Calls to “hostnamectl set-hostname someNewHostname” get blocked by apparmor
I am struggling to make use of the hostname-control interface from within my snap to set the hostname of the system. I have a Raspberry box. There is a snap running that contains a REST API server. It's .NET/C# running with Mono. The server has an endpoint that takes a string with a new hostname as input from the user.
Once the endpoint is hit, it tries to execute the following code:
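using System.Diagnostics;

public static string SetSystemHostname(string newHostname)
{
    var proc = new Process
    {
        StartInfo = new ProcessStartInfo
        {
            FileName = "/usr/bin/hostnamectl",
            // newHostname is the string received by the REST endpoint, passed through as-is
            Arguments = $"set-hostname {newHostname}",
            UseShellExecute = false,
            RedirectStandardOutput = true,
            CreateNoWindow = true
        }
    };
    proc.Start();
    // Read the redirected output before waiting so a full pipe cannot block the child
    string output = proc.StandardOutput.ReadToEnd();
    proc.WaitForExit();
    return output;
}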
The code works when the snap is running in devmode and fails when the snap is in strict confinement.
Using hostnamectl just to get the hostname also works in strict confinement.
developer@localhost:~$ snap version
snap 2.43.3
snapd 2.43.3
series 16
kernel 4.15.0-1057-raspi2
developer@localhost:~$ snap info --verbose rest-api
name: rest-api
summary: api
health:
  status: unknown
  message: health has not been set
publisher: –
license: unset
description: |
  The new connected lighting solution.
services:
  rest-api: simple, enabled, active
notes:
  private: false
  confinement: strict
  devmode: false
  jailmode: false
  trymode: false
  enabled: true
  broken: false
  ignore-validation: false
base: core18
refresh-date: today at 12:08 UTC
installed: 0.0.55f4a (x1) 22MB -
The snap is configured as a daemon. From the “snapcraft.yaml” file:
apps:
  rest-api:
    command: start-api.sh
    daemon: simple
    restart-condition: always
    plugs:
      - network-bind
      - hostname-control
I connect the hostname-control interface manually.
sudo snap connect rest-api:hostname-control :hostname-control
snappy-debug output:
developer@localhost:~$ sudo journalctl --output=short --follow --all | sudo snappy-debug.security scanlog rest-api
= AppArmor =
Time: Mar 29 12:14:28
Log: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.hostname1" member="SetPrettyHostname" mask="send" name="org.freedesktop.hostname1" pid=8441 label="snap.rest-api.rest-api"
DBus access
Suggestion:
* try adding 'hostname-control' to 'plugs'
= AppArmor =
Time: Mar 29 12:14:28
Log: apparmor="DENIED" operation="open" profile="snap.rest-api.rest-api" name="/proc/1/environ" pid=8441 comm="hostnamectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/1/environ (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/environ'
* do nothing if using systemd utility (eg, timedatectl):
* do nothing if program otherwise works properly
= AppArmor =
Time: Mar 29 12:14:28
Log: apparmor="DENIED" operation="open" profile="snap.rest-api.rest-api" name="/proc/1/sched" pid=8441 comm="hostnamectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/1/sched (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/sched'
= AppArmor =
Time: Mar 29 12:14:28
Log: apparmor="DENIED" operation="capable" profile="snap.rest-api.rest-api" pid=8441 comm="hostnamectl" capability=12 capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl):
* do nothing ()
= AppArmor =
Time: Mar 29 12:14:28
Log: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.hostname1" member="SetPrettyHostname" mask="send" name="org.freedesktop.hostname1" pid=8441 label="snap.rest-api.rest-api"
DBus access
Suggestion:
* try adding 'hostname-control' to 'plugs'
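
Added example (not part of the original post and not snappy-debug's own code): a small Python triage of the denial lines above that collapses repeated entries and separates the D-Bus method denial on org.freedesktop.hostname1 from the file and capability denials. The function names are this example's own; the sample lines are copied from the log in the post.

```python
import re
from collections import Counter

# Denial lines copied from the snappy-debug output in the post.
SAMPLE_LOG = """\
Log: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.hostname1" member="SetPrettyHostname" mask="send" name="org.freedesktop.hostname1" pid=8441 label="snap.rest-api.rest-api"
Log: apparmor="DENIED" operation="open" profile="snap.rest-api.rest-api" name="/proc/1/environ" pid=8441 comm="hostnamectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.rest-api.rest-api" name="/proc/1/sched" pid=8441 comm="hostnamectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Log: apparmor="DENIED" operation="capable" profile="snap.rest-api.rest-api" pid=8441 comm="hostnamectl" capability=12 capname="net_admin"
Log: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.hostname1" member="SetPrettyHostname" mask="send" name="org.freedesktop.hostname1" pid=8441 label="snap.rest-api.rest-api"
"""

# key=value pairs; values are either double-quoted or bare tokens.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def classify(fields):
    """Reduce a parsed denial to (kind, target, access)."""
    op = fields.get("operation")
    if op == "dbus_method_call":
        target = f'{fields.get("interface", "?")}.{fields.get("member", "?")}'
        return ("dbus", target, fields.get("mask", ""))
    if op == "capable":
        return ("capability", fields.get("capname", "?"), "")
    return ("file", fields.get("name", "?"), fields.get("denied_mask", ""))

def summarize(log_text):
    """Count distinct denials; lines that are not AppArmor denials are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields.get("apparmor") == "DENIED":
            counts[classify(fields)] += 1
    return counts

def denied_dbus_methods(counts):
    """D-Bus methods the profile refused to let the snap send."""
    return sorted(target for kind, target, _ in counts if kind == "dbus")

if __name__ == "__main__":
    for (kind, target, access), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {kind:<10} {target} {access}")
```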