interfaces: Add new systemd-user-control interface #13920
Conversation
|
Everyone contributing to this PR have now signed the CLA. Thanks! |
|
For the record I did sign the CLA. I guess the check went through before it validated or such. |
pedronis
added
the
Needs security review
er-vin
force-pushed
the
improve-systemd-driven-desktop-support
branch
2 times, most recently
from
83d17c5
to
9cb30fe
Compare
There was a problem hiding this comment.
This definitely needs careful attention from security. While it might be a bit contentious, it may still be the best way forward given the way different desktop environments are increasing their reliance on systemd as a user service manager.
Some other general points:
- If the interface is focused on systemd access, then the name should reflect that. Maybe
systemd-user-controlorsystemd-control. - It might make sense to go with
systemd-controland have a plug attribute to say whether the snap wants access to the system or user instance of systemd. This might be worth doing even if we only have support for the user instance initially.
There was a problem hiding this comment.
The new desktop-session-control interface allows to launch arbitrary services via the StartUnit method against org.freedesktop.systemd1.Manager (see https://www.freedesktop.org/software/systemd/man/latest/org.freedesktop.systemd1.html) - and hence run anything outside of confinement. I am not sure this fits with the existing snapd confinement model. The only similar thing we have at the moment is the desktop-launch interface - but this only allows to launch other snaps and this launching is mediated by snapd. Whereas this proposed interface is able to launch anything, outside of any mediation by snapd.
So at the bare minimum this interface needs to be super-privileged - BUT even then I am not sure if it fits in the existing paradigm for snapd. @pedronis can you comment?
The changes to shutdown, system-observe and upower-observe all seem reasonable though.
Yes indeed. Upstream desktop projects are moving to systemd to drive session startup.
So I tried going the Also on the implementation side it led to more complexity and more code than having two separate interfaces sharing the common parts. So I backtracked to just |
There was a problem hiding this comment.
I had a look at the new interface as well as at the other changes. I think the new interface should be split out to a separate PR so that security can focus on that part and we can arrive on a conclusion.
In the end the new interface also needs to be documented on the forum, if that's already done please ignore this part of the reivew.
I extracted the commits unrelated to
I'll do that last once the dust settle though, it changed drastically once already. |
There was a problem hiding this comment.
Adding to the concerns of @jhenstridge @alexmurray I am a bit worried about the impact of supporting StartUnit and StartTransientUnit in the new desktop-session-control interface.
snapd and snap run depends on StartUnit and StartTransientUnit for monitoring and resource control which would cause two annoyances:
- Naming conflicts of transient cgroups will be possible which would interfere with snapd (especially refreshes)
- Snaps will always be started in a two level nested transient cgroup (one for KDE and the other for snapd)
- I am not sure about the performance impact or side effects of this
@pedronis opinion on this is definitely needed.
ZeyadYasser
added
the
Needs Samuele review
er-vin
force-pushed
the
improve-systemd-driven-desktop-support
branch
from
6b64829
to
617caac
Compare
|
For the record, I just rebased on latest master. I also made sure there was only one commit related to the introduction of the systemd-user-control interface. Should make it all easier to review. |
This wasn't the case yet, it's now done: |
Indeed, it opens the door to this. Note however that the consensus seems to be to not make this interface widely available but only for a couple of desktop session snaps. I wouldn't expect those to actively seek such naming conflicts in practice (on the contrary).
Are you sure about this second claim? Indeed I see ways where this could be possible but I don't think this is as much a given as your "always" seems to imply. At least in practice I don't think I'm seeing this with the KDE Plasma session we've been working on. Snap related cgroups didn't get extra nesting AFAICT from systemd-cgls. If you want me to test extra things to check this further feel free to ask I'll gladly try. |
There was a problem hiding this comment.
To help with getting this approved, it would be useful to know what the various systemd methods are being used for. Looking at the AppArmor, it looks like there's roughly four categories:
SetEnvironment,UnsetEnvironment, andUnsetAndSetEnvironment: I'd assume this is primarily to communicate variables likeDISPLAYandWAYLAND_DISPLAYto other processes in the session that are not directly run by the shell.
2.Reload,ListUnitFiles, andListUnitFilesByPatterns: introspect what units exist in the session.ResetFailedandStartUnit: start services/targets installed on the system. Maybe to phase parts of the startup, or manage Xwayland startup? Also, would it make sense to includeStopUnitandRestartUnithere?StartTransientUnit: I'm guessing that this is for application launch, and is probably the most contentious as it directly supports arbitrary code execution. Would thedesktop-launchinterface allow you to do without this one? We've got some patches in the core-desktop snapd branch to structure desktop files for snaps so that running theirExecline will work from a snap that plugs this interface.
If we can eliminate (4) and have a rationale for the others, I think it will be much easier to sell this interface.
Correct. This is done by the bootstrap process to push its environment to be available to other processes (it's a bit more than
Correct. This is exactly what it's used for.
Yes, this is mainly for the bootstrap process to
Indeed, makes sense when not on the happy path. I'll add those.
Right now the Here is the rub though: It's unclear how long the fork path will stay in place, if it gets fully decommissioned the workaround I'll test will be rendered useless.
Hopefully I answered what you had in mind. |
er-vin
force-pushed
the
improve-systemd-driven-desktop-support
branch
from
617caac
to
655c33b
Compare
|
Alright, managed to get it working without |
er-vin
changed the title
er-vin
force-pushed
the
improve-systemd-driven-desktop-support
branch
from
655c33b
to
dd99661
Compare
|
The approach requires additional discussion, marked block until we have feedback. |
|
Other than this, this plug has another usecases. For apps like system monitors. This plug still needs some for methods to be added though, but still this would be really helpful. Instead they would come up and ask for classic confinement as seen in the forum. cc @alexmurray https://forum.snapcraft.io/t/classic-confinement-request-for-mission-center/40451/25 |
er-vin
force-pushed
the
improve-systemd-driven-desktop-support
branch
from
dd99661
to
fed12a9
Compare
er-vin
force-pushed
the
improve-systemd-driven-desktop-support
branch
from
fed12a9
to
d6d6435
Compare
This is meant to support desktop sessions boots fully driven by systemd and D-Bus activation on the user session.
er-vin
force-pushed
the
improve-systemd-driven-desktop-support
branch
from
d6d6435
to
f99d32a
Compare
jhenstridge
changed the title
|
Needs more discussion |
There was a problem hiding this comment.
I don't know if there are remaining discussions to be had butfrom my point of view, this looks fine as a super-privileged interface. I am not aware of details as to which set of methods exactly is needed so I trust other reviewers and the original author on this.
I had a look at tests and test failures and nothing particular stands out.
This is necessary to get a Plasma desktop to boot fully confined on an Ubuntu Core base. This is about adding a new interface for better support of a systemd + D-Bus activation session startup (requires listing and activating units)