Classic confinement for bcachectl

bcachectl deals with bcache devices. It needs access to various system-level dirs; some could be accessed with interfaces/layouts (e.g. config files in /etc, and block devices), but there are many that cannot. For example, it makes heavy use of bcache kernel interfaces in /sys/block//bcache (read and write). These are not known in advance since the device name is not known in advance and changes from system to system.

Hey @rafalop, according to Process for reviewing classic confinement snaps, Classic requests should fall under at least one of the supported categories. Could you please clarify if bcachectl fits within any of the supported categories? Thanks.

I cannot see that it fits in any supported category. It is a low level system level tool requiring write access to files in /dev, and also files in /sys that are not known in advance of invoking the tool, so I cannot use the system files interface for this reason.

Although it does not fit in a category that I can see, it does fit the mentioned criteria:

"This lists some criteria that might require classic (non-exhaustive):

  • access to files on the host outside the snap’s runtime (eg, /usr) …"

i.e. bcachectl needs access to files on the host outside the snap’s runtime (/dev/, /sys) in order to be able to manage bcache devices.

After having a conversation with the team (@alexmurray), and since the snap does not fit in any supported category for classic confinement, we recommend getting in touch with the snapd team and discussing the issue with them further (e.g. the possibility of solving this issue with a potentially new interface). Thanks.


@rafalop hey,

Did you have a chance to discuss this request with the snapd team as suggested?

@emitorino yes, they recommended that I submit a new interface (PR) for snapd. I started working on it but encountered some issues while testing it and haven’t had a chance to finish.


@rafalop thanks for the status update. Ping us here if you need anything from the reviewers team.

I will keep this request open in the meantime.

Thanks!

Hey @rafalop,

Did you make any progress with the interface PR? Thanks!

Hello @emitorino, I submitted the PR over the weekend. Can you help me get it reviewed?

https://github.com/snapcore/snapd/pull/13523

@rafalop apologies for the delay.

I see @alexmurray left some comments and then you also answered… so pinging @alexmurray again to see if he can continue the security review. Also @jslarraz might be able to help :)

Thanks!