Including snapd in the openSUSE Factory branch

Hey everyone,

we’re going to submit the snapd package to the openSUSE Factory branch soon. snapd is the central component of the snap ecosystem. See https://snapcraft.io/ for more details about snap & snapd. The package has been available through the system:snappy:snapd repository on OBS for quite some time and has gone through various iterations.

There are a few things we need to solve before we can send the package review request:

  • Passing the security review on #986050 to get the snap-confine utility added to the setsuid whitelist in openSUSE.

  • There were a few things found in the security review of the snap-confine code @zyga-snapd is currently working through and will push PRs to the upstream snap project real soon. We will backport those changes to the packaging tree in order to get them included as part of a stable snapd release.

  • Right now the package ships with an override for the setsuid bit for snap-confine until we have it added to the distro-wide whitelist. This is a blocker for the merge into openSUSE Factory.

  • Discuss if we can use golang vendorization. We saw that packages like the ones for docker or kubernetes are using golang vendorization instead of packaging all dependencies into individual packages like Fedora is doing. The snapd package right now uses golang vendoring too and we would like to keep that unless there is any feedback that requires us to package each individual golang module into an individual package. For a complete list of all golang modules used by snapd have a look at the govendor configuration file.

Other than that the snapd package is in good shape.

If you’re interested please don’t be shy and reach out to @zyga-snapd or @morphis.

regards,
Simon


For any readers: This serves as a template for me and @zyga-snapd to prepare the actual mail we’re going to send to the openSUSE Factory mailinglist.


Can you please make this post a wiki?

It is already a wiki :slight_smile:

This is now sent out as https://lists.opensuse.org/opensuse-factory/2017-06/msg00053.html

I’ve been discussing this with @morphis and @jdstrand yesterday and there are a few patches we need to apply to snap-confine, in anticipation of another round of security review.

I will start with a regression test that ensures the desired behavior of privilege management code (UIDs/GIDs), follow that up with small refactoring that will also fix a bug we found and finish it with several larger comment blocks that explain the design of some non-obvious code.

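The post above mentions a regression test for the UID/GID handling in snap-confine. The following is an added example, not snap-confine's own code or test, of the kind of post-condition such a test asserts on: a privilege-drop routine that sets all three user and group ids (real, effective and saved) and a check that verifies the drop was complete. The function names `drop_to_ids` and `verify_dropped` are made up for this example; it assumes Linux with glibc.

```c
/* Added example (not snap-confine's code): a privilege-drop routine with
 * the post-condition check a regression test for UID/GID handling would
 * assert on.  Linux/glibc only. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares the *res* calls only under _GNU_SOURCE; if a harness
 * included system headers before that define was seen, these explicit
 * (identical) prototypes keep the file compiling. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* Drop all three user and group ids to (uid, gid).  Order matters:
 * supplementary groups and the gid must go first, because once the
 * effective uid is non-zero the process can no longer change its groups.
 * Returns 0 on success, -errno on the first failing step. */
int drop_to_ids(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* only root may call setgroups(); clear the supplementary list */
        if (setgroups(0, NULL) != 0)
            return -errno;
    }
    if (setresgid(gid, gid, gid) != 0)
        return -errno;
    if (setresuid(uid, uid, uid) != 0)
        return -errno;
    return 0;
}

/* Post-condition a regression test should check: real, effective AND saved
 * ids all equal the target.  Checking only geteuid() would miss a lingering
 * saved-set-uid of 0, which would let the process regain root later.
 * Returns 0 when fully dropped, 1 otherwise. */
int verify_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 1;
    if (ru != uid || eu != uid || su != uid)
        return 1;
    if (rg != gid || eg != gid || sg != gid)
        return 1;
    return 0;
}

int main(void)
{
    /* Stand-alone run: drop to the invoking real ids (a no-op for an
     * unprivileged process, a real drop when installed setuid-root) and
     * verify the result. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    int rc = drop_to_ids(uid, gid);
    if (rc != 0) {
        fprintf(stderr, "drop failed: %d\n", rc);
        return 1;
    }
    if (verify_dropped(uid, gid) != 0) {
        fprintf(stderr, "ids not fully dropped\n");
        return 1;
    }
    printf("dropped to uid=%u gid=%u (real/effective/saved all match)\n",
           (unsigned)uid, (unsigned)gid);
    return 0;
}
```

Run unprivileged, the drop is a no-op and the check passes; the point of `verify_dropped` is that it inspects the saved ids as well as the effective ones, which is exactly the state a test of a setuid helper has to pin down.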

In order to prepare for the reply to the review from the openSUSE security team I am working on a few branches for snap-confine. I will update this post as those get pushed / landed:

I will revive this thread as we’ve started the process yesterday. There are many things to do still but we have good cooperation from SUSE developers. The system:snappy repository has been blessed as a devel repository that can directly contribute packages to the factory. We are not factory-fit yet though. There are several ongoing TODOs that need to be dealt with:

openSUSE’s apparmor init script doesn’t know about /var/lib/snapd/apparmor/profiles

Because of this, apparmor profiles for snaps won’t work after reboot. I’ve talked with the apparmor maintainer there and I will try to propose a patch that does just enough for it to consider that directory. This will be generalised when the rewritten apparmor init script (that distributions can actually agree on) is released.

polkit profiles need to be merged into the distribution

PolicyKit profiles cannot be shipped by individual packages and instead must go to the main distribution. I will get the details of exactly where this has to happen but the general process is that we need to file a bug and wait for it to be resolved.

security review of snap-confine and other parts of the sandbox

Packages cannot ship setuid root binaries themselves. We need to be white-listed after going through a security review. We attempted this once before but we need to restart the process. Since snapd has evolved quite a lot since then I will write a short document about the architecture of the system and how confinement is applied by the setuid helper.

Packaging warts to clean up

Those weren’t mentioned yet but I’m sure they will come up. I will deal with them as instructed by reviewers.


It has been 5 years, but it seems snapd still isn’t part of openSUSE Factory (https://build.opensuse.org/project/show/openSUSE:Factory). Is this still intended? What’s the current status of this endeavor?