Autoconnect network-observe for ripping

The ripping snap is a ping toolbox that emulates the Cisco-style toolchain. It needs network-observe to be able to transmit pings (or AppArmor catches it) and I believe any user would expect this if installing.

@joedborg - for completeness, can you show the AppArmor denial that occurs when network-observe is not connected?

= AppArmor =
Time: Oct 01 12:04:20
Log: apparmor="DENIED" operation="create" profile="snap.ripping.ripping" pid=3369686 comm="ripping" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"
Suggestion:
* add one of 'firewall-control, network-control, network-observe' to 'plugs'

= Seccomp =
Time: Oct 01 12:04:20
Log: auid=1000 uid=1000 gid=1000 ses=3 pid=3369686 comm="ripping" exe="/snap/ripping/1/bin/ripping" sig=0 arch=c000003e 41(socket) compat=0 ip=0x7f3c63ce0667 code=0x50000
Syscall: socket
Suggestions:
* add account-control (if using NETLINK_AUDIT)
* add audio-playback (if using NETLINK_KOBJECT_UEVENT)
* add bluetooth-control (if using AF_{ALG,BLUETOOTH})
* add firewall-control (if using NETLINK_{FIREWALL,IP6_FW,NETFILTER,NF_LOG,ROUTE})
* add hardware-observe (if using NETLINK_{GENERIC,KOBJECT_UEVENT})
* add netlink-audit (if using NETLINK_AUDIT)
* add netlink-connector (if using NETLINK_CONNECTOR)
* add network (if using AF_INET{,6}, AF_CONN, NETLINK_ROUTE)
* add network-bind (if using AF_INET{,6}, NETLINK_ROUTE)
* add network-control (if using AF_{APPLETALK,BRIDGE,INET,INET6,IPX,PACKET,PPPOX,SNA}, NETLINK_{DNRTMSG,FIB_LOOKUP,GENERIC,INET_DIAG,ISCSI,KOBJECT_UEVENT,RDMA,ROUTE,XFRM})
* add network-observe (if using SOCK_RAW, AF_INET{,6}), NETLINK_{GENERIC,INET_DIAG,KOBJECT_UEVENT,ROUTE})
* add raw-usb (if using NETLINK_KOBJECT_UEVENT)
* add time-control (if using NETLINK_AUDIT)
* add unity7 (if using NETLINK_KOBJECT_UEVENT)
* add upower-observe (if using NETLINK_KOBJECT_UEVENT)
* add x11 (if using NETLINK_KOBJECT_UEVENT)


@alexmurray pasted above
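
A small triage script for denials like the one pasted above, added here as an example (it is not code from this thread or from snapd). It parses the AppArmor audit fields and flags raw ICMP socket creation, the operation a ping tool needs; the second log line and all function names are constructed for illustration.

```python
import re
import socket

# Denial line exactly as pasted in the thread above.
DENIAL = ('apparmor="DENIED" operation="create" profile="snap.ripping.ripping" '
          'pid=3369686 comm="ripping" family="inet" sock_type="raw" protocol=1 '
          'requested_mask="create" denied_mask="create"')
# Constructed line (not from the thread): an unrelated file-open denial.
OTHER = ('apparmor="DENIED" operation="open" profile="snap.example.example" '
         'name="/etc/hostname" pid=4242 comm="example" '
         'requested_mask="r" denied_mask="r"')

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Split an AppArmor audit message into a dict of key -> value."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}

def snap_from_profile(profile):
    """Return <name> from a snap.<name>.<app> profile, or None otherwise."""
    parts = profile.split(".")
    return parts[1] if len(parts) >= 3 and parts[0] == "snap" else None

def classify(line):
    """Summarise a denial; return None if the line is not an AppArmor denial."""
    f = parse_fields(line)
    if f.get("apparmor") != "DENIED":
        return None
    proto = f.get("protocol", "")
    # Raw ICMP/ICMPv6 socket creation is what the ripping denial shows
    # (family="inet" sock_type="raw" protocol=1).
    raw_icmp = (
        f.get("operation") == "create"
        and f.get("sock_type") == "raw"
        and f.get("family") in ("inet", "inet6")
        and proto.isdigit()
        and int(proto) in (socket.IPPROTO_ICMP, socket.IPPROTO_ICMPV6)
    )
    return {"snap": snap_from_profile(f.get("profile", "")),
            "comm": f.get("comm"),
            "operation": f.get("operation"),
            "raw_icmp_socket": raw_icmp}

if __name__ == "__main__":
    for sample in (DENIAL, OTHER):
        print(classify(sample))
```
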

+1 from me for auto-connect of network-observe. It’s reasonable to expect ripping to be able to send pings out of the box.

Can other @reviewers please vote?

+1 from me too since network-observe would appear to be the most appropriate way to allow use of raw sockets for ripping and this is a core piece of its functionality.

+2 votes for, 0 votes against, this is now live.

Thanks all! Much appreciated.