Auto-connect of network control (Was: “How to have CAP_NET_RAW added to our binary?”)

a.garipov · November 10, 2020, 8:29am

Good day! We would like to request auto-connect of the network-control plug for our snap, adguard-home. It's an adblocking DNS server, so it should be able to bind to a device and wait for incoming connections on that device. We're ready to respond to any concerns.

Original message, minus a link, below:

Good day! I'm one of the developers of AdGuardHome, a privacy-enhancing DNS server. Starting with one of our recent releases we require the CAP_NET_RAW capability on Linux systems to listen UDP packets (DHCP, to be precise) on a particular interface through SO_BINDTODEVICE. We've added the network-manager plug, which seems to be the one we need, but that still doesn't seem to add the capability, as we get a “permission denied” error in our logs. With --devmode everything works as intended.

Are we missing something? Do we need some form of manual review? Thanks!

ogra · November 5, 2020, 1:43pm

network-manager is pretty much the opposite of what you are looking for, it gives you access to the dbus socket to talk to NM via dbus abstraction …

i think the network-control interface is providing CAP_NET_RAW … for the future though … just install the snappy-debug snap, run snappy-debug in one terminal and your application snap in another one and watch the output of snappy-debug, that usually makes useful suggestions about which interfaces you need.

a.garipov · November 5, 2020, 5:12pm

Thanks, this seems to work! We'll run some more validations and probably request auto-connect for that.

a.garipov · November 18, 2020, 9:45am

Good day! Is there any progress on this? Can we provide any additional information to speed up the process? Thanks!

alexmurray · November 25, 2020, 4:27am

network-control provides quite a bit of privilege - can you please show snappy-debug logs as suggested by @ogra above, when this interface is NOT connected - this will show what is denied as what interfaces can be used to allow that access - we can then determine the minimum privileges required as there may be a more suitable interface to use instead of network-control. Thanks.

a.garipov · November 30, 2020, 6:42pm

Thanks for the suggestion and sorry for the long wait! Here is the full output:

$ sudo snap run snappy-debug
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
kernel.printk_ratelimit = 0
= AppArmor =
Time: Nov 30 21:38:30
Log: apparmor="DENIED" operation="capable" profile="snap.adguard-home.adguard-home" pid=63397 comm="AdGuardHome" capability=13  capname="net_raw"
Capability: net_raw
Suggestions:
* adjust program to not require 'CAP_NET_RAW' (see 'man 7 capabilities')
* add one of 'firewall-control, network-control, network-observe' to 'plugs'
* do nothing if program otherwise works properly

^C
kernel.printk_ratelimit = 5
$

msalvatore · December 1, 2020, 5:49pm

Hi, @a.garipov. network-observe should also grant CAP_NET_RAW. Could you please test your snap with the network-observe interface and let us know if that solves your issue? If not, could you please post any denials you’re still getting?

a.garipov · December 2, 2020, 6:39pm

Something weird is happening. I removed the network-control plug, added the network-observe plug without connecting it, but the snap continued to work. It only stopped working when I manually disconnected the network-bind plug. Is there some form of cache that I need to clean? I've already restarted and disabled-enabled it a few times. I'm at a loss, sorry.

alexmurray · January 6, 2021, 3:55am

@a.garipov no there is no caching that I am aware of - can you please update the status on this? Is network-control still required/desired for this snap?

a.garipov · January 13, 2021, 10:35am

Sorry for a late response. I think the network-observe auto-connect, like @msalvatore proposed above, should do it for now.

emitorino · January 28, 2021, 2:54pm

@a.garipov, could you please update your request to reflect the new auto-connect for network-observe instead? Also, can you please confirm if your snap is working as expected so we can move fw with the voting process?

Thanks!

a.garipov · January 29, 2021, 7:17pm

Hello, @emitorino! I will be able to do both closer to Monday. Will reply after I’ve done so.

a.garipov · February 1, 2021, 9:27am

Hello again! I can’t seem to edit the original message. Perhaps this forum has a time limit for such things? Or requires additional permissions? If so, should I open a new request and simply close this one?

As for our adguard-home snap, it looks like our DHCP server works fine with network-bind and network-observe, including on the privileged ports.

alexmurray · February 9, 2021, 6:09am

+1 from me for auto-connect of network-observe for adguard-home (network-bind is already auto-connected so does not need a store declaration).

emitorino · February 16, 2021, 10:15am

+1 for me for auto-connect of network-observe for adguard-home since it will provide net_raw as needed.

+2 votes for, 0 votes against. granting auto-connect ofnetwork-observe to adguard-home. This is now live.