Auto-connect of network control (Was: “How to have CAP_NET_RAW added to our binary?”)

Good day! We would like to request auto-connect of the network-control plug for our snap, adguard-home. It's an adblocking DNS server, so it should be able to bind to a device and wait for incoming connections on that device. We're ready to respond to any concerns.

Original message, minus a link, below:


Good day! I'm one of the developers of AdGuardHome, a privacy-enhancing DNS server. Starting with one of our recent releases we require the CAP_NET_RAW capability on Linux systems to listen for UDP packets (DHCP, to be precise) on a particular interface through SO_BINDTODEVICE. We've added the network-manager plug, which seems to be the one we need, but that still doesn't seem to add the capability, as we get a “permission denied” error in our logs. With --devmode everything works as intended.

Are we missing something? Do we need some form of manual review? Thanks!

network-manager is pretty much the opposite of what you are looking for, it gives you access to the dbus socket to talk to NM via dbus abstraction …

I think the network-control interface is providing CAP_NET_RAW … for the future though … just install the snappy-debug snap, run snappy-debug in one terminal and your application snap in another one and watch the output of snappy-debug, that usually makes useful suggestions about which interfaces you need.


Thanks, this seems to work! We'll run some more validations and probably request auto-connect for that.

Good day! Is there any progress on this? Can we provide any additional information to speed up the process? Thanks!

network-control provides quite a bit of privilege - can you please show snappy-debug logs as suggested by @ogra above, when this interface is NOT connected - this will show what is denied and what interfaces can be used to allow that access - we can then determine the minimum privileges required as there may be a more suitable interface to use instead of network-control. Thanks.

Thanks for the suggestion and sorry for the long wait! Here is the full output:

$ sudo snap run snappy-debug
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
kernel.printk_ratelimit = 0
= AppArmor =
Time: Nov 30 21:38:30
Log: apparmor="DENIED" operation="capable" profile="snap.adguard-home.adguard-home" pid=63397 comm="AdGuardHome" capability=13  capname="net_raw"
Capability: net_raw
Suggestions:
* adjust program to not require 'CAP_NET_RAW' (see 'man 7 capabilities')
* add one of 'firewall-control, network-control, network-observe' to 'plugs'
* do nothing if program otherwise works properly

^C
kernel.printk_ratelimit = 5
$
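The denial above and the SO_BINDTODEVICE call from the original message can be reproduced outside a snap with the small Go program below. It is an added example, not AdGuardHome's or snapd's code; it assumes a Linux host and the loopback interface name "lo". If CapEff shows bit 13 set but setsockopt still returns EPERM, the block is the confinement policy (the AppArmor "capable" denial logged by snappy-debug) rather than a missing process capability.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// capNetRaw is the capability number AppArmor logged above ("capability=13 capname=net_raw").
const capNetRaw = 13

// hasCapability reports whether bit capNum is set in the CapEff line of a
// /proc/<pid>/status text (live or constructed).
func hasCapability(status string, capNum uint) (bool, error) {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), 16, 64)
		if err != nil {
			return false, err
		}
		return mask&(1<<capNum) != 0, nil
	}
	return false, errors.New("CapEff line not found")
}

// tryBindToDevice opens a UDP socket and applies SO_BINDTODEVICE, the call that
// needs CAP_NET_RAW. The raw setsockopt error is returned so the caller can tell
// EPERM (capability denied) from e.g. ENODEV (interface name does not exist).
func tryBindToDevice(iface string) error {
	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_DGRAM, 0)
	if err != nil {
		return err
	}
	defer syscall.Close(fd)
	return syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, iface)
}

func main() {
	status, _ := os.ReadFile("/proc/self/status")
	have, _ := hasCapability(string(status), capNetRaw)
	err := tryBindToDevice("lo") // assumed interface name
	fmt.Printf("CAP_NET_RAW in CapEff: %v; SO_BINDTODEVICE(lo): %v\n", have, err)
	if have && errors.Is(err, syscall.EPERM) {
		fmt.Println("capability present but denied: check the confinement (AppArmor) profile")
	}
}
```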

Hi, @a.garipov. network-observe should also grant CAP_NET_RAW. Could you please test your snap with the network-observe interface and let us know if that solves your issue? If not, could you please post any denials you’re still getting?

Something weird is happening. I removed the network-control plug, added the network-observe plug without connecting it, but the snap continued to work. It only stopped working when I manually disconnected the network-bind plug. Is there some form of cache that I need to clean? I've already restarted and disabled-enabled it a few times. I'm at a loss, sorry.

@a.garipov no there is no caching that I am aware of - can you please update the status on this? Is network-control still required/desired for this snap?

Sorry for the late response. I think the network-observe auto-connect, like @msalvatore proposed above, should do it for now.

@a.garipov, could you please update your request to reflect the new auto-connect for network-observe instead? Also, can you please confirm if your snap is working as expected so we can move forward with the voting process?

Thanks!

Hello, @emitorino! I will be able to do both closer to Monday. Will reply after I’ve done so.


Hello again! I can’t seem to edit the original message. Perhaps this forum has a time limit for such things? Or requires additional permissions? If so, should I open a new request and simply close this one?

As for our adguard-home snap, it looks like our DHCP server works fine with network-bind and network-observe, including on the privileged ports.

+1 from me for auto-connect of network-observe for adguard-home (network-bind is already auto-connected so does not need a store declaration).

+1 from me for auto-connect of network-observe for adguard-home since it will provide net_raw as needed.

+2 votes for, 0 votes against. Granting auto-connect of network-observe to adguard-home. This is now live.
