Accessing modprobe inside a snap


#1

Hello All,

I have been building my snap in strict confinement and I’m supposed to use the modprobe binary to load and unload the modules. But I couldn’t find any slot to access the modprobe binary.

Kindly let me know if there is any slot available for the same.

Thanks!


#2

It sounds like you’re after the kernel-module-control interface. That should give access to the tools, and the permissions those tools need.

Note however that use of the interface triggers manual review if you upload such a snap to the store. So it would help to know what you are planning.


#3

$ ls -l $(which modprobe)
lrwxrwxrwx 1 root root 9 Nov 12  2018 /sbin/modprobe -> /bin/kmod

there isn’t actually a binary called modprobe :wink: only a symlink that executes the /bin/kmod binary (which is why you won’t find an interface when explicitly searching for modprobe)

as james said, there is the kernel-module-control interface allowing the loading of modules but it is reserved for use in brand stores. so not only will your snap go into manual review but it will also very likely get denied to be uploaded to the global store when using this interface.


#4

Hello @jamesh and @ogra,

Thanks for the quick replies.

So is it not possible to ship with the strict confinement if we need to use modprobe?


#5

it is possible if you use a brand store …
snap packages run on a gazillion different distributions, each of them coming with its own kernel, how would you make sure your users even have the appropriate module installed with their kernel?

brand stores are typically used by device manufacturers for Ubuntu Core images (that’s only one of many use-cases for a brand store though) where they have full control over the device, what snaps are installed and what kernel modules are available.

perhaps you should provide a little more detail about what exactly you want to do with your snap, what module you want to load, where that module would be coming from etc.


#6

Hello @ogra,

Our snap is not a public snap. It’s a private one and it will be deployed on only one machine.

So, for this, is it possible to upload with strict confinement?


#7

I’ll leave that to some store person to answer, but to my knowledge there is no difference even for private snaps since they can always turn into public ones with a mouse click …