* interface/seccomp: add socket AF_QIPCRTR
AF_QIPCRTR (Qualcomm IPC router protocol) is used to communicate
with services provided by other hardware blocks in the system.
Snaps that access some Qualcomm hardware components need this protocol.
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* snap-seccomp: add AF_QIPCRTR and PF_QIPCRTR
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* interfaces/builtin: add qrtr
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* interfaces/builtin/qrtr: limit type to sock_dgram only
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* interfaces/builtin/qualcomm-ipc-router: rename from qrtr and add more details
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* interfaces/builtin/qualcomm-ipc-router: update tests
Signed-off-by: Robert Liu <robert.liu@canonical.com>
* sandbox/apparmor: support checking for network qipcrtr dgram parser feature
This is not a required or even preferred feature at this time; it will just be
used by one specific interface for checking. Eventually it should become a
proper feature that is queried / included in the system-key, etc., but
the rest of the machinery for this is not available yet.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: only perform the conn if the parser supports it
If the apparmor_parser on the system doesn't support the qipcrtr-socket
feature, then we shouldn't proceed with the connection of the apparmor plug.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/apparmor: expose the apparmor sandbox features through Specification
This allows interfaces to specialize their policy or behavior based on what
features are available in both the parser and the kernel.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: adjust implementation to use spec.Features()
This is the better way where the individual interface doesn't need to import
the sandbox directly and can instead get the features from the specification.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* cmd/snap-seccomp: address gofmt for 1.13
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/interfaces-many-core-provided: check on xenial, qualcomm-ipc-router fails
This interface does not work on xenial, so we should get an error message
trying to connect it.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces: rename MockSetFeatures -> MockFeatures
Thanks to Samuele for the suggestion.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: drop redundant dgram from rule
Thanks to Alex for pointing this out.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* snap-seccomp: import "github.com/mvo5/libseccomp-golang" without the "seccomp" prefix to avoid breaking the debian-sid patch
* tests: fix skip on 16.04 for qualcomm-ipc-router
* interfaces/repo: add comment about issue with AppArmorConnectedPlug failures
Explain a potential issue we are running into with the current state of the
qualcomm-ipc-router interface.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: switch to BeforePreparePlug based impl
Use BeforePreparePlug instead of AppArmorConnectedPlug since
AppArmorConnectedPlug returning non-nil error leads to an inability to process
other connection changes for that snap until snapd is restarted.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* Revert "interfaces/apparmor: expose the apparmor sandbox features through Specification"
This reverts commit bff6b6b2b5c62349e2605c199241c97a61ba6cb3.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/qualcomm-ipc-router: switch to using BeforeConnectPlug
BeforePreparePlug is actually run just when a plug is declared, not necessarily
when the plug is going to be connected. For qualcomm-ipc-router, we want to
reject the connection, not necessarily the plug by itself.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/builtin/qualcomm-ipc-router: fix method args to match interface
Also need to adjust the new interfaces.BeforeConnectPlug helper which tests
this as it was using the wrong type as well.
Thanks to Samuele for finding this.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* tests/main/interfaces-many-core-provided: fix if check for xenial to add UC16
Xenial and Ubuntu Core 16 suffer from the same problem so they both need to be
considered in this check.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
Co-authored-by: Tsunghan Liu (Robert Liu) <robert.liu@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
This should allow an access of the form:
AVC apparmor="DENIED" operation="open" profile="snap.name.app" name=/sys/devices/platform/soc@0/30800000.bus/30be0000.ethernet/net/eth0/address pid=18219 comm="vgc-bc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/interfaces/ion-memory-control: add interface for Android ION memory allocator
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
* tests: add ion-memory-control to snap.yaml and base decl tests
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/interfaces/ion-memory-control: add reference url about ion to the apparmor snippet
Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>
Co-authored-by: Ian Johnson <ian.johnson@canonical.com>
An additional Ambarella kernel driver is required to access the CV2X
processor registers, so this enables the capability to set the internal
value at run time.
Signed-off-by: Hsieh-Tseng Shen <woodrow.shen@canonical.com>
The mbim-proxy daemon is started by the ModemManager service.
The modem's app which wants to send MBIM messages will
connect to the mbim-proxy daemon via the unix socket.
The mbim-proxy daemon uses the abstract socket path
"mbim-proxy". The modem-manager interface needs a
corresponding update. This provides that update.
References:
https://bugs.launchpad.net/austin/+bug/1936374
Merge pull request #10516 from pedronis/interfaces-systemd-tweaks
This is somewhat simpler for the callers and more consistent because
the systemd backend needs to control the naming pattern to allow
update/removal anyway.
Also produce slightly more informative clashing def internal errors.
* interfaces/builtin: add sd-control interface
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/sd-control: make super-privileged and implicit on core,classic
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/sd-control: disallow slotting by app snaps in base-decl
Thanks to Samuele for spotting this error.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/policy/basedeclaration_test.go: fix base-decl tests for sd-control
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
* interfaces/sd-control: fix typo
Thanks to Michael for spotting this.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>
Without this line:
cat /sys/block/mmcblk0/device/date
results in this denial:
/sys/devices/platform/soc/3f202000.mmc/mmc_host/mmc0/mmc0:aaaa/date
See: https://forum.snapcraft.io/t/interface-for-read-info-about-sd-card/25202
After adding the line in the commit to my snap apparmor file it works:
root@srly-r7d8mg4oj4eo0go:/home/pi# sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.screenly-client.submit-report
Warning from /var/lib/snapd/apparmor/profiles/snap.screenly-client.submit-report (/var/lib/snapd/apparmor/profiles/snap.screenly-client.submit-report line 1297): Character # was quoted unnecessarily, dropped preceding quote ('') character
root@srly-r7d8mg4oj4eo0go:/home/pi# snap run --shell screenly-client.submit-report
root@srly-r7d8mg4oj4eo0go:/home/pi# cat /sys/block/mmcblk0/device/date
06/2017
Glibc 2.27 may try to access this file when creating a new arena for malloc.
This happens when glibc calls __get_nprocs() behind the scenes, and
/sys/devices/system/cpu/online is the first of the files on which open() is
attempted.
Putting this in Go context, with details outlined in
https://github.com/golang/go/issues/25628, the problem was only seen on i386
systems when binaries are built using cgo. It just so happens that
snap-update-ns needs to be built with cgo and linked statically with glibc.
Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>