Auto-connection for home interface for docker snap

ijohnson · September 22, 2018, 6:33pm

Hi all,

I recently discovered that the home interface for a snap can allow processes running as root to read non-root files through the read: all property. I would like to enable this for the docker snap, and so I build the snap locally with this, installed it with --dangerous and --jailmode, then connected all the interfaces and this worked. However, when publishing this version to the store and installing it fresh, the home interface is disconnected initially and I can’t connect the interface at all, even manually:

$ sudo snap connect docker:home core:home
error: cannot perform the following tasks:
- Connect docker:home to core:home (connection denied by slot rule of interface "home")

I presume that this is because the snap declaration from the store hasn’t been updated to reflect the read: all parameter for the docker snap’s home interface plug. If this is the case, I would like to request that the snap declaration be updated.

Additionally, is there a way that I view a snap’s store declaration to see auto-connections and such and ensure that I don’t break anything with this? Luckily I haven’t released the snap to stable, but it would be nice to be able to see what a snap’s declaration is before I change any of the interfaces it plugs or attributes it sets, etc.

mwhudson · September 22, 2018, 8:56pm

You can see them in the assert file you get from snap download, for the docker snap I see

type: snap-declaration
format: 1
authority-id: canonical
revision: 11
series: 16
snap-id: sLCsFAO8PKM5Z0fAKNszUOX0YASjQfeZ
plugs:
  docker:
    allow-auto-connection: true
  docker-support:
    allow-auto-connection: true
    allow-installation: true
  firewall-control:
    allow-auto-connection: true
publisher-id: G5PF82zNx0UrL4zFjuxJgtoedVBajpIx
slots:
  docker:
    allow-auto-connection: false
    allow-connection: true
    allow-installation: true
snap-name: docker
timestamp: 2017-03-01T14:31:04.850753Z

jdstrand · September 24, 2018, 8:42pm

That’s correct. Can you give more detail as to why you need this functionality?

ijohnson · September 25, 2018, 2:54pm

For systems where a user installs the snap and doesn’t create the docker group and add their normal user to it, they are only allowed to use docker as sudo, in which case they can only build containers using sudo docker build when run inside root’s home directory, which is inconvenient for most folks to do.

Additionally, this is a feature which isn’t consistent with other distributions of docker, and so users often think that the docker snap is broken because they can’t use

sudo docker build $HOME/whatever

as they normally would with the deb for example.

jdstrand · September 28, 2018, 12:46pm

If there is no docker group, how can they use docker at all without sudo? The socket is meant to not be world read/write. If it is, that is a huge security hole in the snap since it means any user can trivially take own the device.

ijohnson · September 28, 2018, 12:48pm

You’re correct if there’s no docker group, then they have to use sudo.

My point being that when a user is in that situation where they have to use docker as sudo, they can only use files from /root/Dockerfile etc. which isn’t clear that’s the case and we get reports that the docker snap is broken because they can’t use sudo docker .... as I said before.

jdstrand · September 28, 2018, 5:44pm

Sorry, I missed your point.

+1 to auto-connect

jdstrand · October 9, 2018, 1:02pm

Not enough votes to tally. @alexmurray, @Wimpress, @mvo, @roadmr and/or @kyrofa - can one/all of you cast your vote?

kyrofa · October 9, 2018, 3:53pm

+1 to auto-connect from me as well. It seems a little odd that the interface couldn’t even be manually connected, is that something we can fix?

jdstrand · October 9, 2018, 5:12pm

2 votes for, 0 against. Granting auto-connection. This is now live.