interfaces: switch steam to unrestricted seccomp profile
To match similar changes to apparmor, steam-support will no longer
restrict launched games with a seccomp profile. Steam still relies on an
internal sandbox system, and the interaction of the two sandboxes has
had ill effects historically, with broken features, degraded performance
(real-time scheduling) or extensive logging.
interfaces: transition steam_support to use allow all,
Steam needs very broad permissions, and needs to be able to run a
broad set of different games with different permission requirements.
Steam updates often require an update to the permissions in the
steam_support interface.
To ease support and ensure a good user experience, move steam_support
to a profile that allows all permissions. This will prevent the steam
snap from breaking when steam updates, or a new game is added
requiring permissions that are not covered.
For newer versions of apparmor (4.0.2 and later) use the "allow all,"
rule, which will dynamically expand to all supported permissions.
For older versions of apparmor use the set of apparmor rule classes
supported before apparmor 4.0.2.
Signed-off-by: John Johansen <email address hidden>
Signed-off-by: Zygmunt Krynicki <email address hidden>
sandbox/apparmor: mask allow all rule until apparmor 4.0.2
Compilation of allow all is broken in apparmor_parser in versions before
4.0.2. Ubuntu 24.04 shipped with 4.0.0~beta3, and had an SRU
based on 4.0.1. Detect the version and mask the presence of allow all
unless apparmor parser 4.0.2, or newer, is used.
Signed-off-by: John Johansen <email address hidden>
Signed-off-by: Zygmunt Krynicki <email address hidden>
Revert "sandbox/apparmor: do not skip ABI 4.0 from host parser (#14167)" (#14223)
This reverts commit fa03549d4f81854852f20eafb80f2a6172947869.
We cannot use host AppArmor with 4.0 ABI as there's no control mechanism
to shield us from broken implementation of mqueue mediation class.
We look for the right version of apparmor parser and correctly do not
emit the mqueue permission, but since the host parser (4.0.0~beta3) looks
at the host's ABI file, which contains:
ipc {posix_mqueue {create read write open delete setattr getattr}
and similarly the kernel supports posix_mqueue, the parser (with
the bug or without the bug) will correctly not emit any permissions
related to the mqueue mediation class, while emitting the mediation class
root element, causing the kernel to rightfully deny operations:
As such we need to do one of two things to allow host apparmor to be
used in a world with re-executing snapd:
- Create our own ABI feature files that understand broken features and
mask them, so that from the point of view of the kernel mqueue
is _not_ mediated by the binary profile.
- Detect presence of 4.0 ABI but ignore it on known-broken parser
versions, effectively doing the same thing as the earlier approach
but without creating a new ABI file that only snapd uses (possibly
experiencing fewer bugs).
Signed-off-by: Zygmunt Krynicki <email address hidden>
interfaces,sandbox: transition steam to permissive apparmor profile (#14221)
* sandbox/apparmor: mask allow all rule until apparmor 4.0.2
Compilation of allow all is broken in apparmor_parser in versions before
4.0.2. Ubuntu 24.04 shipped with 4.0.0~beta3, and had an SRU
based on 4.0.1. Detect the version and mask the presence of allow all
unless apparmor parser 4.0.2, or newer, is used.
Signed-off-by: John Johansen <email address hidden>
Signed-off-by: Zygmunt Krynicki <email address hidden>
* sandbox/apparmor: remove stray newline
Signed-off-by: Zygmunt Krynicki <email address hidden>
* interfaces: transition steam_support to use allow all,
Steam needs very broad permissions, and needs to be able to run a
broad set of different games with different permission requirements.
Steam updates often require an update to the permissions in the
steam_support interface.
To ease support and ensure a good user experience, move steam_support
to a profile that allows all permissions. This will prevent the steam
snap from breaking when steam updates, or a new game is added
requiring permissions that are not covered.
For newer versions of apparmor (4.0.2 and later) use the "allow all,"
rule, which will dynamically expand to all supported permissions.
For older versions of apparmor use the set of apparmor rule classes
supported before apparmor 4.0.2.
Signed-off-by: John Johansen <email address hidden>
Signed-off-by: Zygmunt Krynicki <email address hidden>
* sandbox/apparmor: add feature probe for io_uring mediation
Signed-off-by: Zygmunt Krynicki <email address hidden>
* interfaces/builtin: apply userns, mqueue and io_uring conditionally
Signed-off-by: Zygmunt Krynicki <email address hidden>
---------
Signed-off-by: John Johansen <email address hidden>
Signed-off-by: Zygmunt Krynicki <email address hidden>
Co-authored-by: John Johansen <email address hidden>
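The version gate and the two profile shapes that the steam_support and "mask allow all" commits above describe, written out as an added example in Go. This is not snapd's own code: the legacyRules list is an assumed expansion of "allow all," into bare rule classes (not the text of the steam_support template), the feature names "userns", "mqueue" and "io_uring" in the probe result are hypothetical, and the `apparmor_parser --version` outputs are constructed samples. It parses the parser version, treats a "~" pre-release suffix as older than the final release with the same numbers, masks "allow all," below 4.0.2, and otherwise emits the expanded classes, adding the 4.0 classes only when the probe lists them.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ParserVersion is the version printed by `apparmor_parser --version`. A "~"
// suffix (Debian style, e.g. 4.0.0~beta3) marks a pre-release of those numbers.
type ParserVersion struct {
	Major, Minor, Patch int
	PreRelease          string
}

var versionRe = regexp.MustCompile(`(\d+)\.(\d+)(?:\.(\d+))?(?:~([A-Za-z0-9.]+))?`)

// ParseParserVersion extracts the version from `apparmor_parser --version`
// output, whose first line reads "AppArmor parser version X.Y.Z".
func ParseParserVersion(output string) (ParserVersion, error) {
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "AppArmor parser version") {
			continue
		}
		m := versionRe.FindStringSubmatch(line)
		if m == nil {
			return ParserVersion{}, fmt.Errorf("cannot parse version in %q", line)
		}
		v := ParserVersion{PreRelease: m[4]}
		v.Major, _ = strconv.Atoi(m[1])
		v.Minor, _ = strconv.Atoi(m[2])
		v.Patch, _ = strconv.Atoi(m[3]) // "" (two-component version) becomes 0
		return v, nil
	}
	return ParserVersion{}, fmt.Errorf("no \"AppArmor parser version\" line in %q", output)
}

// AtLeast reports whether v is major.minor.patch or newer.
func (v ParserVersion) AtLeast(major, minor, patch int) bool {
	for _, d := range []int{v.Major - major, v.Minor - minor, v.Patch - patch} {
		if d != 0 {
			return d > 0
		}
	}
	return v.PreRelease == "" // 4.0.2~beta1 predates the final 4.0.2
}

// SupportsAllowAll reports whether the parser compiles "allow all," correctly;
// parsers before 4.0.2 accept the rule but miscompile it, so it is masked.
func SupportsAllowAll(v ParserVersion) bool {
	return v.AtLeast(4, 0, 2)
}

// legacyRules is an assumed expansion of "allow all," into the bare rule
// classes pre-4.0 parsers understand (a bare rule grants its whole class);
// it is illustrative, not the text of snapd's steam_support template.
var legacyRules = []string{
	"capability,", "network,", "mount,", "remount,", "umount,", "pivot_root,",
	"ptrace,", "signal,", "dbus,", "unix,", "file,", "change_profile,",
}

// conditionalRules pairs the classes that arrived with the 4.0 ABI with the
// hypothetical feature names a parser probe would report for them.
var conditionalRules = []struct{ feature, rule string }{
	{"userns", "userns,"}, {"mqueue", "mqueue,"}, {"io_uring", "io_uring,"},
}

// PermissiveRules returns the body of a fully permissive profile: one
// "allow all," where the parser compiles it correctly, otherwise the expanded
// classes plus whichever 4.0 classes the probed parser features confirm.
func PermissiveRules(v ParserVersion, parserFeatures []string) string {
	if SupportsAllowAll(v) {
		return "allow all,\n"
	}
	rules := append([]string{}, legacyRules...)
	for _, c := range conditionalRules {
		for _, f := range parserFeatures {
			if f == c.feature {
				rules = append(rules, c.rule)
				break
			}
		}
	}
	return strings.Join(rules, "\n") + "\n"
}

func main() {
	// Constructed `apparmor_parser --version` outputs: 4.0.0~beta3 and 4.0.1 stand
	// for the Ubuntu 24.04 and SRU parsers named above, 4.0.2 for the fixed one.
	probed := []string{"unsafe", "userns", "mqueue", "io_uring"} // hypothetical probe result
	for _, s := range []string{"4.0.0~beta3", "4.0.1", "4.0.2"} {
		v, err := ParseParserVersion("AppArmor parser version " + s + "\nCopyright (C) 1999-2008 Novell Inc.")
		if err != nil {
			panic(err)
		}
		fmt.Printf("parser %s: allow all=%v\n%s\n", s, SupportsAllowAll(v), PermissiveRules(v, probed))
	}
}
```

The gate is deliberately conservative: output without a recognisable version line is an error rather than being treated as "new enough", and a pre-release of 4.0.2 itself still falls back to the expanded rules, so a parser that may miscompile "allow all," is never handed that rule.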