Classic confinement request for hw-probe

linuxhw · September 15, 2018, 9:37pm

Hi,

I need classic confinement for hw-probe snap. See Process for reviewing classic confinement snaps.

I’ve tried to go strict with the following plugs:

plugs: [hardware-observe, mount-observe, network-observe, network-setup-observe, physical-memory-observe, system-observe, upower-observe, log-observe, home, broadcom-asic-control, opengl]

But snappy-debug.security reports:

= AppArmor =
Time: Sep 15 23:59:08
Log: apparmor="DENIED" operation="open" profile="snap.hw-probe.hw-probe" name="/sys/devices   /pci0000:00/0000:00:00.0/resource" pid=3042 comm="lspci" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/pci0000:00/0000:00:00.0/resource (read)
Suggestions:
* adjust program to not access '/sys/devices/pci0000:00/0000:00:00.0/resource'
* adjust program to not access '/sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/resource'

Also it doesn’t allow simple Perl script to run due to error:

= AppArmor =
Time: Sep 15 10:01:15
Log: apparmor="DENIED" operation="file_mmap" profile="snap.hw-probe.hw-probe" name="/usr/lib/x86_64-linux-gnu/perl-base/auto/Cwd/Cwd.so" pid=4996 comm="hw-probe" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
File: /usr/lib/x86_64-linux-gnu/perl-base/auto/Cwd/Cwd.so (mmap)

Caused by trivial use File::Copy; import in the script.

Thank you.

EDIT: We are now trying to make it strict. Most of the strict-compatibility issues have been fixed except access to hard drive smart attributes and /dev/mem.

ogra · September 17, 2018, 8:06am

are you sure that UID 1000 (your non-root user) has actual read permission for that file ? the hardware-observe interface grants already full access to that location but interfaces will indeed not change file or directory permissions (also, are you sure hardware-observe was actually connected when you ran the app ? it does not auto-connect).

linuxhw · September 17, 2018, 12:01pm

Manual connection of hardware-observe and other interfaces fixes the problem partially. How to fix second problem with loading of Perl base Cwd.so module? What interface can I use for that?

Thank you.

Lin-Buo-Ren · September 17, 2018, 12:04pm

You may alternate program behavior in runtime via the use of environment variables(if that program supports it).

Check if this launcher script work:

github.com

Lin-Buo-Ren/git-cola-snap/blob/feeb8ea892fbc59a17622397123e2078a22dd5fe/snap/launchers/perl-launch

#!/usr/bin/env bash
# This launcher setups environemnt required by Perl in snapped apps.
# 林博仁 © 2018

set \
	-o errexit \
	-o errtrace \
	-o nounset \
	-o pipefail

shopt \
	-s nullglob

paths_string_insert(){
	if test $# -ne 2; then
		printf -- \
			'%s: FATAL: Arugment quantity mismatch.\n' \
			"${FUNCNAME[0]}" \
			1>&2
		exit 1

This file has been truncated. show original

linuxhw · September 17, 2018, 1:18pm

The issue is to use Perl base Cwd.so module (and other modules) from outside the snap since I can’t ship whole Perl base distribution in the snap. I add shipped Perl modules to PERL5LIB in the snapcraft.yaml without the need to use any scripts: https://github.com/linuxhw/hw-probe/blob/master/snap/snapcraft.yaml

Thank you.

ogra · September 17, 2018, 1:23pm

So does that mean the clasasic confinement request can be closed ? (or probably turned into an interface auto-connection request instead (i.e. auto-connecting hardware-observe seems to make some sense for it)

jamesh · September 17, 2018, 1:26pm

The standard AppArmor template includes the following to support Perl modules:

# for perl apps/services
#include <abstractions/perl>
/usr/bin/perl{,5*} ixr,
# AppArmor <2.12 doesn't have rules for perl-base, so add them here
/usr/lib/@{multiarch}/perl{,5,-base}/**            r,
/usr/lib/@{multiarch}/perl{,5,-base}/[0-9]*/**.so* mr,

That last one is intended to allow executable mappings of .so modules. It doesn’t match /usr/lib/x86_64-linux-gnu/perl-base/auto/Cwd/Cwd.so though since auto doesn’t match [0-9]*. This seems like a bug in the security policy. @jdstrand: thoughts?

linuxhw · September 17, 2018, 1:37pm

One more question.

