AppArmor denial in interface hook

I have the following setup:

  • network-manager snap from the store
  • my snap which needs to create a WiFi connection through nmcli
  • Ubuntu Core system

As discussed in this thread, nmcli is bundled in my snap. Since the network-manager interface is not auto-connected, I’m running snap connect my-snap:network-manager network-manager:service first, and if I then run my-snap.setup (which calls a nmcli command to create the connection), everything works as expected.

I would like to shave off the manual my-snap.setup call though, and found out about interface hooks. To me it sounds like connect-plug-<interface name> would allow me to run the nmcli command after the interface has been connected and all permissions granted. My code:

# snap/hooks/connect-plug-network-manager
#!/bin/sh
# set -e
$SNAP/usr/bin/nmcli c add ... # connection setup command, I also tried with just nmcli

However, running snap connect my-snap:network-manager network-manager:service results in this AppArmor error:

error: cannot perform the following tasks:
- Run hook connect-plug-network-manager of snap "my-snap" (run hook "connect-plug-network-manager": (process:2394): nmcli-CRITICAL **: Error: Could not create NMClient object: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.1630" (uid=0 pid=2394 comm="nmcli c add type wifi ifname * con-name glancrsetu") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.3" (uid=0 pid=1306 comm="/snap/network-manager/379/usr/sbin/NetworkManager ").)

I tried adding the network-manager interface to the hook's interfaces – though it should be granted by the time the hook is running:

# snapcraft.yaml
hooks:
  install:
    plugs: [network]
  connect-plug-network-manager:
    plugs: [network-manager]

I checked the AppArmor rules like @jdstrand suggested in Access nmcli command from network-manager via interface, and while my-snap.setup shows up as a peer, the hook does not.

Questions

  1. Can I run commands which depend on a manually-connected interface in the connect-plug- interface hook for this very connection?
  2. Do I need to specify the required interfaces for interface hooks in snapcraft.yaml?

What’s the generated snap.yaml like? Could you post that?
Also, snap version from where you’re trying it.

Thanks for the prompt reply.

The generated snap.yaml:

name: my-snap
version: 0.3.1
summary: '...'
architectures:
- armhf
confinement: strict
grade: devel
hooks:
  connect-plug-network-manager:
    plugs:
    - network-manager
  install:
    plugs:
    - network
apps:
  backend:
    command: command-backend.wrapper
    daemon: simple
    plugs:
    - network
    - network-bind
    - network-manager
  dns:
    command: command-dns.wrapper
    daemon: simple
    plugs:
    - network
    - network-bind
  nginx:
    command: command-nginx.wrapper
    daemon: forking
    plugs:
    - network
    - network-bind
  setup:
    command: command-setup.wrapper
    plugs:
    - network-manager
layout:
  $SNAP/api/Gemfile:
    bind-file: $SNAP_DATA/rails/Gemfile
  $SNAP/api/Gemfile.lock:
    bind-file: $SNAP_DATA/rails/Gemfile.lock
  $SNAP/api/db:
    bind: $SNAP_DATA/rails/db
  $SNAP/api/log:
    bind: $SNAP_DATA/rails/log
  $SNAP/api/tmp:
    bind: $SNAP_DATA/rails/tmp
  $SNAP/api/vendor:
    bind: $SNAP_DATA/rails/vendor

snap version output:

snap    2.36.3
snapd   2.36.3
series  16
kernel  4.4.0-1102-raspi2

Also tried with core --candidate so that snapd is at 2.37, but no success.
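
The peer check described in the first post, as an added example that is not part of the thread: it lists the D-Bus peer labels in a generated AppArmor profile and reports whether an app or hook label (snapd names hook labels snap.<snap>.hook.<hook>) is covered. The profile fragment is constructed and the label forms handled are assumptions about what snapd writes; on a device, pass a profile from /var/lib/snapd/apparmor/profiles/ as the first argument.

```shell
# Added example, not from the thread. Assumed peer label forms in a profile:
# "snap.x.app", "snap.x.{a,b}", "snap.x.*", or an unquoted word.
# peer_labels FILE: print each distinct peer label expression found in FILE.
peer_labels() {
    sed -n 's/.*peer=([^)]*label="\{0,1\}\([^")]*\).*/\1/p' "$1" | sort -u
}

# expr_matches PATTERN LABEL: succeed if PATTERN covers LABEL. The body is a
# subshell so the IFS and noglob changes do not leak to the caller.
expr_matches() (
    pat=$1 want=$2 ob='{' cb='}'
    case $pat in
        *"$ob"*"$cb"*)                         # alternation: snap.x.{a,b}
            pre=${pat%%"$ob"*} rest=${pat#*"$ob"}
            alts=${rest%%"$cb"*} post=${rest#*"$cb"}
            set -f; IFS=,
            for alt in $alts; do
                [ "$want" = "$pre$alt$post" ] && exit 0
            done
            exit 1 ;;
        *)  case $want in $pat) exit 0 ;; esac   # literal, or glob like snap.x.*
            exit 1 ;;
    esac
)

# label_allowed LABEL FILE: succeed if any peer rule in FILE covers LABEL.
label_allowed() (
    peer_labels "$2" | {
        while IFS= read -r pat; do
            if expr_matches "$pat" "$1"; then exit 0; fi
        done
        exit 1
    }
)

# Constructed fragment of a slot-side profile, used when no path is given.
sample_profile() {
cat <<'EOF'
dbus (receive, send)
    bus=system
    peer=(label="snap.my-snap.{backend,setup}"),
EOF
}

profile=${1:-}
[ -n "$profile" ] || { profile=$(mktemp); sample_profile > "$profile"; }
for tag in snap.my-snap.setup snap.my-snap.hook.connect-plug-network-manager; do
    if label_allowed "$tag" "$profile"; then echo "peer: $tag"; else echo "NOT a peer: $tag"; fi
done
```

A label reported as "NOT a peer" has no matching rule on that side of the connection, which is the state the first post describes for the hook.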