search

canonical / steam-snap

Steam as a snap
72 stars 10 forks source link

Future incompatibility: AppArmor profile doesn't allow mounting /usr/share/ca-certificates/** into /etc/ssl/certs/ #397

Open smcv opened 1 month ago

smcv commented 1 month ago

Ensure there isn't an existing issue for this and check the wiki

Current Behavior

A new version of pressure-vessel (https://repo.steampowered.com/pressure-vessel/snapshots/0.20240802.0/, not yet used in production Steam Linux Runtime builds) has a feature intended for developer use where it bind-mounts the host system's TLS CA certificates into the container. The Steam public beta currently activates this feature for the steamwebhelper unconditionally (this might change).

Snap's AppArmor profile does not allow this. Specifically, it doesn't allow mounting /oldroot/usr/share/ca-certificates/mozilla/*.crt onto /etc/ssl/certs/*.0.

We're using --ro-bind, but the AppArmor denial says failed flags match and flags="rw, rbind". I suspect this might be because bubblewrap has to implement this by bind-mounting the file read/write and then remounting it read-only?

Expected Behavior

This bind-mount should be allowed.

As with other AppArmor issues, I'd prefer the permissions in the profile to be as permissive as possible, subject to your security policy. For instance, if you have no problem with Steam being able to read /usr, then allowing any file from /oldroot/usr to be bind-mounted anywhere below /oldroot/etc would seem appropriate. It's not as if we are going to somehow gain write access to root-owned files this way...

Steps To Reproduce

  1. Unpack https://repo.steampowered.com/pressure-vessel/snapshots/0.20240802.0/pressure-vessel-bin.tar.gz somewhere
  2. PRESSURE_VESSEL_PREFIX=/path/to/pressure-vessel snap run steam

Environment

Ubuntu 24.04

gaming-graphics-core22 version

kisak-fresh (default)

Anything else?

No response

smcv commented 1 month ago

As with other AppArmor profile problems, a workaround will probably be included in pressure-vessel, but it doesn't really scale to avoid doing reasonable things just because we're running inside a Snap app that Valve explicitly doesn't support.

ashuntu commented 1 month ago

We're actively modifying snapd at the moment for Steam. The app armor restrictions are effectively going away, so if you're testing anything make sure you're using the edge channel of snapd since it will have our latest changes (WIP).

Specific implementation details can be found on snapd: https://github.com/canonical/snapd/blob/master/interfaces/builtin/steam_support.go (WIP).

And our initial context of the decision is here: https://github.com/canonical/steam-snap/issues/363#issuecomment-2112638139

smcv commented 1 month ago

The app armor restrictions are effectively going away, so if you're testing anything make sure you're using the edge channel of snapd since it will have our latest changes (WIP).

Sorry, I don't think I can do that. If Canonical is encouraging Ubuntu users to use steam-snap, and those Ubuntu users are generally expected to be using the stable/production/GA branch of snapd, then the only way I can establish whether a new version of a Steam component is going to cause user-visible regressions for Ubuntu users is by using the same version of snapd that they will be using today (as opposed to a preview of what they will be using in future).

After the permissive AppArmor profile lands in the stable snapd and steam-snap gains a dependency on it, we can stop caring about issues like this one and close them as resolved, but until then we still need to make sure we have workarounds, otherwise Ubuntu users are going to hit issues like this one and report them as being upstream Steam regressions.

ashuntu commented 1 month ago

Ah yeah, I meant more so that you're free to test on edge if you'd like to see what future compatibility is like, but yes workarounds will be definitely needed now until what is in edge is in stable. We'll also bump the assumed snapd version in the snap when snapd is stable as well.

We'll let you know when the permissive profile is in stable; it should be part of snapd 2.64.

github-actions[bot] commented 6 days ago

This is an automated message 🤖

Your issue has been marked as stale due to 30 days of inactivity. We value every contribution, but as a small team, we're focusing on active issues to ensure efficiency. Please respond with any updates or indicate that it's still relevant to keep this issue open 🔄. If there's no further activity in the next 30 days, the issue will be automatically closed ⏳.