Fwupd snap, needed interfaces

A while back I tried to work on putting fwupd into a classic snap (Approval for fwupd classic snap). There was pushback that this should be a regular snap.

I’ve done the work to get fwupd daemon and fwupdmgr building into the snap (see https://github.com/hughsie/fwupd/blob/wip/superm1/snapped-daemon/contrib/snap/snapcraft-stable.yaml), but I’ve hit several roadblocks that I need help with.

  1. The PolicyKit rules associated with any client communication with the daemon aren’t loaded. So I can’t communicate with the daemon with anything other than root.
  2. I can’t find a way to bind mount the EFI system partition. For UEFI updates to work the EFI system partition needs to be accessible to the snap. On flatpak (https://github.com/hughsie/fwupd/blob/master/contrib/org.freedesktop.fwupd.json) we just add --filesystem=/boot and then the ESP is bind mounted.
  3. The ESRT needs to be accessible from the snap (/sys/firmware/efi/esrt).
  4. The client and daemon communication interface/plug isn’t automatically enabled. I had heard this might happen from the store, but I don’t know how to activate it.
  5. A new set of confinement rules to all the interfaces fwupd uses is needed.

From my perspective, 1, 2, and 3 are the most important as they would at least be a functional ‘devmode’ snap. As it stands today devmode doesn’t work for UEFI updates due to lack of access to those directories in the snap.

The PolicyKit rules need to be copied out of the snap at install, similar to what we’ve proposed doing for gnome-shell search providers at GNOME Shell search providers in snaps.

What about the bind mounting of the EFI system partition and the ESRT directories?

This needs a new security backend (e.g., ‘polkit’) that would sit alongside apparmor, seccomp, kmod, udev, etc. in interfaces/. Like @kenvandine mentioned, we would encode PolicyKit rules in the snapd interface code (in this case, for fwupd) and snapd would be responsible for writing those out to disk (e.g., like it does for udev rules).

cmd/snap-confine needs to be updated to bind mount these into the snap.

The fwupd interface AppArmor policy (interfaces/builtin/fwupd.go) needs to be updated to have this access.

There is a process for requesting this here: Process for aliases, auto-connections and tracks

These can be updated, likely in interfaces/builtin/fwupd.go, but maybe some accesses should be in other interfaces. This organization would happen during PR review.

I suggest the following approach:

  1. submit a PR for the polkit backend
  2. submit a PR to make the efi partition available to the snap
  3. submit a PR for the needed security policy updates (e.g., esrt, etc.)

The plan is to implement the changes to allow fwupd to work in strict mode and, while that is happening, allow it to be a classic snap.

@superm1 There has been a proposed solution for polkit posted on the forum.
Allow snapped daemons to use polkit authorisation

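A check for roadblocks 2 and 3 from the first post, as an added example that is not part of the thread and is not fwupd or snapd code: run from a shell inside the snap's mount namespace, it reports whether the ESRT and an EFI system partition mount are visible there. The function names, the root-prefix argument and the list of candidate ESP mount points (`/boot/efi`, `/efi`, `/boot`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the paths fwupd needs for
# UEFI updates are visible in the current mount namespace.
# Usage: sh check.sh /   (argument is a root prefix; "/" means the live system)
# Run as root: the kernel exposes the ESRT entry attributes to root only.

# esrt_status ROOT: prints "ok:<count>", "empty" or "missing"
esrt_status() {
    dir="$1/sys/firmware/efi/esrt/entries"
    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo missing; return 1
    fi
    n=0
    for e in "$dir"/entry*; do
        # each ESRT entry exposes its firmware GUID in fw_class
        if [ -r "$e/fw_class" ]; then n=$((n + 1)); fi
    done
    if [ "$n" -gt 0 ]; then echo "ok:$n"; return 0; fi
    echo empty; return 1
}

# esp_mount ROOT: prints the mount point of a vfat file system on one of the
# conventional ESP locations (assumed list), read from ROOT/proc/mounts
esp_mount() {
    [ -r "$1/proc/mounts" ] || return 1
    awk '$3 == "vfat" && ($2 == "/boot/efi" || $2 == "/efi" || $2 == "/boot") {
             print $2; found = 1; exit
         }
         END { exit !found }' "$1/proc/mounts"
}

# uefi_report ROOT: prints one line per check, returns non-zero if either fails
uefi_report() {
    root="${1%/}"; rc=0
    if s=$(esrt_status "$root"); then echo "ESRT: $s"
    else echo "ESRT: $s (not usable from this namespace)"; rc=1; fi
    if m=$(esp_mount "$root"); then echo "ESP: mounted at $m"
    else echo "ESP: no vfat mount found"; rc=1; fi
    return "$rc"
}

# Run only when a root prefix is given on the command line.
if [ "$#" -gt 0 ]; then uefi_report "$1"; fi
```

Comparing the output on the host with the output from a shell started inside the snap shows which of the two paths snap-confine and the interface policy still need to expose.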