Open smcv opened 1 month ago
As with other AppArmor profile problems, a workaround will probably be included in pressure-vessel, but it doesn't really scale to avoid doing reasonable things just because we're running inside a Snap app that Valve explicitly doesn't support.
We're actively modifying snapd at the moment for Steam. The app armor restrictions are effectively going away, so if you're testing anything make sure you're using the edge channel of snapd since it will have our latest changes (WIP).
Specific implementation details can be found on snapd: https://github.com/canonical/snapd/blob/master/interfaces/builtin/steam_support.go (WIP).
And our initial context of the decision is here: https://github.com/canonical/steam-snap/issues/363#issuecomment-2112638139
The app armor restrictions are effectively going away, so if you're testing anything make sure you're using the edge channel of snapd since it will have our latest changes (WIP).
Sorry, I don't think I can do that. If Canonical is encouraging Ubuntu users to use steam-snap, and those Ubuntu users are generally expected to be using the stable/production/GA branch of snapd, then the only way I can establish whether a new version of a Steam component is going to cause user-visible regressions for Ubuntu users is by using the same version of snapd that they will be using today (as opposed to a preview of what they will be using in future).
After the permissive AppArmor profile lands in the stable snapd and steam-snap gains a dependency on it, we can stop caring about issues like this one and close them as resolved, but until then we still need to make sure we have workarounds, otherwise Ubuntu users are going to hit issues like this one and report them as being upstream Steam regressions.
Ah yeah, I meant more so that you're free to test on edge if you'd like to see what future compatibility is like, but yes workarounds will be definitely needed now until what is in edge is in stable. We'll also bump the assumed snapd version in the snap when snapd is stable as well.
We'll let you know when the permissive profile is in stable; it should be part of snapd 2.64.
This is an automated message 🤖
Your issue has been marked as stale due to 30 days of inactivity. We value every contribution, but as a small team, we're focusing on active issues to ensure efficiency. Please respond with any updates or indicate that it's still relevant to keep this issue open 🔄. If there's no further activity in the next 30 days, the issue will be automatically closed ⏳.
Ensure there isn't an existing issue for this and check the wiki
Current Behavior
A new version of pressure-vessel (https://repo.steampowered.com/pressure-vessel/snapshots/0.20240802.0/, not yet used in production Steam Linux Runtime builds) has a feature intended for developer use where it bind-mounts the host system's TLS CA certificates into the container. The Steam public beta currently activates this feature for the
steamwebhelper
unconditionally (this might change).Snap's AppArmor profile does not allow this. Specifically, it doesn't allow mounting
/oldroot/usr/share/ca-certificates/mozilla/*.crt
onto/etc/ssl/certs/*.0
.We're using
--ro-bind
, but the AppArmor denial saysfailed flags match
andflags="rw, rbind"
. I suspect this might be because bubblewrap has to implement this by bind-mounting the file read/write and then remounting it read-only?Expected Behavior
This bind-mount should be allowed.
As with other AppArmor issues, I'd prefer the permissions in the profile to be as permissive as possible, subject to your security policy. For instance, if you have no problem with Steam being able to read
/usr
, then allowing any file from/oldroot/usr
to be bind-mounted anywhere below/oldroot/etc
would seem appropriate. It's not as if we are going to somehow gain write access to root-owned files this way...Steps To Reproduce
Environment
gaming-graphics-core22 version
kisak-fresh (default)
Anything else?
No response