[opensuse-factory] snapd for openSUSE
Hey everyone,

we're going to submit the snapd package to the openSUSE Factory branch soon. snapd is the central component of the snap ecosystem. See https://snapcraft.io/ for more details about snap & snapd. The package has been available through the system:snappy:snapd repository on OBS (https://build.opensuse.org/package/show/system:snappy/snapd) for quite some time and went through various iterations.

There are a few things we need to solve before we can send the package review request:

* Passing the security review on #9860501 (https://bugzilla.opensuse.org/show_bug.cgi?id=986050) to get the snap-confine utility added to the setuid whitelist in openSUSE.
  - There were a few things found in the security review of the snap-confine code that @zyga is currently working through; he will push PRs to the upstream snap project real soon. We will backport those changes to the packaging tree in order to get them included as part of a stable snapd release.
  - Right now the package ships with an override for the setuid bit for snap-confine until we have it added to the distro-wide whitelist. This is a blocker for the merge into openSUSE Factory.

* Discuss whether we can use golang vendorization. We saw that packages like the ones for docker or kubernetes are using golang vendorization instead of packaging all dependencies into individual packages like Fedora is doing. The snapd package right now uses golang vendoring too and we would like to keep that unless there is any feedback that requires us to package each individual golang module into an individual package. For a complete list of all golang modules used by snapd have a look at the govendor configuration file (https://github.com/snapcore/snapd/blob/master/vendor/vendor.json).

Other than that the snapd package is in good shape. If you're interested please reach out to Zygmund (in CC) or me.

regards,
Simon

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
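Since the vendor.json mentioned above is the only record of which third-party Go code is built into the package, a reviewer will want to check that every vendored entry is pinned to a revision and carries a checksum. The audit below is an added example (not snapd's or govendor's code) that parses a manifest in govendor's vendor.json layout (one `package` entry per module with `path`, `revision`, `revisionTime` and `checksumSHA1`); the sample manifest is constructed for illustration, not taken from the snapd repository.

```python
import json
import re
from typing import Dict, List

# Constructed sample in govendor's vendor.json layout; paths and hashes are made up.
SAMPLE_VENDOR_JSON = """
{
  "comment": "",
  "ignore": "test",
  "package": [
    {"checksumSHA1": "kQ8FzWmBmtbjkbkmNgz9bhO7h8k=",
     "path": "github.com/example/pinned",
     "revision": "0123456789abcdef0123456789abcdef01234567",
     "revisionTime": "2017-05-01T10:00:00Z"},
    {"path": "github.com/example/nochecksum",
     "revision": "89abcdef0123456789abcdef0123456789abcdef",
     "revisionTime": "2017-05-02T10:00:00Z"},
    {"checksumSHA1": "AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
     "path": "github.com/example/unpinned",
     "revision": "master"}
  ],
  "rootPath": "github.com/example/app"
}
"""

# A pinned revision is a full 40-hex-digit git commit id, not a branch or tag name.
GIT_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def audit_vendor_manifest(text: str) -> Dict[str, List[str]]:
    """Classify each vendored package by supply-chain hygiene.

    Returns a dict with the lists 'ok', 'missing_checksum', 'unpinned' and
    'duplicate'; a path can appear in more than one problem list.
    """
    manifest = json.loads(text)
    report: Dict[str, List[str]] = {"ok": [], "missing_checksum": [], "unpinned": [], "duplicate": []}
    seen = set()
    for pkg in manifest.get("package", []):
        path = pkg.get("path", "<no path>")
        problems = []
        if not pkg.get("checksumSHA1"):            # nothing to verify the tree against
            problems.append("missing_checksum")
        if not GIT_SHA1.match(pkg.get("revision", "")):  # floating ref, not reproducible
            problems.append("unpinned")
        if path in seen:                           # same import path vendored twice
            problems.append("duplicate")
        seen.add(path)
        for key in problems or ["ok"]:
            report[key].append(path)
    return report
```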
On Friday 02 June 2017 at 07:13 +0200, Simon Fels wrote:
Hey everyone,
we're going to submit the snapd package to the openSUSE Factory branch soon. snapd is the central component of the snap ecosystem. See https://snapcraft.io/ for more details about snap & snapd. The package has been available through the system:snappy:snapd repository on OBS (https://build.opensuse.org/package/show/system:snappy/snapd) for quite some time and went through various iterations.
There are a few things we need to solve before we can send the package review request:
* Passing the security review on #9860501 (https://bugzilla.opensuse.org/show_bug.cgi?id=986050) to get the snap-confine utility added to the setuid whitelist in openSUSE.
  - There were a few things found in the security review of the snap-confine code that @zyga is currently working through; he will push PRs to the upstream snap project real soon. We will backport those changes to the packaging tree in order to get them included as part of a stable snapd release.
  - Right now the package ships with an override for the setuid bit for snap-confine until we have it added to the distro-wide whitelist. This is a blocker for the merge into openSUSE Factory.
IIRC from the snaps talk at osc'17 last week (https://www.slideshare.net/zkrynicki/snaps-on-open-suse/41), there are also some AppArmor patches (which have been sent upstream) which are needed to have proper security. Is it on your todo list?

--
Frederic Crozat
Enterprise Desktop Release Manager
SUSE
IIRC from the snaps talk at osc'17 last week (https://www.slideshare.net/zkrynicki/snaps-on-open-suse/41), there are also some AppArmor patches (which have been sent upstream) which are needed to have proper security. Is it on your todo list?

Yeah, there are people working on pushing all necessary patches for AppArmor to the upstream Linux kernel so we can have proper AppArmor confinement with a pure upstream kernel soon. However, I am not sure where we are with this at the moment, but the last I heard was that we are just missing a few smaller things after 4.12 is out.

For now we will keep snapd on openSUSE in the so-called forced-devmode, which deactivates strict confinement via AppArmor but keeps the seccomp part enabled.

Hope that helps. If you have any further questions, please let me know.

regards,
Simon
Hello,

On Friday, 2 June 2017, 10:01:31 CEST, Simon Fels wrote:
IIRC from the snaps talk at osc'17 last week (https://www.slideshare.net/zkrynicki/snaps-on-open-suse/41), there are also some AppArmor patches (which have been sent upstream) which are needed to have proper security. Is it on your todo list?
Yeah, there are people working on pushing all necessary patches for AppArmor to the upstream Linux kernel so we can have proper AppArmor confinement with a pure upstream kernel soon. However, I am not sure where we are with this at the moment, but the last I heard was that we are just missing a few smaller things after 4.12 is out.
John Johansen [1] would probably disagree with "a few smaller things" ;-)

The initial goal was 4.13, but as things look now, 4.14 is the realistic target. I asked the kernel team to backport the patches so that we can have them in Leap 15. For more details, see https://bugzilla.opensuse.org/show_bug.cgi?id=1042082 and https://features.opensuse.org/323500

Note that those patches will also add several new AppArmor rule types which might need some profile updates. This is why I'd prefer to have them ready in Leap 15 - adding them in a minor release probably isn't a good idea.
For now we will keep snapd on openSUSE in the so-called forced-devmode, which deactivates strict confinement via AppArmor but keeps the seccomp part enabled.
I hope this comes with a very visible warning about the security implications ;-)

Regards,
Christian Boltz

[1] John is one of the upstream AppArmor developers and works on getting the kernel patches upstreamed

--
xslt, what? We combine the paradigm of awk with the linguistic elegance of Cobol and the programming contortions of functional languages, while carefully avoiding every possible advantage. [Kristian Köhntopp]