Change SD-Core UPF snap confinement to classic

Hello,

Can we please change the sdcore-upf snap confinement from devmode to classic?

The User Plane Function (UPF) in a 5G network is the component responsible for routing user plane traffic. Here the source code uses DPDK and requires full network control to route packets. The current available plugs are not enough for it to function correctly (ref here).

Thank you,

The network-control interface should actually give you full capabilities to manage every aspect of the network stack. Is there anything missing that might need to be added to it additionally?

Note that classic confinement will only be granted to snaps that fit into one of the “supported” categories on:

Which category would your snap fit in?

If we can find a way to use plugs and strictly confine the snap I would be happy, but this hasn’t worked so far. With the following plugs enabled:

plugs:
  var-run:
    interface: system-files
    write:
    - /var/run/bessd.pid
    - /run/bessd.pid

apps:
  bessd:
    daemon: simple
    install-mode: disable
    command: bin/bessd-start
    plugs:
      - var-run
      - io-ports-control
      - network-control

We would get those AppArmor logs:

= AppArmor =
Time: 2024-02-01T12:5
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=2134867 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)

As for the category, I’m not sure where it fits. This is a 5G user plane network traffic router.

Well, did you actually connect the network-control interface using the snap connect ... command? It does not auto-connect …

Hi @ogra , yes I did connect the interfaces.

The snapcraft reference is here.

Those are the application logs:

2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: EAL: Failed to create thread for interrupt handling
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: EAL: FATAL: Cannot init interrupt-handling thread
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: EAL: Cannot init interrupt-handling thread
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: F0606 10:04:26.300964 2605238 dpdk.cc:172] rte_eal_init() failed: ret = -1 rte_errno = 1 (Operation not permitted)
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: *** Check failure stack trace: ***
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: F0606 10:04:26.305177 2605238 debug.cc:407] Backtrace (recent calls first) ---
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (0): /snap/sdcore-upf/x1/bin/bessd(+0x2012f2) [0x6246c9b982f2]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (1): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess8InitDpdkEi+0x72) [0x6246c9b98542]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (2): /snap/sdcore-upf/x1/bin/bessd(_ZN4bess10PacketPool18CreateDefaultPoolsEm+0x39) [0x6246c9bb6109]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (3): /snap/sdcore-upf/x1/bin/bessd(main+0x243) [0x6246c9b5f593]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (4): /lib/x86_64-linux-gnu/libc.so.6(+0x29d8e) [0x7849da2e3d8e]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (5): /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x7e) [0x7849da2e3e3e]
2024-06-06T10:04:26-04:00 sdcore-upf.bessd[2605238]: (6): /snap/sdcore-upf/x1/bin/bessd(_start+0x23) [0x6246c9b792c3]

And those are the snappy-debug logs:

= Seccomp =
Time: 2024-06-06T10:0
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2608284 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x70b9552e3531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= AppArmor =
Time: 2024-06-06T10:0
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" pid=2608296 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)
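One way to triage the two kinds of snappy-debug entries quoted in this thread (the AppArmor capability denial after the snapcraft.yaml earlier, and the seccomp plus AppArmor pair just above) is to parse them and decide, per entry, whether a plug change can help at all. The script below is an added example, not code from the thread or from the sdcore-upf project. It assumes the snap name sdcore-upf and the three plugs declared for the bessd app in the quoted snapcraft.yaml, and it relies on snapd's naming convention that interface plugs only alter the snap's own app profiles (snap.<snap>.<app>), not the snap-confine launcher profile. The sample input is the two entries quoted above, embedded as constructed input so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input: the two snappy-debug entries quoted in the thread
# above, pasted verbatim so the script runs offline.
SAMPLE_LOG = """\
= Seccomp =
Time: 2024-06-06T10:0
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.sdcore-upf.bessd pid=2608284 comm="eal-intr-thread" exe="/snap/sdcore-upf/x1/bin/bessd" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x70b9552e3531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= AppArmor =
Time: 2024-06-06T10:0
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21759/usr/lib/snapd/snap-confine" pid=2608296 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing (https://launchpad.net/bugs/1465724)
"""

# Plugs declared for the bessd app in the snapcraft.yaml quoted earlier in the thread.
DECLARED_PLUGS = ["var-run", "io-ports-control", "network-control"]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PLUGS_RE = re.compile(r"add one of '([^']*)' to 'plugs'")


@dataclass
class Denial:
    kind: str                 # "AppArmor" or "Seccomp"
    profile: str              # AppArmor profile= or seccomp subj=
    comm: str                 # process name that was denied
    detail: str               # capability name or syscall name
    suggested_plugs: List[str] = field(default_factory=list)

    def is_app_profile(self, snap: str) -> bool:
        # Assumption (snapd convention): plugs only alter the snap's own app
        # profiles, named snap.<snap>.<app>; snap-confine has a separate profile.
        return self.profile.startswith(f"snap.{snap}.")


def parse_snappy_debug(text: str) -> List[Denial]:
    """Parse snappy-debug output into one Denial per '= Kind =' block."""
    denials: List[Denial] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = re.match(r"=\s*(\w+)\s*=", lines[0])
        if not head:
            continue
        fields: Dict[str, str] = {}
        detail = ""
        plugs: List[str] = []
        for line in lines[1:]:
            if line.startswith("Log:"):
                # key=value pairs, quoted or bare; unquoted tokens like
                # 203(sched_setaffinity) carry no '=' and are skipped.
                for key, raw, quoted in KV_RE.findall(line[4:]):
                    fields[key] = quoted if raw.startswith('"') else raw
            elif line.startswith(("Capability:", "Syscall:")):
                detail = line.split(":", 1)[1].strip()
            else:
                m = PLUGS_RE.search(line)
                if m:
                    plugs = [p.strip() for p in m.group(1).split(",")]
        # AppArmor entries carry profile=, seccomp entries carry subj=.
        profile = fields.get("profile") or fields.get("subj", "")
        denials.append(Denial(head.group(1), profile, fields.get("comm", ""), detail, plugs))
    return denials


def triage(denials: List[Denial], snap: str, declared: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, detail, verdict) per denial, deciding whether a plug change can help."""
    verdicts = []
    for d in denials:
        if not d.is_app_profile(snap):
            verdict = "logged against the launcher profile, not the app profile that plugs modify"
        elif any(p in declared for p in d.suggested_plugs):
            verdict = "a suggested plug is already declared: check it is connected (snap connections)"
        elif d.suggested_plugs:
            verdict = "add one of: " + ", ".join(d.suggested_plugs)
        else:
            verdict = "no plug suggested; follow the snappy-debug note"
        verdicts.append((d.kind, d.detail, verdict))
    return verdicts


if __name__ == "__main__":
    for kind, detail, verdict in triage(parse_snappy_debug(SAMPLE_LOG), "sdcore-upf", DECLARED_PLUGS):
        print(f"{kind:8} {detail:18} {verdict}")
```

Run against the quoted entries, the net_admin denial is attributed to the snap-confine profile (profile="/snap/snapd/.../snap-confine", comm="snap-confine") rather than to snap.sdcore-upf.bessd, so the script reports it as a launcher-profile denial that declaring or connecting network-control cannot change; the sched_setaffinity seccomp entry is the only one logged against the app's own profile, and snappy-debug offers no plug for it.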