Classic confinement request: ncdu

ncdu is a utility that reads drive volumes and displays the utilisation. Using confinement works for systems with one drive and external storage, but extra drives are not accessible. I’ve tried different configurations for building the snap package to read all drives, but only classic confinement works as the software is intended.

Please consider this request.

hey @faramirza,

Which interfaces did you try already with no success? removable-media covers /media, /run/media and /mnt. I believe you might also need mount-observe.

Running snappy-debug can help you identify other interfaces needed.

You might wanna check the https://snapcraft.io/duf-utility and related discussions such as Alias duf on duf-utililty & auto connection and Classic confinement request for duf-utility.

@emitorino When I run snappy-debug, no errors are displayed when I get the error I want to fix.

Error: could not open /var/lib/snapd/void


This happens when I’m trying to execute the application on an extra HDD that is not a USB.
/dev/mapper/sda /Data ext4 defaults 0 0

Here are the plugs that were tried and failed:

plugs:
  - home
  - removable-media
  - mount-observe
  - system-backup

The previous developer also tried in vain to get approval here:
Interface approval for ncdu snap
Is the purpose of classic confinement not for applications that are not able to use strict confinement?

The errors I do see in Snappy-debug are:

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/.java/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/.java/ (read)
Suggestions:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
  • add ‘personal-files (…the-personal-files-interface for acceptance criteria)’ to ‘plugs’

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/.synaptic/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/.synaptic/ (read)
Suggestions:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
  • add ‘personal-files (see …/the-personal-files-interface for acceptance criteria)’ to ‘plugs’

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/snap/hw-probe/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/snap/hw-probe/ (read)
Suggestion:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/snap/remmina/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/snap/remmina/ (read)
Suggestion:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/snap/certbot/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/snap/certbot/ (read)
Suggestion:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/snap/grex/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/snap/grex/ (read)
Suggestion:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/snap/fwupd/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/snap/fwupd/ (read)
Suggestion:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/snap/nmap/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/snap/nmap/ (read)
Suggestion:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/snap/htop/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/snap/htop/ (read)
Suggestion:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jul 19 08:11:17
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/snap/multipass/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /root/snap/multipass/ (read)
Suggestion:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jul 19 08:11:45
Log: apparmor="DENIED" operation="capable" profile="snap.ncdu.ncdu" pid=23393 comm="ncdu" capability=2 capname="dac_read_search"
Capability: dac_read_search
Suggestions:

  • adjust program to not require ‘CAP_DAC_READ_SEARCH’ (see ‘man 7 capabilities’)
  • add one of ‘system-backup’ to ‘plugs’
  • do nothing if program otherwise works properly

= AppArmor =
Time: Jul 19 08:11:45
Log: apparmor="DENIED" operation="capable" profile="snap.ncdu.ncdu" pid=23393 comm="ncdu" capability=1 capname="dac_override"
Capability: dac_override
Suggestions:

  • adjust program to not require ‘CAP_DAC_OVERRIDE’ (see ‘man 7 capabilities’)
  • add one of ‘log-observe’ to ‘plugs’
  • do nothing if program otherwise works properly

I’ve reverted the snapcraft.yml to use strict confinement again but I cannot release as the builds are automatically rejected.
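
One way to triage AppArmor denials like the ones quoted above, as an added example that is not part of the original thread or of snappy-debug: it parses the `key=value` audit fields, keeps only `DENIED` entries for one profile, and separates file denials from capability denials. The sample lines are constructed from the format shown in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the snappy-debug "Log:" lines in the thread.
SAMPLE_LOG = """\
Log: apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/root/.java/" pid=23236 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Log: apparmor=“DENIED” operation=“open” profile=“snap.ncdu.ncdu” name="/root/snap/nmap/" pid=23236 comm=“ncdu” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0
Log: apparmor="DENIED" operation="capable" profile="snap.ncdu.ncdu" pid=23393 comm="ncdu" capability=2 capname="dac_read_search"
Log: apparmor="DENIED" operation="capable" profile="snap.ncdu.ncdu" pid=23393 comm="ncdu" capability=1 capname="dac_override"
Log: apparmor="ALLOWED" operation="open" profile="snap.ncdu.ncdu" name="/Data/" pid=23393 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/shadow" pid=100 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    # Forum and chat software often converts straight quotes to curly ones.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def summarise(log, profile):
    """Collect DENIED file paths (with mask) and capabilities for one profile."""
    paths, caps = {}, set()
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        if f.get("operation") == "capable":
            caps.add(f.get("capname", f.get("capability")))
        elif "name" in f:
            # Merge masks if the same path is denied more than once.
            merged = set(paths.get(f["name"], "")) | set(f.get("denied_mask", ""))
            paths[f["name"]] = "".join(sorted(merged))
    return {"paths": paths, "capabilities": sorted(caps)}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, "snap.ncdu.ncdu")
    for path, mask in sorted(report["paths"].items()):
        print(f"file  {mask:<3} {path}")
    for cap in report["capabilities"]:
        print(f"cap   {cap}")
```
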

@faramirza the latest revision uploaded to the store still has classic confinement specified:

confinement: classic

That’s why it is still automatically rejected. You need to update that section to be strict instead.

Did you fix the denials shared in your earlier comment?

Oops! Thanks for that. I forgot to change the yml from my local version. I’ve built a new release. I’m getting the error below:
What is /var/lib/snapd/void about?

This causes no error while running snappy-debug.

Is your snap trying to open all the paths in LD_LIBRARY_PATH? /var/lib/snapd/void is added to LD_LIBRARY_PATH for snaps to ensure that it is not empty so I assume this is where that is coming from?

@alexmurray This error only pops up when I run ncdu from a drive other than the one containing /.

In my fstab:
/dev/mapper/vgmint-root / ext4 errors=remount-ro 0
/dev/mapper/sda /Data ext4 defaults 0 0

ncdu works from / but not from /Data

ncdu is mostly used on headless servers and it would be imperative to see utilisation of all drives, as the software is intended.