Good day! We would like to request auto-connect of the network-control plug for our snap, an adblocking DNS server, so it should be able to bind to a device and wait for incoming connections on that device. We're ready to respond to any concerns.
Original message, minus a link, below:
Good day! I'm one of the developers of AdGuardHome, a privacy-enhancing DNS server. Starting with one of our recent releases we require the CAP_NET_RAW capability on Linux systems to listen for UDP packets (DHCP, to be precise) on a particular
SO_BINDTODEVICE. We've added
to be the one we need, but that still doesn't seem to add
the capability, as we get a “permission denied” error in our
--devmode everything works
Are we missing something? Do we need some form of manual
network-manager is pretty much the opposite of what you are looking for, it gives you access to the dbus socket to talk to NM via dbus abstraction …
I think the network-control interface is providing CAP_NET_RAW … for the future though … just install the snappy-debug snap, run snappy-debug in one terminal and your application snap in another one, and watch the output of snappy-debug; that usually makes useful suggestions about which interfaces you need.
Thanks, this seems to work! We'll run some more validations and probably request auto-connect for that.
Good day! Is there any progress on this? Can we provide any additional information to speed up the process? Thanks!
network-control provides quite a bit of privilege - can you please show snappy-debug logs as suggested by @ogra above, when this interface is NOT connected - this will show what is denied and what interfaces can be used to allow that access - we can then determine the minimum privileges required, as there may be a more suitable interface to use instead of
Thanks for the suggestion and sorry for the long wait! Here is the full output:
$ sudo snap run snappy-debug
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
kernel.printk_ratelimit = 0
= AppArmor =
Time: Nov 30 21:38:30
Log: apparmor="DENIED" operation="capable" profile="snap.adguard-home.adguard-home" pid=63397 comm="AdGuardHome" capability=13 capname="net_raw"
* adjust program to not require 'CAP_NET_RAW' (see 'man 7 capabilities')
* add one of 'firewall-control, network-control, network-observe' to 'plugs'
* do nothing if program otherwise works properly
kernel.printk_ratelimit = 5
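As an added example (not part of this thread or of the AdGuardHome project), a small POSIX shell helper that does the triage @ogra and the reviewer asked for: it keeps only AppArmor "capable" denials from a snappy-debug/syslog capture, counts them per snap profile and capability, and maps net_raw to the three interfaces snappy-debug listed above. The log lines are constructed in the shape of the denial posted; the second profile and the open denial are made up to show filtering.

```shell
#!/bin/sh
# Constructed sample in the shape of the denial quoted above (not a real capture).
SAMPLE_LOG='Log: apparmor="DENIED" operation="capable" profile="snap.adguard-home.adguard-home" pid=63397 comm="AdGuardHome" capability=13 capname="net_raw"
Log: apparmor="DENIED" operation="open" profile="snap.adguard-home.adguard-home" pid=63397 comm="AdGuardHome" name="/etc/example.conf" requested_mask="r"
Log: apparmor="DENIED" operation="capable" profile="snap.adguard-home.adguard-home" pid=63401 comm="AdGuardHome" capability=13 capname="net_raw"
Log: apparmor="DENIED" operation="capable" profile="snap.example.example" pid=7 comm="example" capability=12 capname="net_admin"'

# Read log lines on stdin; print "profile capname count" for capability
# denials only, most frequent first (file/open denials are dropped).
denied_caps() {
  grep 'apparmor="DENIED"' | grep 'operation="capable"' \
    | sed -n 's/.*profile="\([^"]*\)".*capname="\([^"]*\)".*/\1 \2/p' \
    | sort | uniq -c \
    | awk '{ print $2, $3, $1 }' \
    | sort -k3,3nr -k1,1
}

# Interfaces snappy-debug itself suggested for net_raw in the output above;
# no other capability-to-interface mapping is on record in this thread.
suggest_interfaces() {
  case "$1" in
    net_raw) echo "firewall-control network-control network-observe" ;;
    *) echo "no mapping recorded here; check the snappy-debug suggestions" ;;
  esac
}

# Human-readable summary: one line per (profile, capability) pair.
report() {
  denied_caps | while read -r profile cap count; do
    printf '%s: %s denied %s time(s); candidate plugs: %s\n' \
      "$profile" "$cap" "$count" "$(suggest_interfaces "$cap")"
  done
}

printf '%s\n' "$SAMPLE_LOG" | report
```

Feed it a real capture with `sudo journalctl --output=short --follow --all | report` (the journalctl form snappy-debug itself prints above); repeat the run with the candidate interface connected until no capability denials remain.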
network-observe should also grant CAP_NET_RAW. Could you please test your snap with the network-observe interface and let us know if that solves your issue? If not, could you please post any denials you’re still getting?
Something weird is happening. I removed the network-control plug, added the network-observe plug without connecting it, but the snap continued to work. It only stopped working when I manually disconnected the network-bind plug. Is there some form of cache that I need to clean? I've already restarted and disabled-enabled it a few times. I'm at a loss, sorry.
@a.garipov no, there is no caching that I am aware of - can you please update the status on this? Is network-control still required/desired for this snap?
Sorry for a late response. I think the network-observe auto-connect, like @msalvatore proposed above, should do it for now.
@a.garipov, could you please update your request to reflect the new auto-connect for network-observe instead? Also, can you please confirm if your snap is working as expected so we can move forward with the voting process?
Hello, @emitorino! I will be able to do both closer to Monday. Will reply after I’ve done so.
Hello again! I can’t seem to edit the original message. Perhaps this forum has a time limit for such things? Or requires additional permissions? If so, should I open a new request and simply close this one?
As for our adguard-home snap, it looks like our DHCP server works fine with network-observe, including on the privileged ports.
+1 from me for auto-connect of
network-bind is already auto-connected so does not need a store declaration).
+1 for me for auto-connect of
adguard-home since it will provide net_raw as needed.
+2 votes for, 0 votes against. granting auto-connect of
adguard-home. This is now live.