
Should allow running programs from /usr/lib and /usr/libexec #227

Closed
smcv opened this issue May 2, 2023 · 3 comments
Labels
type/bug Something isn't working

Comments

@smcv

smcv commented May 2, 2023

Describe the bug

Please see ValveSoftware/steam-runtime#586, which is a broader issue in which a user reports that Dota 2 (in a Steam Linux Runtime container) doesn't work in the Snap-packaged version of Steam.

The part I'm referring to in this particular issue report is:

        "error" : "Failed to execute child process “/usr/libexec/steam-runtime-tools-0/i386-linux-gnu-detect-lib” (Permission denied)"
        "error" : "Failed to execute child process “/usr/libexec/steam-runtime-tools-0/i386-linux-gnu-detect-platform” (Permission denied)"

To Reproduce
I've been unable to start Steam as a Snap app successfully myself, but presumably something like this:

Install and run Steam as a Snap app. Retrieve Steam -> Help -> System Information.

Expected behavior
Diagnostic programs in the Steam Linux Runtime container's /usr/libexec/ should be runnable. We don't currently install diagnostic programs into /usr/lib, but we might in future, and if we do, those should be runnable too.

In fact https://github.com/snapcore/snapd/blob/master/interfaces/builtin/steam_support.go appears to allow running anything matching /usr/bin/** or /usr/sbin/**, but not /usr/libexec/** or /usr/lib/**.

Granting ixr access to all of /usr would be a lot more future-proof: we cannot predict what pressure-vessel will need to do to accommodate future OSs, app frameworks and games. There is no security benefit in preventing access to any of this - the same files can be accessed via $HOME anyway - so the only thing that's being achieved by having such a fine-grained AppArmor profile is to stop future versions of Steam from working reliably.
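To make the rule mismatch concrete, here is an added Python example (not code from this issue, from snapd, or from the steam-snap project): a small matcher for AppArmor-style path globs that evaluates the two quoted binaries against a "before" rule set covering only /usr/bin/** and /usr/sbin/**, and an "after" set that also covers /usr/libexec/** and /usr/lib/**. The rule strings are constructed approximations of what the issue describes, not the real contents of steam_support.go, and the matcher deliberately models only glob matching and the presence of an execute permission, not AppArmor's full rule ordering and conflict resolution.

```python
import re

# Constructed AppArmor-style exec rules (hypothetical; not copied from
# snapd's steam_support.go). "Before" mirrors what the issue describes as
# currently allowed, "after" adds the two directories the issue asks for.
RULES_BEFORE = [
    "/usr/bin/** ixr,",
    "/usr/sbin/** ixr,",
]
RULES_AFTER = RULES_BEFORE + [
    "/usr/libexec/** ixr,",
    "/usr/lib/** ixr,",
]

# The two paths from the "Permission denied" errors quoted in the issue.
DENIED_PATHS = [
    "/usr/libexec/steam-runtime-tools-0/i386-linux-gnu-detect-lib",
    "/usr/libexec/steam-runtime-tools-0/i386-linux-gnu-detect-platform",
]


def apparmor_glob_to_regex(glob: str) -> re.Pattern:
    """Translate an AppArmor path glob into an anchored regex.

    AppArmor semantics: '*' matches any run of characters except '/',
    '**' matches any run including '/', '?' matches one non-'/' character.
    Everything else is taken literally.
    """
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_rule(rule: str):
    """Split 'PATHGLOB PERMS,' into (compiled regex, set of permission letters)."""
    path_glob, perms = rule.rstrip(",").split()
    return apparmor_glob_to_regex(path_glob), set(perms)


def exec_allowed(path: str, rules) -> bool:
    """True if some rule's glob matches `path` and its permissions include 'x'.

    Simplified model: any matching rule that carries an execute mode
    (ix/px/cx/ux all contain 'x') is treated as granting execution.
    """
    for rule in rules:
        pattern, perms = parse_rule(rule)
        if pattern.match(path) and "x" in perms:
            return True
    return False


def evaluate(rules, paths):
    """Map each path to whether execution is permitted under `rules`."""
    return {p: exec_allowed(p, rules) for p in paths}


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for path, ok in evaluate(rules, DENIED_PATHS).items():
            print(f"[{label}] {'ALLOW' if ok else 'DENY '} {path}")
```

Two details the matcher makes visible: a single `*` stops at `/`, so `/usr/bin/*` would not cover a binary in a subdirectory, whereas `**` does; and `/usr/lib/**` does not match anything under `/usr/libexec/`, because the glob requires a literal `/usr/lib/` prefix. That is why both directories have to be listed separately, or a single `/usr/**` rule used, as the issue proposes.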

@smcv smcv added the type/bug Something isn't working label May 2, 2023
mvo5 pushed a commit to canonical/snapd that referenced this issue May 15, 2023
Allows files in `/usr/libexec` and `/usr/lib` to execute.

See canonical/steam-snap#227 for context.
@kenvandine
Collaborator

@alexmurray what are your thoughts on allowing ixr for /usr in the steam-support interface as a means to future-proof the steam snap?

@alexmurray

@kenvandine I don't see any good reason to not allow such a change - AFAIU this content is all controlled via steam and it could just as easily put something into /usr/libexec as /usr within the pressure-vessel container so I think this would be a reasonable change.

@ashuntu
Collaborator

ashuntu commented May 24, 2023

canonical/snapd#12823 was merged and should be live in snapd edge.

@ashuntu ashuntu closed this as completed May 24, 2023
alexmurray pushed a commit to alexmurray/snapd that referenced this issue Oct 17, 2023
Allows files in `/usr/libexec` and `/usr/lib` to execute.

See canonical/steam-snap#227 for context.