Auto-connection of hardware-observe for webots [Was: Request for classic confinement: webots]

omichel · September 10, 2019, 8:50pm

We are developing webots (https://github.com/omichel/webots) and would like to provide a snap for it on Linux. I have created a snap with classic confinement which works fine locally and which I just pushed to snapcraft.io.

I tried hard to make it work with strict confinement, but failed mainly for the following reason: webots uses pcilib to read information on the graphics card (model, memory, etc. and deduce the OpenGL capabilities). Unfortunately, AppArmor doesn’t like it and prevents webots from reading this file in particular:

pcilib: Cannot open /sys/bus/pci/devices/0000:00:17.0/resource: Permission denied

I tried to add a plug in my snapcraft.yaml file, but that doesn’t help:

plugs:
  system-pci-read:
    interface: system-files
    read:
      - /sys/bus/pci/devices/0000:3b:00.0/resource
      - /sys/bus/pci/devices/0000:00:17.0/resource
      # - /sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/resource

apps:
  webots:
    plugs: [desktop, desktop-legacy, hidraw, joystick, wayland, unity7, x11, opengl, pulseaudio, home, network, system-observe, system-pci-read]
    desktop: usr/share/webots/resources/webots.desktop
    command: desktop-launch $SNAP/usr/share/webots/webots

Shall I give up with strict confinement and ask a review for a classic confinement? Or is there still any hope that webots could be allowed to read /sys/bus/pci?

ogra · August 28, 2019, 5:46pm

try simply using the hardware-observe plug for your app, that provides read access to /proc/bus/pci/*

omichel · August 29, 2019, 7:20am

Thank you for the hint. Unfortunately, it doesn’t help. I am still getting the very same error with the hardware-observe plug:

pcilib: Cannot open /sys/bus/pci/devices/0000:00:17.0/resource: Permission denied

ogra · August 29, 2019, 8:14am

well, is that filesystem node readable by the user executing the app ? interfaces only make the devices visible to your app, they do not mangle filesystem permissions of what you want to access.

omichel · August 29, 2019, 8:47am

Yes, I can:

$ cat /sys/bus/pci/devices/0000:00:17.0/resource
0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 0x0000000000000000
...

And my app when build in classic confinement can read it as well.
I get the error only in strict confinement (even with the hardware-observe plug).

ogra · August 29, 2019, 9:21am

hmm, this is weird, the interface has:

# files in /proc/bus/pci (eg, 'lspci -A linux-proc')
@{PROC}/bus/pci/{,**} r,

which should give you full read access to all the subdirs as i understand it … did you actually connect the plug after installing the snap using snap connect ... (it does not auto-connect) …

also … do you see any “DENIED” messages in syslog or journalctl ?

omichel · August 29, 2019, 9:58am

Yes, if I type: snap connect webots:hardware-observe, then it works! Thank you.

Sorry I am new to snap… I am not sure what this implies. Shall the user type this before they can start Webots? In such a case, it may be better to add this snap connect in the launcher of Webots, so that it is transparent to the user?

ogra · August 29, 2019, 10:18am

if this functionallity is really needed for your app you can turn this request for classic confinement into one for auto-connecting the hardware-observe interface … you can not do the connection from somewhere inside your snap (the purpose is to give the user control over what apps can do and what they can not, allowing the app developer to just connect would defeat that purpose)

it is either the manual snap connect ..., a graphical switch in the GUI software application (Ubuntu/GNOME software) or an approved auto connection that is managed by the store during installation of your snap.

ogra · August 29, 2019, 10:21am

see:

about the process …

omichel · August 29, 2019, 10:30am

I see. Thank you for the explanations.

Unfortunately, this functionality is really needed indeed as it helps to determine which OpenGL capabilities are available, including the amount of GPU RAM, before using them (choice of textures resolution, etc.).

However, I have now another problem to address (related to shared memory allocation and mapping) which I will try to solve using another plug.

So, I believe I need to prepare a snap with a strict confinement that fully works before I ask for auto-connecting the necessary plugs and provide an explanation for each of them.

So, if you agree, I will strike back on this post once everything is ready for review.

omichel · August 29, 2019, 12:03pm

Now that the hardware-observe problem is fixed, webots starts and displays the 3D view, the robot are running apparently properly. However, I get many warnings which look serious:

[0829/134159.941525:WARNING:stack_trace_posix.cc(704)] Failed to open file: /snap/core18/1074/lib/x86_64-linux-gnu/ld-2.27.so
  Error: Permission denied
[0829/134159.969768:WARNING:stack_trace_posix.cc(704)] Failed to open file: /snap/core18/1074/lib/x86_64-linux-gnu/ld-2.27.so
  Error: Permission denied
[40158:40178:0829/134159.995450:ERROR:zygote_host_impl_linux.cc(271)] Failed to adjust OOM score of renderer with pid 40188: Permission denied (13)
[40188:40188:0829/134207.381195:ERROR:broker_posix.cc(46)] Received unexpected number of handles
[40188:40188:0829/134207.381612:ERROR:command_buffer_proxy_impl.cc(101)] ContextResult::kFatalFailure: AllocateAndMapSharedMemory failed
[40188:40188:0829/134207.417918:ERROR:broker_posix.cc(46)] Received unexpected number of handles

Unfortunately I have no clue to address them. I googled a bit with these errors, but got no luck…

ogra · August 29, 2019, 12:59pm

install the snappy-debug snap … then run:

sudo journalctl --output=short --follow --all | sudo snappy-debug

then start your application from a second terminal. the debug tool should give suggestions about interfaces or possible changes to the app.

omichel · September 10, 2019, 2:28pm

I managed to get rid of most of the warnings and errors reported by snappy-debug. Remain only 4 warnings which I assume are harmless because the application behaves properly.

