hw-assign and oem assign are inconsistent
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Snappy |
Won't Fix
|
High
|
Unassigned |
Bug Description
snappy hw-assign currently:
* adds a udev rule to /etc/udev/rules.d
* adds a specific apparmor write-path for the device (eg, /dev/foo)
* adds a read-path for /run/udev/data/*
oem assign currently:
* adds a udev rule to /etc/udev/rules.d
* adds a generic apparmor write-path for all devices (ie, /dev/**)
* adds a read-path for /run/udev/data/*
Step '2' in the above is inconsistent and when combined with the added udev rule, it causes confusion and a different security mechanism to be used. With hw-assign, the 'needle check' will fail in the launcher and a cgroup will not be used and instead rely on apparmor. With oem assign, the 'needle check' passes in the launcher and a cgroup is used. In both cases, udev tags are used and added to the system, but udev tags are only needed with cgroups.
This inconsistency was introduced in r415 (https:/
Unless I am missing something, either:
* hw-assign should *not* add a udev rule to /etc/udev/rules.d or the read-path for /run/udev/data/* (ie, revert r415)
* hw-assign should instead of adding a specific apparmor write-path, add the generic apparmor write-path for all devices (ie, /dev/**)
For consistency, the 2nd approach seems most correct, but the former would be ok too.
This does not constitute a security vulnerability because in both cases hardware access is mediated.
Changed in snappy: | |
status: | Triaged → Won't Fix |
I think we need to go with option (2), i.e. have hw-assign use the /dev/** and generate a matching udev-rule. However I think there is another bug here where snappy will just override the existing udev rule if you run hw assign two times for the same app (e.g. /dev/video and /dev/dsp). That should probably also get fixed in the process.