 +/run/udev/data/c10:183 r,
 +/sys/devices/virtual/misc/ r,
 +/sys/devices/virtual/misc/hw_random/rng_{available,current} r,
+
+# Allow changing the hwrng
 +/sys/devices/virtual/misc/hw_random/rng_current w,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
} | ||
|
||
func (iface *HardwareRandomControlInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool { | ||
return true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add above this 'return' (for consistency with other interfaces):
// Allow what is allowed in the declarations
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
/dev/hwrng r, | ||
/sys/devices/virtual/misc/ r, | ||
/sys/devices/virtual/misc/hw_random/rng_{available,current} r, | ||
/run/udev/data/c10:183 r, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you move this under /dev/hwrng, like above?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done :-)
} | ||
|
||
func (iface *HardwareRandomObserveInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool { | ||
return true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and add above this 'return':
// Allow what is allowed in the declarations
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also done :-)
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Allow access to the /dev/hwrng device (used in the Raspberry Pi).