What interface should I plug to allow smartctl command to access /dev/sda?

smartctl -x /dev/sda
Smartctl open device: /dev/sda/ failed: Operation not permitted

The output of snappy-debug.security:

= AppArmor =
Time: Sep 17 16:22:23
Log: apparmor="DENIED" operation="open" profile="snap.hw-probe.hw-probe" name="/snap/core/5328/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21" pid=9120 comm="smartctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/core/5328/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21 (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Sep 17 16:22:23
Log: apparmor="DENIED" operation="open" profile="snap.hw-probe.hw-probe" name="/snap/core/5328/lib/x86_64-linux-gnu/libgcc_s.so.1" pid=9120 comm="smartctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/core/5328/lib/x86_64-linux-gnu/libgcc_s.so.1 (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Sep 17 16:22:23
Log: apparmor="DENIED" operation="open" profile="snap.hw-probe.hw-probe" name="/snap/core/5328/lib/x86_64-linux-gnu/libc-2.23.so" pid=9120 comm="smartctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/core/5328/lib/x86_64-linux-gnu/libc-2.23.so (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Sep 17 16:22:23
Log: apparmor="DENIED" operation="open" profile="snap.hw-probe.hw-probe" name="/snap/core/5328/lib/x86_64-linux-gnu/libm-2.23.so" pid=9120 comm="smartctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/core/5328/lib/x86_64-linux-gnu/libm-2.23.so (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

Thank you.

Lin-Buo-Ren · September 17, 2018, 2:15pm

Why not?

AFAICT currently there are no interfaces that allow access to internal block devices (yet), so this is a proper reason for classic confinement.

ogra · September 17, 2018, 2:16pm

while there is no interface that grants direct disk access, these messages from snappy-debug are extremely strange given it tries to open libs that it should always be allowed to read … perhaps @jdstrand (who has already been summoned above but is at a sprint this week i think) has an idea here why it thinks you should not be able to read libc or libm

linuxhw · September 18, 2018, 8:43am

Let’s go with classic confinement for now.

strict confinement cannot be used due to 3 remaining issues:

SMART attributes for hard drives cannot be collected for now. It’s very important for my current study: https://github.com/linuxhw/SMART
Perl base modules from /usr/lib/x86_64-linux-gnu/perl-base/auto/ are currently denied to load. This blocks execution of the program.
The tool is intended to collect hardware operability details and system logs from the outside system. If it runs in the strict mode then it always detects Ubuntu Core instead (from /etc/os-release). I need a way to get content of outer /etc/os-release somehow.

Thank you.

ogra · September 18, 2018, 9:02am

note that these perl modules might not exist in future core snaps, while (as @jamesh pointed out) currently a bug prevents you from using it, your snap should always ship all necessary bits in the snap anyway… there is no gurantee that perl-base will be in any future core snaps.

the system-observe interface provides access to /var/lib/snapd/hostfs/etc/os-release which is the host system os-release …

Regarding the SMART access, we probably need a new interface to provide this … this is up to @jdstrand to decide though …

linuxhw · September 19, 2018, 6:02am

I’ve included perl-base to the snap and now it works almost fine. So let’s make it strict with the hope to improve probes by smartctl and hdparm outputs someday: https://snapcraft.io/hw-probe

Can I request to auto-connect all required interfaces?

hardware-observe
mount-observe
network-observe
physical-memory-observe
system-observe
upower-observe
log-observe
kernel-module-control
raw-usb
home

Thanks a lot!

jdstrand · September 19, 2018, 8:34am

Most of the *-observe seem reasonable for this snap. Can you comment on the following:

why is physical-memory-observe required? This is quite an information leak
why is log-observe required?
why is kernel-module-control required? This granted device ownership to the snap?
why is raw-usb required?
why is home required?

Please give very specific details on the required accesses (eg, down to executed commands with arguments). I suspect there might be some improvements to existing interfaces…

linuxhw · September 19, 2018, 9:21am

why is physical-memory-observe required? This is quite an information leak

It’s not used anymore… Removing from the snap.

why is log-observe required?

The tool collects Xorg.0.log to check if graphics card works properly. It’s depersonalized before collecting. See https://github.com/linuxhw/hw-probe#privacy and https://github.com/linuxhw/hw-probe/blob/master/hw-probe.pl#L4856.

why is kernel-module-control required? This granted device ownership to the snap?

I’ve tried this interface to get output of lsmod command. It’s used to check if kernel modules are successfully loaded for particular hardware devices (e.g. if nvidia module is loaded and used by other modules). I don’t need to load any modules.

why is raw-usb required?

