Affected by GO-2024-2468 and 4 other vulnerabilities

GO-2024-2468: snapd Race Condition vulnerability in github.com/snapcore/snapd

GO-2024-2906: CVE-2024-5138 in github.com/snapcore/snapd

GO-2024-3007: snapd failed to restrict writes to the $HOME/bin path in github.com/snapcore/snapd

GO-2024-3008: snapd failed to properly check the file type when extracting a snap in github.com/snapcore/snapd

GO-2024-3009: snapd failed to properly check the destination of symbolic links when extracting a snap in github.com/snapcore/snapd

kmod

package

v0.0.0-...-0a0cebb Latest Latest Go to latest Published: Jan 14, 2025 License: GPL-3.0 Imports: 11 Imported by: 46

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/snapcore/snapd

Documentation ¶

Overview ¶

Package kmod implements a backend which loads kernel modules on behalf of interfaces.

Interfaces may request kernel modules to be loaded by providing snippets via their respective "*Snippet" methods for interfaces.SecurityKMod security system. The snippet should contain a newline-separated list of requested kernel modules. The KMod backend stores all the modules needed by given snap in /etc/modules-load.d/snap.<snapname>.conf file ensuring they are loaded when the system boots and also loads these modules via modprobe. If a snap is uninstalled or respective interface gets disconnected, the corresponding /etc/modules-load.d/ config file gets removed, however no kernel modules are unloaded. This is by design.

Note: this mechanism should not be confused with kernel-module-interface; kmod only loads a well-defined list of modules provided by interface definition and doesn't grant any special permissions related to kernel modules to snaps, in contrast to kernel-module-interface.

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Backend ¶

type Backend struct {
	// contains filtered or unexported fields
}

Backend is responsible for maintaining kernel modules

func (*Backend) Initialize ¶

func (b *Backend) Initialize(opts *interfaces.SecurityBackendOptions) error

Initialize does nothing.

func (*Backend) Name ¶

func (b *Backend) Name() interfaces.SecuritySystem

Name returns the name of the backend.

func (*Backend) NewSpecification ¶

func (b *Backend) NewSpecification(*interfaces.SnapAppSet, interfaces.ConfinementOptions) interfaces.Specification

func (*Backend) Remove ¶

func (b *Backend) Remove(snapName string) error

Remove removes modules config file specific to a given snap.

This method should be called after removing a snap.

If the method fails it should be re-tried (with a sensible strategy) by the caller.

func (*Backend) SandboxFeatures ¶

func (b *Backend) SandboxFeatures() []string

SandboxFeatures returns the list of features supported by snapd for loading kernel modules.

func (*Backend) Setup ¶

func (b *Backend) Setup(appSet *interfaces.SnapAppSet, opts interfaces.ConfinementOptions, repo *interfaces.Repository, tm timings.Measurer) error

Setup will make the kmod backend generate the needed system files (such as those under /etc/modules-load.d/ and /etc/modprobe.d/) and call the appropriate system commands so that the desired kernel module configuration will be applied. The devMode is ignored.

If the method fails it should be re-tried (with a sensible strategy) by the caller.

type Specification ¶

type Specification struct {
	// contains filtered or unexported fields
}

Specification assists in collecting kernel modules associated with an interface.

Unlike the Backend itself (which is stateless and non-persistent) this type holds internal state that is used by the kmod backend during the interface setup process.

func (*Specification) AddConnectedPlug ¶

func (spec *Specification) AddConnectedPlug(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error

AddConnectedPlug records kmod-specific side-effects of having a connected plug.

func (*Specification) AddConnectedSlot ¶

func (spec *Specification) AddConnectedSlot(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error

AddConnectedSlot records mount-specific side-effects of having a connected slot.

func (*Specification) AddModule ¶

func (spec *Specification) AddModule(module string) error

AddModule adds a kernel module, trimming spaces and ignoring duplicated modules.

func (*Specification) AddPermanentPlug ¶

func (spec *Specification) AddPermanentPlug(iface interfaces.Interface, plug *snap.PlugInfo) error

AddPermanentPlug records mount-specific side-effects of having a plug.

func (*Specification) AddPermanentSlot ¶

func (spec *Specification) AddPermanentSlot(iface interfaces.Interface, slot *snap.SlotInfo) error

AddPermanentSlot records mount-specific side-effects of having a slot.

func (*Specification) DisallowModule ¶

func (spec *Specification) DisallowModule(module string) error

DisallowModule adds a kernel module to the list of disallowed modules.

func (*Specification) DisallowedModules ¶

func (spec *Specification) DisallowedModules() []string

DisallowedModules returns the list of disallowed modules.

func (*Specification) ModuleOptions ¶

func (spec *Specification) ModuleOptions() map[string]string

moduleOptions returns the load options for each kernel module

func (*Specification) Modules ¶

func (spec *Specification) Modules() map[string]bool

Modules returns a copy of the kernel module names added.

func (*Specification) SetModuleOptions ¶

func (spec *Specification) SetModuleOptions(module, options string) error

SetModuleOptions specifies which options to use when loading the given kernel module.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL