This adds the appropriate AppArmor and UDEV rules and accompanying tests
for using the GPU on NXP i.MX platforms that use the Vivante GPU
driver.
Signed-off-by: Isaac True <isaac.true@canonical.com>
Allow read access to the thermal sysfs from the hardware-observe
interface. See Documentation/driver-api/thermal/sysfs-api.rst in the
kernel for reference.
AppArmor is very strict when it comes to specifying the target of a
mount rule: when the mount refers to a directory, the target *must* end
with a "/", or AppArmor will block the operation. We did not catch this
in our tests because we have always ended our "where" attributes
with a "**", which also matches slashes.
So, we update the rule to allow for an optional "/" at the end of the
mount target specification; note that our regular expression for the
validation of the mount target attribute is written in such a way that
an ending slash is not allowed. For the time being this seems proper,
because we don't want to expose this subtlety to the developer.
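To make the trailing-slash subtlety concrete, here is an added Go example (not snapd's own code): a validation pattern for the mount target attribute that rejects a trailing slash and AppArmor glob characters, plus a rule renderer that appends `{,/}` to the target so the generated AppArmor mount rule matches the directory whether or not the mounting process names it with a trailing "/". The regex, the `options=(rw)` list and the quoting are assumptions made for the illustration; `{,/}` is used instead of `**` precisely because `**` would also match everything below the directory.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
)

// mountTargetRe is the validation pattern assumed for this example: an
// absolute path of plain segments, with no trailing slash and none of
// AppArmor's glob metacharacters. A trailing "/" fails to match because
// the final segment must be non-empty.
var mountTargetRe = regexp.MustCompile(`^/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*$`)

// ValidateMountTarget accepts only targets the pattern above permits and
// that are already in canonical form (no "." or ".." segments).
func ValidateMountTarget(target string) error {
	if !mountTargetRe.MatchString(target) {
		return fmt.Errorf("invalid mount target %q: must be an absolute path without trailing slash or glob characters", target)
	}
	if filepath.Clean(target) != target {
		return fmt.Errorf("invalid mount target %q: not a clean path", target)
	}
	return nil
}

// MountRule renders an AppArmor mount rule for the given source and target.
// The target carries a "{,/}" alternation so the rule matches whether the
// mounting process names the directory with or without a trailing slash.
// The rule shape (options, quoting) is illustrative, not snapd's exact output.
func MountRule(source, target string) (string, error) {
	if err := ValidateMountTarget(target); err != nil {
		return "", err
	}
	return fmt.Sprintf(`mount options=(rw) "%s" -> "%s{,/}",`, source, target), nil
}

func main() {
	// Constructed sample targets: one valid, then trailing slash, glob, and unclean path.
	for _, target := range []string{"/mnt/data", "/mnt/data/", "/mnt/**", "/mnt/./data"} {
		rule, err := MountRule("/dev/sda1", target)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("rule:", rule)
	}
}
```

The developer-facing attribute stays strict (no trailing slash accepted), while the emitted rule is the permissive one, which is the split the commit describes.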
This is a small followup for PR#11590 - it makes the code in
getPath() a bit more linear and adds some more tests for (uncommon)
error conditions. A small typo in `validatePath()` was found and
fixed this way too.
* interfaces: posix-mq: add new interface
- Add support for a new posix-mq interface, including AppArmor and seccomp
rules. This allows creating, sending, and receiving IPC messages over POSIX
message queues between snaps.
- Remove commented out seccomp rules for POSIX message queues in template.go
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: updated static information
- Added a declaration for plugs to allow snaps from the same publisher to automatically connect
- Added slot declaration to static information
- Changed slot to disallow auto connections by default
- Allow slot installation for all snap types
- Remove implicit interfaces
Signed-off-by: Isaac True <isaac.true@canonical.com>
* apparmor: add feature detection for POSIX message queues
Check if the AppArmor implementation supports the "mqueue" keyword.
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: extend validation and testing
- Permissions are now also validated in the BeforePrepare* functions
- Check if the AppArmor system supports the mqueue feature
- Extend unit tests to also check that unwanted permissions are not included
- Additionally change mq_notify syscall to be included when the read permission is used
Signed-off-by: Isaac True <isaac.true@canonical.com>
* apparmor: update unit tests to include mqueue feature detection
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: extend MQ path validation
- Ensure the given path is not an AppArmor regex and is a clean path
- Surround the path with quotes in the AppArmor rule
- Update unit tests with the new validation
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: remove unneeded aliases
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: mark slot as super-privileged
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: update path handling
- If the path does not begin with '/', add a '/'
- Use the name of the slot as the path if no path has been given
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: remove get/setattr
These permissions are not supported by AppArmor
* interfaces: posix-mq: remove redundant connected slot rule
Additionally, indent the AppArmor rules
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: add open permission
* interfaces: posix-mq: update AppArmor snippet generation
- The permanent slot snippet is now generated from the complete list of
available permissions, rather than hard-coded specific permissions.
- Append open to the connected plug permissions array rather than directly
entering it into the snippet.
- Update unit tests to reflect new changes.
Signed-off-by: Isaac True <isaac.true@canonical.com>
* tests: add posix-mq to interfaces-many-snap-provided
* interfaces: posix-mq: replace function with strutil.ListContains
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: mock AppArmor feature in unit tests
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: add posix-mq test cases to base declaration tests
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: change test variable names to reflect test cases
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: improve comments and error messages
- Remove slot name from error messages
- Standardise comment format
- Additionally remove permission validation from BeforePreparePlug as the permissions are configured in the slot
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: add additional unit tests and rework permission parsing
- Test to ensure that the path attribute is a string
- Test that the permissions attribute only contains valid permissions
- Add functionality and unit test to ensure that the permissions attribute is a list of strings
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: rename path attribute to "posix-mq"
This change brings the interface in line with other interfaces which
also use paths.
Signed-off-by: Isaac True <isaac.true@canonical.com>
* Revert "interfaces: posix-mq: rename path attribute to "posix-mq""
This reverts commit 47b9e5f72a84b085784c6e21eeadf4adb26978b5.
* interfaces: posix-mq: add "posix-mq" label attribute
This adds an additional attribute called "posix-mq" which can be used to
help identify which plugs should connect to which slots, similar to the
`shared-memory` interface.
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: validate posix-mq attribute in BeforePreparePlug
Additionally add more unit tests to validate posix-mq label handling.
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: improve unit tests by checking for explicit errors
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: various code cleanups to improve readability
Signed-off-by: Isaac True <isaac.true@canonical.com>
* interfaces: posix-mq: fix unit test not being run
- Additionally check for an explicit error
Signed-off-by: Isaac True <isaac.true@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
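The path handling and permission rules described in the posix-mq commits above (leading slash added, slot name as fallback, no AppArmor pattern characters, clean path, quoted rule, mq_notify tied to the read permission) can be illustrated with the following added Go example. It is not snapd's code: the permission-to-syscall map, the glob-character set and the rule text are assumptions made for the example, and the single-slash check on the queue name is taken from mq_overview(7), which requires names of the form "/somename".

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// appArmorGlobChars are the characters AppArmor treats as pattern
// metacharacters in a path; a queue name must contain none so the rule
// matches exactly one queue. (Set assumed for this example.)
const appArmorGlobChars = `*?[]{}^"`

// mqPermissions maps each permission accepted in the slot's "permissions"
// list to the seccomp syscalls it unlocks. The mapping is an assumption made
// for this example; "read" deliberately includes mq_notify, matching the
// change described in the commits above, and getattr/setattr are omitted
// as they were removed there.
var mqPermissions = map[string][]string{
	"create": {"mq_open"},
	"open":   {"mq_open"},
	"read":   {"mq_timedreceive", "mq_notify"},
	"write":  {"mq_timedsend"},
	"delete": {"mq_unlink"},
}

// NormalizeMQPath applies the path handling from the commits above: an empty
// path falls back to the slot name, a missing leading "/" is added, and the
// result must be a clean, glob-free queue name with a single slash.
func NormalizeMQPath(slotName, p string) (string, error) {
	if p == "" {
		p = slotName
	}
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	if strings.ContainsAny(p, appArmorGlobChars) {
		return "", fmt.Errorf("posix-mq path %q contains AppArmor pattern characters", p)
	}
	if path.Clean(p) != p || p == "/" {
		return "", fmt.Errorf("posix-mq path %q is not a clean path", p)
	}
	if strings.Count(p, "/") != 1 {
		return "", fmt.Errorf("posix-mq path %q must be a single name after the leading slash", p)
	}
	return p, nil
}

// validatePerms rejects unknown or duplicated permissions and returns them
// sorted, so the generated rule is deterministic.
func validatePerms(perms []string) ([]string, error) {
	seen := map[string]bool{}
	for _, perm := range perms {
		if _, ok := mqPermissions[perm]; !ok {
			return nil, fmt.Errorf("unsupported posix-mq permission %q", perm)
		}
		if seen[perm] {
			return nil, fmt.Errorf("duplicate posix-mq permission %q", perm)
		}
		seen[perm] = true
	}
	out := append([]string(nil), perms...)
	sort.Strings(out)
	return out, nil
}

// MQueueRule renders the AppArmor rule for a connected plug: the queue name
// is quoted and only the validated permissions appear.
func MQueueRule(perms []string, mqPath string) (string, error) {
	sorted, err := validatePerms(perms)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`mqueue (%s) type=posix "%s",`, strings.Join(sorted, " "), mqPath), nil
}

// SeccompSyscalls returns the sorted, de-duplicated syscalls the permissions
// require; a profile granting only "read" must not allow mq_timedsend.
func SeccompSyscalls(perms []string) ([]string, error) {
	sorted, err := validatePerms(perms)
	if err != nil {
		return nil, err
	}
	set := map[string]bool{}
	for _, perm := range sorted {
		for _, sc := range mqPermissions[perm] {
			set[sc] = true
		}
	}
	var out []string
	for sc := range set {
		out = append(out, sc)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed sample slot: name "telemetry", path attribute without a leading slash.
	p, err := NormalizeMQPath("telemetry", "sensor-data")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	rule, _ := MQueueRule([]string{"read", "open"}, p)
	syscalls, _ := SeccompSyscalls([]string{"read", "open"})
	fmt.Println(rule)
	fmt.Println(strings.Join(syscalls, " "))
	_, err = NormalizeMQPath("telemetry", "/sensor-*")
	fmt.Println("glob path:", err)
}
```

The point of checking against the sorted, validated list in both generators is the one the unit-test commits make: the test for a read-only slot can assert that mq_timedsend and the write permission are absent, not merely that the wanted ones are present.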
This is needed for microceph as ceph-osd requires locking the block
device it's using. As that's a pretty common pattern for software
writing to block devices, it's reasonable to just extend the existing
interface to allow it.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This interface is intended to provide some additional permissions needed by the steam snap.
At present, this is primarily AppArmor and seccomp rules to allow Steam to launch pressure-vessel containers, which it uses to provide a consistent runtime environment to some games (at the moment mainly Windows games it runs under Proton/Wine). PV is based on Bubblewrap, as used by Flatpak and various other process sandboxes on GNOME systems.
Related to getting Steam games to run, I've added the futex_waitv syscall to the base template. Although the Ubuntu kernels don't yet support this syscall, we want to let Proton try to call it so it will fall back to the old futex API. As this has essentially the same security concerns as the existing futex syscalls, it seemed sensible to add it to the base template rather than the steam-support interface.
snap-seccomp knows about this syscall as of 15th April, when PR #11674 was merged.
* interfaces: add a steam-support interface with permissions needed to set up pressure-vessel containers
* interfaces/seccomp: add futex_waitv to the base template
This is a new syscall used to wait on multiple futexes at once, and
Wine/Proton will attempt to use it if the kernel supports it. Blocking
access prevents it from falling back to the other futex related
syscalls.
* tests: add steam-support to policy snap
* interfaces: limit proc access to same owner in steam interface
* interfaces: lock down the remount AppArmor rules for steam-support
* interfaces: allow pressure-vessel to mount tmpfs to mask certain directories
* interfaces/policy: add base declaration tests for steam-support