swupd-client icon indicating copy to clipboard operation
swupd-client copied to clipboard

Published 20 hours ago verified publisher icon clearlinux

add a check for an /etc/swupd/picky_repair.d/*.whitelist (or similar) for whitelisting

Open inmanturbo opened this issue 4 years ago • 2 comments

Cheers everyone. I have a little idea here.I might have more to add here later. I just wanted to bounce this off you first. So I'm simply opening this issue so that we have a place to discuss it.

System hackers and rogue devs will constantly be pushing at the bounds of swupd and the stateless design. Of course you want to use it, but you also want to be able to harness it.

Currenty, whitelisting a file or directory for swupd can done by creating a config under /etc/swupd/ and adding it to the picky_whitelist here:

[repair]
# Any path completely matching the POSIX extended regular expression is ignored
# by --picky, matched directories get skipped (string value)
# Example: /var|/etc/machine-id
# Default: /usr/lib/modules|/usr/lib/kernel|/usr/local|/usr/src
#picky_whitelist=[RE]

And/or in the same file under [diagnose]. As is touched on here.

The Problem

  • Having the whitelist represented by a single posix string can be cumbersome and difficult to manage
  • Automatically updating the whitelist requires all sorts of sed magic

The Proposal

  • Include /etc/swupd/picky_diagnose.d/*.whitelist
  • Include /etc/swupd/picky_repair.d/*.whitelist
  • ensure swupd will follow symlinks

Users and admins can then easily automatically update their diagnose and repair whitelists with commands, scripts or policies by adding a symlink or file to their respective directories. i.e:

sudo mkdir -p /etc/swupd/{whitelists-available/,picky_repair.d/}

echo "/usr/lib/python" | sudo tee -a /etc/swupd/whitelists-available/python.whitelist

sudo ln -s /etc/swupd/whitelists-available/python.whitelist /etc/swupd/picky_repair.d/

Possibly more on this later. Thanks for taking a look at it and may all your coding be stress and bug free!

inmanturbo avatar Jun 14 '20 18:06 inmanturbo

Clear Linux is nice for the most part. The one thing that I dislike is swupd repair restoring GL libraries on a system with NVIDIA driver. I haven't tried this but added the config. My question is will filenames in the regex be ignored by repair?

[repair]
picky_whitelist=/usr/lib/modules|/usr/lib/kernel|/usr/local|/usr/src|/usr/lib/libGL.so.1|/usr/lib32/libEGL.so|/usr/lib32/libEGL.so.1|/usr/lib32/libEGL.so.1.0.0|/usr/lib32/libGLESv1_CM.so|/usr/lib32/libGLESv1_CM.so.1|/usr/lib32/libGLESv1_CM.so.1.1.0|/usr/lib32/libGLESv2.so|/usr/lib32/libGLESv2.so.2|/usr/lib32/libGLESv2.so.2.0.0|/usr/lib32/libGL.so|/usr/lib32/libGL.so.1|/usr/lib32/libGL.so.1.2.0|/usr/lib64/libEGL.so|/usr/lib64/libEGL.so.1|/usr/lib64/libEGL.so.1.0.0|/usr/lib64/libGLESv1_CM.so|/usr/lib64/libGLESv1_CM.so.1|/usr/lib64/libGLESv1_CM.so.1.1.0|/usr/lib64/libGLESv2.so|/usr/lib64/libGLESv2.so.2|/usr/lib64/libGLESv2.so.2.0.0|/usr/lib64/libGL.so|/usr/lib64/libGL.so.1|/usr/lib64/libGL.so.1.2.0|/usr/bin/nvidia-modprobe

It would be awesome for swupd repair to not break the NVIDIA driver installation. Above, added /usr/lib/libGL.so.1 (lib dir) because the NVIDIA driver install makes a symbolic link to /opt/nvidia/lib64/libGL.so.1 and not sure if repair will remove it. The other GL files under /usr/lib/{lib32,lib64} are removed during the NVIDIA driver installation and reside under /opt/nvidia/{lib32,lib64}.

My wish is for swupd repair, when repairing devpkg-mesa, to not restore the GL files on systems running the NVIDIA driver.

# lsmod | grep '^nvidia'
nvidia_drm             53248  6
nvidia_modeset       1183744  7 nvidia_drm
nvidia              19738624  307 nvidia_modeset
nvidiafb               53248  0

Thank you.

Edit: See this post. The NVIDIA driver provides a nice speedup.

Edit: List of files to not restore during swupd repair.

# from /usr/lib, symbolic link added during NVIDIA driver installation
/usr/lib/libGL.so.1 -> /opt/nvidia/lib64/libGL.so.1

# from /usr/lib32
libEGL.so        libGLESv1_CM.so        libGLESv2.so        libGL.so
libEGL.so.1      libGLESv1_CM.so.1      libGLESv2.so.2      libGL.so.1
libEGL.so.1.0.0  libGLESv1_CM.so.1.1.0  libGLESv2.so.2.0.0  libGL.so.1.2.0

# from /usr/lib64
libEGL.so        libGLESv1_CM.so        libGLESv2.so        libGL.so
libEGL.so.1      libGLESv1_CM.so.1      libGLESv2.so.2      libGL.so.1
libEGL.so.1.0.0  libGLESv1_CM.so.1.1.0  libGLESv2.so.2.0.0  libGL.so.1.2.0

Edit: Also do not remove /usr/bin/nvidia-modprobe. It is a critical file and where NVIDIA looks for it (i.e. running clinfo as a non-root user).

marioroy avatar Nov 25 '21 02:11 marioroy

+1 to this issue, would be nice to have the NVIDIA's drivers to coexist in Clear Linux OS.

Gui2Barbieri avatar Mar 30 '22 14:03 Gui2Barbieri