[revoked] Classic confinement request for the unofficial RyzenAdj snap

Dear @reviewers, @advocacy team, and snappy @architects,

I would like to request classic confinement for my unofficial RyzenAdj snap (should be under https://snapcraft.io/ryzenadj after the pending snap name registration), according to the process for reviewing classic confinement snaps.

Recipe source: https://gitlab.com/brlin/ryzenadj-snap

Reasoning

Requires write access to the /devices/pci0000:00/0000:00:00.0/config sysfs file

This utility adjusts power management settings for AMD Ryzen Mobile Processors. It requires write access to the /devices/pci0000:00/0000:00:00.0/config sysfs file to function.

$ sudo ryzenadj --info
pcilib: Cannot open /sys/bus/pci/devices/0000:00:00.0/config
pcilib: Cannot open /sys/bus/pci/devices/0000:00:00.0/config
pcilib: Cannot open /sys/bus/pci/devices/0000:00:00.0/config
pcilib: Cannot open /sys/bus/pci/devices/0000:00:00.0/config
pcilib: Cannot open /sys/bus/pci/devices/0000:00:00.0/config
PCI Bus is not writeable, check secure boot
Faild to get SMU, SMU_TYPE: 0
Unable to get MP1 SMU Obj
Unable to init ryzenadj

snappy-debug output:

= AppArmor =
Time:  9月 06 00:39:19
Log: apparmor="DENIED" operation="open" class="file" profile="snap.ryzenadj.ryzenadj" name="/sys/devices/pci0000:00/0000:00:00.0/config" pid=379173 comm="ryzenadj" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
As a result, the snap is not likely to be strictly confined as of now and requires classic confinement.

Thanks in advance!

Classic is not a pressure relief valve: it isn’t really meant to be used for cases where confinement WOULD work, except that an interface doesn’t currently cover the level of access needed. Classic is intended for applications that fit within a specific set of categories, to which you’ve already linked. In my view, this application doesn’t really fit into any of them, it just needs an interface that allows the access it requires. In other words, I’d say it falls into the “difficulty making strict confinement work” unsupported section. To be completely clear, I have not confirmed that the level of access required is not covered under an existing interface, but if that is the case, I’m sure the snapd team would be happy to entertain such a feature request.


@kyrofa is correct - for this case I suggest you look into using something like the custom-device interface, which allows you to declare a slot (and plug) in your app to provide this specific access.


Thanks for the advice, however, according to the documentation of the custom-device interface this interface is only supported on Ubuntu Core systems, which are unlikely to be the packaged software’s target audience.

Thanks for the correction! I tend to forget how classic confinement is meant to be used despite having read the process document several times.

I’ve filed a feature request post against snapd:

Request revoked due to the app’s unsupported nature.

FWIW this interface can be used on classic systems, and it does say:

Under specific and appropriate circumstances, it is possible to define the slot directly from the consuming application itself, together with the plug, which is an acceptable approach for applications that will be widely distributed but support very specific hardware.

So I still think this could be a good solution (at least until a more specific interface is available in snapd).

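As an added illustration of the approach suggested in the replies above (this is not taken from the requester's recipe), here is a snapcraft.yaml fragment that declares a custom-device slot and its plug in the same snap, granting write access only to the sysfs file named in the AppArmor denial. The slot/plug name ryzenadj-pci, the custom-device label, and the command path are assumptions; verify the attribute names against the current custom-device interface documentation before relying on them.

```yaml
name: ryzenadj
# base, summary, description and parts are omitted here; only the
# confinement-related stanzas are shown.
confinement: strict

slots:
  # Slot provided by this same snap (assumed name: ryzenadj-pci).
  ryzenadj-pci:
    interface: custom-device
    # Label that the plug must match (assumed value).
    custom-device: ryzenadj-pci-config
    files:
      write:
        # The path AppArmor actually mediates is the resolved sysfs path
        # from the denial log, not the /sys/bus/pci/devices/... symlink
        # that pcilib opens, so list the /sys/devices/... form here.
        - /sys/devices/pci0000:00/0000:00:00.0/config

plugs:
  # Plug consumed by the app; the custom-device label must match the slot.
  ryzenadj-pci:
    interface: custom-device
    custom-device: ryzenadj-pci-config

apps:
  ryzenadj:
    command: bin/ryzenadj   # assumed location of the binary inside the snap
    plugs:
      - ryzenadj-pci
```

After installation the plug and slot still need to be connected (for example with snap connect ryzenadj:ryzenadj-pci ryzenadj:ryzenadj-pci), and the snap keeps strict confinement with write access limited to that single file rather than the whole host.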

Thanks for the info! I’ll check it out.