Auto-connect of network control (Was: “How to have CAP_NET_RAW added to our binary?”)

Good day! We would like to request auto-connect of the network-control plug for our snap, adguard-home. It's an adblocking DNS server, so it should be able to bind to a device and wait for incoming connections on that device. We're ready to respond to any concerns.

Original message, minus a link, below:


Good day! I'm one of the developers of AdGuardHome, a privacy-enhancing DNS server. Starting with one of our recent releases, we require the CAP_NET_RAW capability on Linux systems to listen for UDP packets (DHCP, to be precise) on a particular interface through SO_BINDTODEVICE. We've added the network-manager plug, which seems to be the one we need, but that still doesn't seem to add the capability, as we get a “permission denied” error in our logs. With --devmode everything works as intended.

Are we missing something? Do we need some form of manual review? Thanks!

network-manager is pretty much the opposite of what you are looking for, it gives you access to the dbus socket to talk to NM via dbus abstraction …

I think the network-control interface is providing CAP_NET_RAW … for the future though … just install the snappy-debug snap, run snappy-debug in one terminal and your application snap in another one and watch the output of snappy-debug, that usually makes useful suggestions about which interfaces you need.

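The call the original post describes, as an added example that is not AdGuardHome's code: a Go UDP listener pinned to an interface with SO_BINDTODEVICE, plus a helper that tells an EPERM from the kernel's CAP_NET_RAW check (what a strictly confined snap sees without network-control, and what --devmode hides) apart from ordinary bind failures. The interface name lo and the ephemeral loopback port are constructed sample values.

```go
//go:build linux

package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"syscall"
)

// ListenUDPOnDevice opens a UDP socket bound to ifaceName with
// SO_BINDTODEVICE. Unlike binding to an address (network-bind), this
// setsockopt is gated on CAP_NET_RAW, which is why a strictly confined
// snap only gets it through the network-control interface.
func ListenUDPOnDevice(ifaceName, addr string) (net.PacketConn, error) {
	lc := net.ListenConfig{
		Control: func(network, address string, c syscall.RawConn) error {
			var sockErr error
			if err := c.Control(func(fd uintptr) {
				sockErr = syscall.SetsockoptString(int(fd),
					syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, ifaceName)
			}); err != nil {
				return err
			}
			return sockErr // surfaces EPERM/ENODEV as the listen error
		},
	}
	return lc.ListenPacket(context.Background(), "udp4", addr)
}

// ExplainBindError maps the socket error to the hint an operator needs:
// EPERM here means the capability was refused, not the port.
func ExplainBindError(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, syscall.EPERM):
		return "CAP_NET_RAW missing: under snapd, connect network-control"
	case errors.Is(err, syscall.ENODEV):
		return "interface does not exist"
	default:
		return "unexpected: " + err.Error()
	}
}

func main() {
	// Constructed sample: loopback device, ephemeral port (no port-67 privilege needed).
	pc, err := ListenUDPOnDevice("lo", "127.0.0.1:0")
	fmt.Println(ExplainBindError(err))
	if err == nil {
		pc.Close()
	}
}
```

Run it once inside the confined snap and once with network-control connected; the first line of output changes from the CAP_NET_RAW hint to ok, which is the same distinction snappy-debug reports from the denial log.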

Thanks, this seems to work! We'll run some more validations and probably request auto-connect for that.

Good day! Is there any progress on this? Can we provide any additional information to speed up the process? Thanks!

network-control provides quite a bit of privilege - can you please show snappy-debug logs as suggested by @ogra above, when this interface is NOT connected - this will show what is denied and what interfaces can be used to allow that access - we can then determine the minimum privileges required as there may be a more suitable interface to use instead of network-control. Thanks.