Auto-connect of network control (Was: “How to have CAP_NET_RAW added to our binary?”)

Good day! We would like to request auto-connect of the network-control plug for our snap, adguard-home. It's an adblocking DNS server, so it should be able to bind to a device and wait for incoming connections on that device. We're ready to respond to any concerns.

Original message, minus a link, below:

Good day! I'm one of the developers of AdGuardHome, a privacy-enhancing DNS server. Starting with one of our recent releases we require the CAP_NET_RAW capability on Linux systems to listen UDP packets (DHCP, to be precise) on a particular interface through SO_BINDTODEVICE. We've added the network-manager plug, which seems to be the one we need, but that still doesn't seem to add the capability, as we get a “permission denied” error in our logs. With --devmode everything works as intended.

Are we missing something? Do we need some form of manual review? Thanks!

network-manager is pretty much the opposite of what you are looking for, it gives you access to the dbus socket to talk to NM via dbus abstraction …

i think the network-control interface is providing CAP_NET_RAW … for the future though … just install the snappy-debug snap, run snappy-debug in one terminal and your application snap in another one and watch the output of snappy-debug, that usually makes useful suggestions about which interfaces you need.


Thanks, this seems to work! We'll run some more validations and probably request auto-connect for that.

Good day! Is there any progress on this? Can we provide any additional information to speed up the process? Thanks!

network-control provides quite a bit of privilege - can you please show snappy-debug logs as suggested by @ogra above, when this interface is NOT connected - this will show what is denied as what interfaces can be used to allow that access - we can then determine the minimum privileges required as there may be a more suitable interface to use instead of network-control. Thanks.

Thanks for the suggestion and sorry for the long wait! Here is the full output:

$ sudo snap run snappy-debug
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
kernel.printk_ratelimit = 0
= AppArmor =
Time: Nov 30 21:38:30
Log: apparmor="DENIED" operation="capable" profile="snap.adguard-home.adguard-home" pid=63397 comm="AdGuardHome" capability=13  capname="net_raw"
Capability: net_raw
* adjust program to not require 'CAP_NET_RAW' (see 'man 7 capabilities')
* add one of 'firewall-control, network-control, network-observe' to 'plugs'
* do nothing if program otherwise works properly

kernel.printk_ratelimit = 5

Hi, @a.garipov. network-observe should also grant CAP_NET_RAW. Could you please test your snap with the network-observe interface and let us know if that solves your issue? If not, could you please post any denials you’re still getting?

Something weird is happening. I removed the network-control plug, added the network-observe plug without connecting it, but the snap continued to work. It only stopped working when I manually disconnected the network-bind plug. Is there some form of cache that I need to clean? I've already restarted and disabled-enabled it a few times. I'm at a loss, sorry.

@a.garipov no there is no caching that I am aware of - can you please update the status on this? Is network-control still required/desired for this snap?

Sorry for a late response. I think the network-observe auto-connect, like @msalvatore proposed above, should do it for now.

@a.garipov, could you please update your request to reflect the new auto-connect for network-observe instead? Also, can you please confirm if your snap is working as expected so we can move fw with the voting process?


Hello, @emitorino! I will be able to do both closer to Monday. Will reply after I’ve done so.

1 Like

Hello again! I can’t seem to edit the original message. Perhaps this forum has a time limit for such things? Or requires additional permissions? If so, should I open a new request and simply close this one?

As for our adguard-home snap, it looks like our DHCP server works fine with network-bind and network-observe, including on the privileged ports.

+1 from me for auto-connect of network-observe for adguard-home (network-bind is already auto-connected so does not need a store declaration).

+1 for me for auto-connect of network-observe for adguard-home since it will provide net_raw as needed.

+2 votes for, 0 votes against. granting auto-connect ofnetwork-observe to adguard-home. This is now live.

1 Like