Classic Confinement Request for the wimlib Snap


#1

Dear @reviewers, I would like to request classic confinement for my snap wimlib (https://snapcraft.io/wimlib, not available currently due to pending review; source: https://github.com/Lin-Buo-Ren/wimlib-snap) according to the Process for reviewing classic confinement snaps.

Reasoning

Requires raw read/write access to internal storages’ device/partition block devices

For backup/restore/examine NTFS volumes

Thanks in advance!


#2

Regular bump…


#3

Can you give more details as to the access required?

@Wimpress, @popey and/or @evan - can one of you perform the other steps for vetting this snap?


#4

For example, one can use the sudo wimlib.wimcapture /dev/sdXN Windows10_20180927.wim command to back-up a Microsoft Windows C: drive/volume to a WIM image and restore it later using the sudo wimlib.wimapply Windows10_20180927.wim /dev/sdXN command. These two commands, in particular, require raw read/write access to internal storage devices’ block device.

Here’s an example output of the wimlib.wimcapture command:

$ sudo wimlib.wimcapture /dev/sda3 sda3.wim --compress=none
Capturing WIM image from NTFS filesystem on "/dev/sda3"
Scanning "/dev/sda3"

Excluding "/$Recycle.Bin" from capture
26 MiB scanned (896 files, 356 directories)      
Excluding "/pagefile.sys" from capture
9 GiB scanned (58807 files, 7341 directories)       
Excluding "/swapfile.sys" from capture

Excluding "/System Volume Information" from capture
31 GiB scanned (225927 files, 40757 directories)    
Archiving file data: 26 GiB of 29 GiB (90%) done
Archiving file data: 28 GiB of 28 GiB (100%) done

For other exposed commands such as wimlib.wiminfo Windows10_20180927.wim for querying information of a WIM image only regular file access is required, yet classic confinement can’t be constrained to certain app commands of a snap.


#5

@niemeyer - the access to the device files required by this classic request grants device ownership to the device, but the access is expected for this application. Can you comment on its suitability for classic?


#6

@Lin-Buo-Ren Hi,

Can you point us to the source code for the application?


#7

@niemeyer Sure, the upstream source code can be acquired at wimlib - Downloads and wimlib.net Git - wimlib/tree and the building recipe is located at wimlib-snap/snapcraft.yaml at master · Lin-Buo-Ren/wimlib-snap.


#8

@reviewers A week has passed, I would like to request the continuation of the vetting process.


#9

@niemeyer - hey, can you take another look at this?


#10

Here’s an example apparmor denial of running the wimlib.wimcapture command after making the snap strictly confined:

audit: type=1400 audit(1539365264.726:156): apparmor="DENIED" operation="open" profile="snap.wimlib.wimcapture" name="/dev/sda3" pid=17455 comm="wimcapture" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

#11

@niemeyer - ping, can you take another look at this?


#12

Ping @niemeyer - can you take another look at this?


#13

Ping @niemeyer - can you take another look at this? The requester answered your question.


#14

Ping @niemeyer or @pedronis - can you take look at this? The requester answered @niemeyer’s question.