Bandwhich process id identification

I have published bandwhich which shows what processes are using network resources.

The snap runs now, thanks to the store allowing network-control.

I had completely forgotten a previous conversation about this snap, three years ago :skull:.

The problem we have now (and indeed had back then) is that the snap cannot resolve process IDs.

If you run sudo bandwhich the processes all show as <UNKNOWN>.


If you sudo /snap/bandwhich/current/bin/bandwhich (thus bypassing confinement), it works:


I have iteratively tried a bunch of interfaces which vaguely look like they might help, but none do. None of these fix the issue:

    - system-observe
    - physical-memory-observe
    - process-control
    - mount-observe
    - physical-memory-control
    - hardware-observe
    - system-backup

Is there a bug or missing interface?

Anything in snappy-debug?


Thanks for reminding me about snappy-debug! :smiley:

First I got this:

= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="open" class="file" profile="snap.bandwhich.bandwhich" name="/proc/276267/mountinfo" pid=276267 comm="bandwhich" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/276267/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'

= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.bandwhich.bandwhich" pid=276267 comm="display_handler" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

So I added and connected system-observe and mount-observe and re-ran. Same output in the application, no process names. Now I get this:

= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=282603 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)

= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="open" class="file" profile="snap.bandwhich.bandwhich" name="/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-68836d05-8c61-49da-ad85-48f5e48238c2.scope/cpu.max" pid=282603 comm="bandwhich" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-68836d05-8c61-49da-ad85-48f5e48238c2.scope/cpu.max (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-68836d05-8c61-49da-ad85-48f5e48238c2.scope/cpu.max'
* adjust program to not access '/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-[0-9]*d[0-9]*-[0-9]*c[0-9]*-[0-9]*da-ad[0-9]*-[0-9]*f[0-9]*e[0-9]*c[0-9]*.scope/cpu.max'

= AppArmor =
Time: 2023-09-21T12:3
Log: apparmor="DENIED" operation="capable" class="cap" profile="snap.bandwhich.bandwhich" pid=282603 comm="display_handler" capability=2  capname="dac_read_search"
Capability: dac_read_search
Suggestions:
* adjust program to not require 'CAP_DAC_READ_SEARCH' (see 'man 7 capabilities')
* add one of 'microstack-support, system-backup' to 'plugs'
* do nothing if program otherwise works properly

So I added system-backup and it’s the same.

= AppArmor =
Time: 2023-09-21T12:5
Log: apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=334512 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)

= AppArmor =
Time: 2023-09-21T12:5
Log: apparmor="DENIED" operation="open" class="file" profile="snap.bandwhich.bandwhich" name="/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-e7aad05d-8f86-42a1-98db-6cc92d7d6180.scope/cpu.max" pid=334512 comm="bandwhich" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-e7aad05d-8f86-42a1-98db-6cc92d7d6180.scope/cpu.max (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-e7aad05d-8f86-42a1-98db-6cc92d7d6180.scope/cpu.max'
* adjust program to not access '/sys/fs/cgroup/system.slice/snap.bandwhich.bandwhich-e[0-9]*aad[0-9]*d-[0-9]*f[0-9]*-[0-9]*a[0-9]*-[0-9]*db-[0-9]*cc[0-9]*d[0-9]*d[0-9]*.scope/cpu.max'

None of the remaining recommended plugs look right.

The snap-confine denial is a false positive and not actually something with your app, for the cpu.max thing I’d try a system-files interface and see if that solves it…

I used system-files to give it all of /proc and /sys, and while the cpu.max thing goes away, the app still won’t show process names.

Seems like that app is merely a wrapper around lsof -n -P -i4 -i6 +c 0, so I’d try to run it with snap run --strace='-vf -s256 -e openat' and look for errors.
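An added example, not from this thread and not part of bandwhich or snappy-debug: a small Python triage script that parses AppArmor DENIED records of the kind pasted above and separates denials raised under the snap's own profile from those raised under any other profile (such as snap-confine's, which the reply above calls a false positive). The sample records are constructed after the ones in this thread; the profile name passed to triage() is an assumption for the example.

```python
import re

# Constructed sample input, modelled on the snappy-debug lines pasted in this thread.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" class="file" profile="snap.bandwhich.bandwhich" name="/proc/276267/mountinfo" pid=276267 comm="bandwhich" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="ptrace" class="ptrace" profile="snap.bandwhich.bandwhich" pid=276267 comm="display_handler" requested_mask="read" denied_mask="read" peer="unconfined"
apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=282603 comm="snap-confine" capability=12  capname="net_admin"
apparmor="DENIED" operation="capable" class="cap" profile="snap.bandwhich.bandwhich" pid=282603 comm="display_handler" capability=2  capname="dac_read_search"
"""

# AppArmor audit records are key=value pairs; values are either bare tokens or double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of one apparmor="DENIED" record as a dict, or None for any other line."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def describe(d):
    """Summarise what was refused; which field names the resource depends on the class."""
    cls = d.get("class")
    if cls == "file":
        what = f"{d.get('name')} ({d.get('denied_mask')})"
    elif cls == "cap":
        what = "CAP_" + d.get("capname", "").upper()
    elif cls == "ptrace":
        what = f"peer={d.get('peer')} ({d.get('denied_mask')})"
    else:
        what = d.get("operation", "?")
    return f"{d.get('operation')}: {what}"

def triage(log_text, app_profile):
    """Split denials into those under the app's own profile ("app") and those under
    any other profile ("other"), e.g. snap-confine's, so they can be reviewed separately."""
    result = {"app": [], "other": []}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        bucket = "app" if d.get("profile") == app_profile else "other"
        result[bucket].append(describe(d))
    return result

if __name__ == "__main__":
    # Assumed profile name for the example; snap profiles are named snap.<snap>.<app>.
    for bucket, items in triage(SAMPLE_LOG, "snap.bandwhich.bandwhich").items():
        print(bucket)
        for item in items:
            print("  " + item)
```

To run it over a live system, feed it the raw audit or kernel log lines instead of SAMPLE_LOG; lines that are not DENIED records are ignored.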
