Interface approval for ncdu snap

kz6fittycent · September 14, 2020, 6:23pm

I’ve recently updated ncdu and added some interfaces to provide greater access to read file sizes across the system and needed to get human review/approval to add them officially.

human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (ncdu, system-files)
human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (ncdu, personal-files)

@popey directed me to open a new thread for this request. Thanks Alan!

lucyllewy · September 14, 2020, 9:43pm

I’ve moved this to Store Requests category, which I believe is the most appropriate for this request.

alexmurray · September 15, 2020, 2:22am

@kz6fittycent can you please outline what specific files (and whether read or write access for each) are being requested via system-files and personal-files for ncdu and why it requires these accesses?

kz6fittycent · September 15, 2020, 10:53pm

Hi @alexmurray,

Thanks for helping me out.

My request might be pretty basic in terms of what you’re looking for but here goes:

ncdu is an improved version of du and some files at the root level [as the snap currently ships] aren’t readable, even with sudo
My request is in hopes that ncdu can get read-only access to these files so that accurate sizes for each can be reported

For example, running ncdu /var/log/audit should show sizes for audit logs on a server but if it can’t read it, it’s kind of useless.

Basically, ncdu will need read-only for anything in / (root).

Let me know if you need further input - I hope I can provide it.

Thanks again.

kz6fittycent · September 20, 2020, 8:16pm

Just touching base on this. Is there any more info needed?

alexmurray · September 23, 2020, 6:49am

If you require read-only for anything in / then I think the most feasible option would be to use the system-backup interface

emitorino · September 23, 2020, 4:13pm

Hey @kz6fittycent,

Could you analyze using the system-backup interface as suggested by @alexmurray?

Thanks!

kz6fittycent · September 25, 2020, 1:17am

Let me check that out, will get back to you as soon as I can.

kz6fittycent · September 25, 2020, 1:33am

Not quite, sorry. This pattern repeats for anything requiring access to files from /

Screenshot%20from%202020-09-24%2020-29-50

ogra · September 25, 2020, 8:47am

make sure to point your app config to /var/lib/snapd/hostfs/var/www

/ is mounted under /var/lib/snapd/hostfs as described in https://snapcraft.io/docs/the-system-backup-interface

kz6fittycent · September 25, 2020, 4:15pm

Well, that sort-of worked but it can’t see my zfs pools. And if this interface in incapable of seeing them, that’s a non-starter IMO.

This tool can be incredibly useful for sysadmins who want a quick and clean way of seeing what’s taking up space in various files/dirs. If it can’t see (read-only) into “everything”, then it’s not very useful.

kz6fittycent · October 2, 2020, 2:14am

For the time being, I’m going to unpublish this snap since it’s not very useful “as-is”. Granted, it’s been in the store for a while now but I don’t think it’s any good - meaning that the snap I made isn’t any good.

alexmurray · October 27, 2020, 8:08am

@kz6fittycent other than zfs pools, is there anything else that you are not able to observe with system-backup? Perhaps we can augment this interface to allow that other information as well. Also can you provide any more details regarding the inability to see zfs pools. Are there any AppArmor denials in dmesg / syslog? Thanks.

kz6fittycent · October 30, 2020, 2:44pm

As far as what the snap is reporting, not much - see screenshot.

Screenshot%20from%202020-10-30%2009-33-55

Here are my apparmor entries for ncdu when I tried to peer into my zfs pool:

cat syslog | grep ncdu
Oct 30 09:32:17 metroplex kernel: [839002.748990] audit: type=1400 audit(1604068337.582:292): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.ncdu" pid=646495 comm="apparmor_parser"
Oct 30 09:32:17 metroplex kernel: [839002.840791] audit: type=1400 audit(1604068337.674:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=646496 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.397516] audit: type=1400 audit(1604068338.230:296): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646510 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.402667] audit: type=1400 audit(1604068338.234:297): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646512 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.936308] audit: type=1400 audit(1604068368.770:304): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646702 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.940902] audit: type=1400 audit(1604068368.774:305): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646704 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.831465] audit: type=1400 audit(1604068377.662:316): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646764 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.835859] audit: type=1400 audit(1604068377.670:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646767 comm="apparmor_parser"
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138843] audit: type=1400 audit(1604068397.969:320): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/bus/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138846] audit: type=1400 audit(1604068397.969:321): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/irq/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138848] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138859] audit: type=1400 audit(1604068397.969:323): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/sys/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138886] audit: type=1400 audit(1604068397.969:324): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/tty/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138896] audit: type=1400 audit(1604068397.969:325): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/acpi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138923] audit: type=1400 audit(1604068397.969:326): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/scsi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138954] audit: type=1400 audit(1604068397.969:327): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/asound/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138970] audit: type=1400 audit(1604068397.969:328): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/driver/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I included everything associated with ncdu so you can see the when/where it gets DENIED. Which is right here:

Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Running sudo ncdu renders the same result.

The only thing I’m seeing in terms of denials - based on limited use - is viewing zfs pools. I can see everything else. I’m sure a user out there will find something else I’ve missed.

Coeur-Noir · November 2, 2020, 12:59am

Maybe it’s already covered but ncdu should also be able to read anything including hidden files, links, in /home/$USER or anywhere else.

ncdu is a very handy tool !

kz6fittycent · November 3, 2020, 3:44pm

Looks like we’re good there. I even checked several directories off root and the hidden files are showing up as one would expect.

Screenshot%20from%202020-11-03%2009-43-26

emitorino · November 10, 2020, 7:35pm

@kz6fittycent it seems you were able to make your work snap as expected. Can you please confirm?

kz6fittycent · November 11, 2020, 1:57pm

No, I still can’t view zfs pools. This is really the last bit we need to address.

alexmurray · November 25, 2020, 3:08am

Can you provide any information on errors that you see when trying to access zfs pools, or AppArmor denials etc from the kernel log? What paths are needed to be able to see zfs pools?

msalvatore · December 1, 2020, 5:04pm

@kz6fittycent - ping, can you please provide the requested information?