cmd/snap-confine: bring /lib/firmware from the host #7104
Conversation
The kernel will use the mount namespace of the invoking process to auto-load firmware on demand. On core18 systems or on systems using core and core18 base snap apps the /lib/firmware directory is empty present, causing issues with CUDA and some wifi stacks. This patch fixes this Fixes: https://bugs.launchpad.net/snapd/+bug/1821023 Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
There was a problem hiding this comment.
Assuming tests pass, this looks fine. It is curious that the kernel looks at the namespace of the invoking process for firmware load, but not for module load (as discussed in #7053 (comment)). It seems this should be consistent and possibly a bug for the /lib/firmware case (why wouldn't it load from the host for firmware?).
|
This PR is only exposing /lib/firmware from the host to the snap's runtime environment, which is correcting the weird behavior of the kernel (and the snap doesn't have access to /lib/firmware otherwise). That said, we should blacklist /lib/firmware in layouts so that a snap can't provide firmware itself and then trigger an autoload. UPDATE: I verified we are already blacklisting /lib/firmware |
|
I force pushed to add the apparmor permission. Sorry about that, didn't think about it up front. |
Codecov Report
@@ Coverage Diff @@
## master #7104 +/- ##
==========================================
- Coverage 80.4% 80.39% -0.01%
==========================================
Files 627 627
Lines 49081 49081
==========================================
- Hits 39462 39459 -3
- Misses 6570 6573 +3
Partials 3049 3049
Continue to review full report at Codecov.
|
|
I will need to add the corresponding SELinux permission as well: |
pedronis
dismissed
jdstrand’s stale review
it's unclear if the last sate of the PR was reviewed
|
I pushed the SELinux update but ideally someone knowledgable in this area would double check. |
| @@ -468,6 +469,7 @@ allow snappy_confine_t etc_t:file mounton; | |||
| allow snappy_confine_t home_root_t:dir mounton; | |||
| allow snappy_confine_t ifconfig_var_run_t:dir mounton; | |||
| allow snappy_confine_t modules_object_t:dir mounton; | |||
| allow snappy_confine_t lib_t:dir mounton; | |||
There was a problem hiding this comment.
Is this enough for this functionality to work? It looks okay, but I’m not sure if mounton implies that you can read the stuff inside once it is mounted inside. We did this with several other types, so…
There was a problem hiding this comment.
Thanks! It seems to be enough, our tests are happy but maybe they are not deep enough - I am inclined to use as is and let @stolowski review later and tweak policy and tests if needed.
| @@ -193,6 +193,9 @@ | |||
| mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/, | |||
| mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/modules/, | |||
|
|
|||
| mount options=(rw rbind) {,/usr}/lib{,32,64,x32}/firmware/ -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/, | |||
| mount options=(rw rslave) -> /tmp/snap.rootfs_*{,/usr}/lib/firmware/, | |||
There was a problem hiding this comment.
Why are we allowing these to be mounted as read-write? These should be only read-only mounted.
There was a problem hiding this comment.
Good catch! I think we need to talk to @zyga because e.g. the modules are probably also fine to be mounted RO.
There was a problem hiding this comment.
I think the mount options are not super accurate as in, they are not really respected the way they should be. I will look at a pass that changes most of them to read only.
The kernel will use the mount namespace of the invoking process to
auto-load firmware on demand. On core18 systems or on systems using core
and core18 base snap apps the /lib/firmware directory is empty present,
causing issues with CUDA and some wifi stacks. This patch fixes this
Fixes: https://bugs.launchpad.net/snapd/+bug/1821023
Signed-off-by: Zygmunt Krynicki me@zygoon.pl