Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
interfaces: fix for access denied of opengl interface #3086
Conversation
Some checks were not successful
| + # This is a fix for access denied when opengl interface is used with | ||
| + # framebuffer interface in the same snap. | ||
| + # Fix for https://bugs.launchpad.net/snapd/+bug/1675738 | ||
| + /dev/fb[0-9]* rw, |
femdom
Mar 27, 2017
Contributor
We already have these lines in the resulting apparmor profile. I doubt that it will help here.
morphis
Mar 27, 2017
Contributor
The opengl doesn't allow access to /dev/fb* at the moment. See https://github.com/snapcore/snapd/blob/master/interfaces/builtin/opengl.go
If you're using the framebuffer interface together with the opengl interface at the moment then you have /dev/fb in the resulting profile as it comes in from the framebuffer interface. In this case also udev tagging is active which prevents you from accessing any other node in /dev
The goal of this PR is to allow you using just the opengl interface and drop the framebuffer interface. This will get you away from having udev tagging in the way. In a long term fix we will convert all interfaces to use proper udev tagging.
jdstrand
Mar 27, 2017
•
Edited 1 time
-
jdstrand
Mar 27, 2017
Contributor
-
Mar 27, 2017
NAK. Please instead of changing the opengl interface to use /dev/fb* (which is unrelated to opengl), adjust the opengl interface to use udev tagging. Introducing udev tagging is not difficult. See interfaces/builtin/io_ports_control.go as an example.
UPDATE: my recommendation will fix the specific snap that prompted filing https://bugs.launchpad.net/snapd/+bug/1675738 since that snap is plugging network, opengl and framebuffer (ie, both framebuffer and opengl will be using udev tagging, so no bug for this snap).
|
I've discussed this with @jdstrand a bit more in depth on IRC and we decided to NAK this PR an tackle the problem in two phases, where phase 1 will go into the 2.24 release:
@chunsangjeong Can you start working on 1. tomorrow? We will line up work for 2. for our next sprint which starts this Friday. |
|
@morphis - thanks! Phase 1 puts the workaround in the proper place (framebuffer). Since opengl is auto-connected and framebuffer is not and because /dev/fb* gives privileged access to the console framebuffer, this PR as originally submitted would constitute a security hole (it also could break a future snap that depended on /dev/fb* that only plugged opengl while pgase 2 was being worked on). Closing this PR. Feel free to ping me when the new one for framebuffer is submitted. |
jdstrand
closed this
Mar 27, 2017
jhodapp
commented
Mar 27, 2017
|
Sounds good jdstrand. |
chunsangjeong commentedMar 27, 2017
This is a fix for access denied of opengl interface when it's used
with framebuffer interface in the same snap.
Fix for https://bugs.launchpad.net/snapd/+bug/167573
Note: It's a short term fix without using udev tags for opengl interface
at this moment, not to break app snaps which were already released with
using the current opengl interface which doesn't use udev tags.
Signed-off-by: Chunsang Jeong chunsang.jeong@canonical.com