The only requirement I have for you is to enable auto-connection of the hardware-observe interface: snap connect webots:hardware-observe. This is really needed by the application to determine the model of the graphics card and adapt the OpenGL settings automatically from this information. Could that be an acceptable requirement?

I just pushed a new build of my app (webots) using snapcraft push for your review.

Here are the hopefully harmless warnings I get from snappy-debug:

kernel.printk_ratelimit = 0
= AppArmor =
Time: Sep 10 07:02:16
Log: apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/proc/31489/mem" pid=31489 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/31489/mem (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/mem'

= AppArmor =
Time: Sep 10 07:02:16
Log: apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/proc/31496/setgroups" pid=31496 comm="webots-bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/31496/setgroups (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/setgroups'

= AppArmor =
Time: Sep 10 07:02:17
Log: apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/proc/31497/mem" pid=31497 comm="QtWebEngineProc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/31497/mem (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/mem'

= AppArmor =
Time: Sep 10 07:02:20
Log: apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/etc/openal/alsoft.conf" pid=31489 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /etc/openal/alsoft.conf (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'system-files (see https://forum.snapcraft.io/t/the-system-files-interface for acceptance criteria)' to 'plugs'

Please let me know what do you think.

jdstrand · September 10, 2019, 9:07pm

Great!

Sure. I’ve converted this topic into a request for hardware-observe auto-connect.

+1 to auto-connect hardware-observe. @reviewers - can others vote?

Revision 4 passed automated review.

omichel:

Here are the hopefully harmless warnings I get from snappy-debug:

kernel.printk_ratelimit = 0
= AppArmor =
Time: Sep 10 07:02:16
Log: apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/proc/31489/mem" pid=31489 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/31489/mem (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/mem'

‘man proc’ has this to say about this file:

       /proc/[pid]/mem
              This file can be used to access the  pages  of  a  process's  memory
              through open(2), read(2), and lseek(2).

              Permission  to  access this file is governed by a ptrace access mode
              PTRACE_MODE_ATTACH_FSCREDS check; see ptrace(2).

We’ve not allowed this access thus far since we can’t currently limit the access to the pids of the snap and the access could allow access to sensitive information between snaps and the system. You’d have to see why your snap is accessing this to be sure it is ok (it may try, discover it can’t and fallback to other behavior).

omichel:

= AppArmor =
Time: Sep 10 07:02:16
Log: apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/proc/31496/setgroups" pid=31496 comm="webots-bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/31496/setgroups (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/setgroups'

It sounds like the snap may be trying to setup a user namespace, since it is common for an application to write to this file to disable this syscall. If your application is otherwise behaving normally, this is safe to ignore since the snap sandbox will disable unsafe use of this syscall.

omichel:

= AppArmor =
Time: Sep 10 07:02:20
Log: apparmor="DENIED" operation="open" profile="snap.webots.webots" name="/etc/openal/alsoft.conf" pid=31489 comm="webots-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /etc/openal/alsoft.conf (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'system-files (see https://forum.snapcraft.io/t/the-system-files-interface for acceptance criteria)' to 'plugs'

As mentioned in snappy-debug, you can get rid of this either by using a layout or use of system-files. In this case, perhaps have the layout point to $SNAP/etc/openal.

omichel · September 11, 2019, 10:54am

Thank you for the detailed answer. It helps a lot. I believe there are fallbacks for all these attempts to read forbidden files. So, it shouldn’t affect the behavior of my app.

omichel · September 13, 2019, 7:49pm

I just uploaded a new release (5) which fixes a couple of little glitches of the previous one (4), including the execution and compilation of C/C++/Python and Java robot controllers. I still need the auto-connection of hardware-observe for this release. So, please @reviewers, check this latest version.

omichel · September 19, 2019, 7:53am

The first vote (+1) was cast by @jdstrand 8 days ago and no other vote came meanwhile. Shall we enter the 3 day extension period now? I am looking forward to see my app available on the snap store with the auto-connection working.

jdstrand · September 25, 2019, 5:55pm

Can other @reviewers please vote for auto-connecting hardware-observe?

roadmr · September 25, 2019, 6:16pm

+1 from me; auto-connect of hardware-observe makes sense and I don’t see another way of allowing the application to check for the existing graphics card. It also seems well-targetted and rather innocuous, so there.

Daniel

jdstrand · September 25, 2019, 9:40pm

2 votes for, 0 against. Granting auto-connection of hardware-observe. This is now live.