How to figure out needed "plugs/permissions" etc?

I’m trying to figure out why my snap lighthouse works in “--dangerous” mode, but crashes when I install from the uploaded version.

I suspect, but don’t know for certain, that this is something that has to do with plugs and permissions.

When I “dmesg” I get the following output filtered on “lighthouse”:

sudo dmesg | grep lighthouse

[93059.910876] audit: type=1400 audit(1720259608.387:174960): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.hook.configure" pid=1172510 comm="apparmor_parser"
[93059.911438] audit: type=1400 audit(1720259608.387:174961): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.hook.post-refresh" pid=1172511 comm="apparmor_parser"
[93059.931858] audit: type=1400 audit(1720259608.407:174962): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.lcli" pid=1172512 comm="apparmor_parser"
[93060.009617] audit: type=1400 audit(1720259608.487:174963): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.lighthouse-daemon" pid=1172513 comm="apparmor_parser"
[93060.013496] audit: type=1400 audit(1720259608.491:174964): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.lighthouse" pid=1172543 comm="apparmor_parser"
[93064.526283] audit: type=1400 audit(1720259613.003:174965): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/proc/1172765/mountinfo" pid=1172765 comm="lighthouse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[93133.987548] audit: type=1400 audit(1720259682.462:177982): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/sys/fs/cgroup/system.slice/snap.lighthouse.lighthouse-daemon.service/cpu.max" pid=1172765 comm="tokio-runtime-w" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[93133.987564] audit: type=1400 audit(1720259682.462:177983): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/sys/fs/cgroup/system.slice/cpu.max" pid=1172765 comm="tokio-runtime-w" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[93261.653975] audit: type=1400 audit(1720259810.125:178000): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/proc/1183339/mountinfo" pid=1183339 comm="lighthouse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[93325.443665] audit: type=1400 audit(1720259873.917:178004): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/sys/fs/cgroup/system.slice/snap.lighthouse.lighthouse-daemon.service/cpu.max" pid=1183339 comm="tokio-runtime-w" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[93325.443676] audit: type=1400 audit(1720259873.917:178005): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/sys/fs/cgroup/system.slice/cpu.max" pid=1183339 comm="tokio-runtime-w" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[93842.506326] audit: type=1400 audit(1720260390.973:187355): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.lighthouse-daemon" pid=1217047 comm="apparmor_parser"
[93842.512750] audit: type=1400 audit(1720260390.981:187356): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.lighthouse" pid=1217049 comm="apparmor_parser"
[93842.514826] audit: type=1400 audit(1720260390.981:187357): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.lighthouse.lcli" pid=1217052 comm="apparmor_parser"
[93842.514902] audit: type=1400 audit(1720260390.981:187358): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.lighthouse.hook.post-refresh" pid=1217051 comm="apparmor_parser"
[93842.515642] audit: type=1400 audit(1720260390.985:187359): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.lighthouse.hook.configure" pid=1217050 comm="apparmor_parser"
[93843.234813] audit: type=1400 audit(1720260391.701:187362): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.lighthouse-daemon" pid=1217076 comm="apparmor_parser"
[93843.240737] audit: type=1400 audit(1720260391.709:187363): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.lighthouse" pid=1217078 comm="apparmor_parser"
[93843.241506] audit: type=1400 audit(1720260391.709:187364): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.lighthouse.lcli" pid=1217081 comm="apparmor_parser"
[96811.556816] audit: type=1400 audit(1720263360.004:215837): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.lighthouse" pid=1395725 comm="apparmor_parser"
[96811.717265] audit: type=1400 audit(1720263360.164:215838): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.hook.post-refresh" pid=1395727 comm="apparmor_parser"
[96811.751052] audit: type=1400 audit(1720263360.196:215839): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.lcli" pid=1395728 comm="apparmor_parser"
[96811.808370] audit: type=1400 audit(1720263360.256:215840): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.lighthouse-daemon" pid=1395729 comm="apparmor_parser"
[96811.810081] audit: type=1400 audit(1720263360.256:215841): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.hook.configure" pid=1395726 comm="apparmor_parser"
[96918.967603] audit: type=1400 audit(1720263467.411:218847): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/proc/1403632/mountinfo" pid=1403632 comm="lighthouse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[96994.305824] traps: tokio-runtime-w[1403669] trap invalid opcode ip:5bde5a1945ee sp:74da52d868e8 error:0 in lighthouse[5bde57c2d000+25c1000]

I have no clear picture as to how I would go ahead and debug this. The locally built snap works 100% when installed.

How can I work out what plugs/slots/permissions etc. are needed?

Install the snappy-debug snap and run it alongside from a second terminal when starting your app.

It will make suggestions for plugs to use (always pick the least powerful one, i.e. if it offers network-control and network, you don’t want to use the -control one).


Ah, I got some nice output here I could perhaps use:

erik@frozen:~/snap-reth$ snappy-debug
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
WARN: could not find log mark, is syslog enabled?
= AppArmor =
Time: Jul  6 16:35:15
Log: apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/sys/fs/cgroup/system.slice/snap.lighthouse.lighthouse-daemon.service/cpu.max" pid=2151201 comm="tokio-runtime-w" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/system.slice/snap.lighthouse.lighthouse-daemon.service/cpu.max (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/system.slice/snap.lighthouse.lighthouse-daemon.service/cpu.max'

= AppArmor =
Time: Jul  6 16:35:15
Log: apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/sys/fs/cgroup/system.slice/cpu.max" pid=2151201 comm="tokio-runtime-w" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/system.slice/cpu.max (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/system.slice/cpu.max'

Now, that is helpful indeed.

But since I’m not in control of the software, I want to figure out what plugs I need to enable.

How would I do that, @ogra?

Do you control the snapcraft.yaml file which is used to build the snap package, or not? If not, then the only way is to send this output to the developer via email or another form of communication.
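As an added example (not part of the original thread, and not snappy-debug's own code): a small Python script that reduces dmesg output like the one in the first post to the distinct AppArmor denials per profile, so that records repeated on every restart collapse into one row. The sample lines are copied from the log quoted above; the function names and the `/proc/<pid>/` normalisation are choices made for this example.

```python
import re
from collections import defaultdict

# Sample records copied from the dmesg output quoted in the thread.
SAMPLE = '''\
[93059.931858] audit: type=1400 audit(1720259608.407:174962): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.lighthouse.lcli" pid=1172512 comm="apparmor_parser"
[93064.526283] audit: type=1400 audit(1720259613.003:174965): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/proc/1172765/mountinfo" pid=1172765 comm="lighthouse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[93133.987548] audit: type=1400 audit(1720259682.462:177982): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/sys/fs/cgroup/system.slice/snap.lighthouse.lighthouse-daemon.service/cpu.max" pid=1172765 comm="tokio-runtime-w" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[93133.987564] audit: type=1400 audit(1720259682.462:177983): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/sys/fs/cgroup/system.slice/cpu.max" pid=1172765 comm="tokio-runtime-w" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[93261.653975] audit: type=1400 audit(1720259810.125:178000): apparmor="DENIED" operation="open" class="file" profile="snap.lighthouse.lighthouse-daemon" name="/proc/1183339/mountinfo" pid=1183339 comm="lighthouse" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[96994.305824] traps: tokio-runtime-w[1403669] trap invalid opcode ip:5bde5a1945ee sp:74da52d868e8 error:0 in lighthouse[5bde57c2d000+25c1000]
'''.splitlines()

# key="quoted value" or key=bare_value pairs as they appear in audit records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key=value fields of one kernel log line as a dict."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD.findall(line)}


def summarize_denials(lines):
    """Group DENIED records by (profile, normalised path, denied mask)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set()})
    for line in lines:
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue  # skips STATUS profile reloads and non-AppArmor lines such as "traps:"
        # The same /proc/<pid>/ file shows up under a new pid after every restart.
        path = re.sub(r"^/proc/\d+/", "/proc/<pid>/", rec.get("name", ""))
        key = (rec.get("profile", ""), path, rec.get("denied_mask", ""))
        groups[key]["count"] += 1
        groups[key]["comms"].add(rec.get("comm", ""))
    return dict(groups)


if __name__ == "__main__":
    for (profile, path, mask), g in sorted(summarize_denials(SAMPLE).items()):
        comms = ", ".join(sorted(g["comms"]))
        print(f'{g["count"]:3d}x {profile} [{mask}] {path} (comm: {comms})')
```

To use it on a live system, feed it the lines of `sudo dmesg` instead of `SAMPLE`; each resulting row is one distinct access to check against the suggestions snappy-debug prints.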