Access to /dev/cpu/0/msr from a strict snap

toabctl · July 30, 2024, 8:42am

Hi,

I’m currently snapping snpguest. That code needs to access /dev/cpu/0/msr.

I tried to use the custom-device interface and my snapcraft.yaml looks like this:

name: snpguest
version: 0.5.1
grade: stable
confinement: strict
base: core22

slots:
  slot-cpu:
    interface: custom-device
    custom-device: dev-cpu
    devices:
      - /dev/cpu/0/msr

plugs:
  plug-cpu:
    interface: custom-device
    custom-device: dev-cpu

apps:
  snpguest:
    command: bin/snpguest
    plugs:
      - plug-cpu

parts:
  snpguest:
    plugin: rust
    source-depth: 1
    source-tag: 'v0.5.1'
    source-type: git
    source: https://github.com/virtee/snpguest

I’ll setup the connections via:

$ sudo snap connect snpguest:plug-cpu snpguest:slot-cpu
$ snap connections snpguest                            
Interface      Plug               Slot               Notes
custom-device  snpguest:plug-cpu  snpguest:slot-cpu  manual

But when I try to run the snpguest executable, it can not access the device node:

$ sudo snpguest ok                                     
[ FAIL ] - Error reading MSR: Failed to get bit values, Error Reading MSR
ERROR: One or more tests in snpguest-ok reported a failure
Error: One or more tests in snpguest-ok reported a failure

$ sudo snap run --shell snpguest                                  
# cat /dev/cpu/0/msr
cat: /dev/cpu/0/msr: Operation not permitted

Any hints how to resolve this? Or is classic the only way moving forward here?

mborzecki1 · July 30, 2024, 9:09am

You’ll need to add rules for tagging the device by udev such that it’s allowed within the sandbox. Likely something like this:

udev-tagging:
   - kernel: msr[0-9]
     subsystem: msr

Do you need write access to the device as well? If not then maybe we could simply extend hardware-observe.

toabctl · July 30, 2024, 10:44am

Tried this and a couple of other things together with @mborzecki1 but looks like it’s currently not possible to use the custom-device interface to get access to /dev/cpu/0/msr .

mborzecki1 · July 30, 2024, 11:33am

I’ve filed a bug and we’ll try to address this in snapd. TLDR, with the way validation of custom-device works, it is not possible to declare a slot such that it’s both valid and results in correct udev rules being generated for accessing /dev/cpu/[0-9]*/msr.