This is needed to get output of lsusb -v command to avoid the following error:

Couldn't open device, some information will be missing

why is home required?

The tool saves system analysis report to the HOME directory. User can refer to the report in future in the case of a system failure. I’m thinking about replacing it to SNAP_USER_COMMON and removing this dangerous interface from the snap. Is SNAP_USER_COMMON cleared after removing the snap?

Also the log Xorg.0.log can be found in the $HOME/.local/share/xorg/ directory in several Ubuntu versions, but it’s a rare case.

Thank you.

linuxhw · September 21, 2018, 8:55am

physical-memory-observe is required to get output of biosdecode. Adding it back to snap.

home is not needed anymore. Using SNAP_USER_COMMON instead.

Final list of required interfaces:

hardware-observe
mount-observe
network-observe
system-observe
upower-observe
log-observe
raw-usb
physical-memory-observe
opengl (due to What interface I need to run lsmod?)

Waiting for How to launch sudo snap in Ubuntu Software? to be solved to allow my snap to be launched from the graphical installer (Ubuntu Software).

Thank you.

jdstrand · September 24, 2018, 7:56pm

hardware-observe is meant to have some support for lsusb. What specific denials do you see when hardware-observe is connected but raw-usb is not?

linuxhw · September 25, 2018, 5:34am

hardware-observe + raw-usb vs hardware-observe lsusb diff:

No power consumption details
No Manufacturer names

Diff:

 --- lsusb.orig	2018-09-25 08:25:28.491309180 +0300
 +++ lsusb.new	2018-09-25 08:25:50.946069454 +0300
 @@ -1,3 +1,6 @@
 +Couldn't open device, some information will be missing
 +Couldn't open device, some information will be missing
 +
  Bus 001 Device 002: ID 80ee:0021 VirtualBox USB Tablet
  Device Descriptor:
    bLength                18
 @@ -10,8 +13,8 @@
    idVendor           0x80ee VirtualBox
    idProduct          0x0021 USB Tablet
    bcdDevice            1.00
 -  iManufacturer           1 VirtualBox
 -  iProduct                3 USB Tablet
 +  iManufacturer           1 
 +  iProduct                3 
    iSerial                 0 
    bNumConfigurations      1
    Configuration Descriptor:
 @@ -54,8 +57,6 @@
            Usage Type               Data
          wMaxPacketSize     0x0008  1x 8 bytes
          bInterval              10
 -Device Status:     0x0000
 -  (Bus Powered)
  
  Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
  Device Descriptor:
 @@ -69,9 +70,9 @@
    idVendor           0x1d6b Linux Foundation
    idProduct          0x0001 1.1 root hub
    bcdDevice            4.15
 -  iManufacturer           3 Linux 4.15.0-34-generic ohci_hcd
 -  iProduct                2 OHCI PCI host controller
 -  iSerial                 1 --
 +  iManufacturer           3 
 +  iProduct                2 
 +  iSerial                 1 
    bNumConfigurations      1
    Configuration Descriptor:
      bLength                 9
 @@ -103,30 +104,4 @@
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0002  1x 2 bytes
 -        bInterval             255
 -Hub Descriptor:
 -  bLength              11
 -  bDescriptorType      41
 -  nNbrPorts            12
 -  wHubCharacteristic 0x0002
 -    No power switching (usb 1.0)
 -    Ganged overcurrent protection
 -  bPwrOn2PwrGood        0 * 2 milli seconds
 -  bHubContrCurrent      0 milli Ampere
 -  DeviceRemovable    0x00 0x00
 -  PortPwrCtrlMask    0xff 0xff
 - Hub Port Status:
 -   Port 1: 0000.0103 power enable connect
 -   Port 2: 0000.0100 power
 -   Port 3: 0000.0100 power
 -   Port 4: 0000.0100 power
 -   Port 5: 0000.0100 power
 -   Port 6: 0000.0100 power
 -   Port 7: 0000.0100 power
 -   Port 8: 0000.0100 power
 -   Port 9: 0000.0100 power
 -   Port 10: 0000.0100 power
 -   Port 11: 0000.0100 power
 -   Port 12: 0000.0100 power
 -Device Status:     0x0001
 -  Self Powered
 \ No newline at end of file
 +        bInterval             255
 \ No newline at end of file

chipaca · September 25, 2018, 9:55am

can you also show us the denials you get with without raw-usb?

linuxhw · September 26, 2018, 4:44pm

Could you please explain the question. What’s the difference with the question Classic confinement request for hw-probe?

Thank you.