Interface approval for ncdu snap

I’ve recently updated ncdu and added some interfaces to provide greater access to read file sizes across the system and needed to get human review/approval to add them officially.

human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (ncdu, system-files)
human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (ncdu, personal-files)

@popey directed me to open a new thread for this request. Thanks Alan!

I’ve moved this to Store Requests category, which I believe is the most appropriate for this request.

2 Likes

@kz6fittycent can you please outline what specific files (and whether read or write access for each) are being requested via system-files and personal-files for ncdu and why it requires these accesses?

Hi @alexmurray,

Thanks for helping me out.

My request might be pretty basic in terms of what you’re looking for but here goes:

  • ncdu is an improved version of du and some files at the root level [as the snap currently ships] aren’t readable, even with sudo
  • My request is in hopes that ncdu can get read-only access to these files so that accurate sizes for each can be reported

For example, running ncdu /var/log/audit should show sizes for audit logs on a server but if it can’t read it, it’s kind of useless.

Basically, ncdu will need read-only for anything in / (root).

Let me know if you need further input - I hope I can provide it.

Thanks again.

1 Like

Just touching base on this. Is there any more info needed?

If you require read-only for anything in / then I think the most feasible option would be to use the system-backup interface

2 Likes

Hey @kz6fittycent,

Could you analyze using the system-backup interface as suggested by @alexmurray?

Thanks!

1 Like

Let me check that out, will get back to you as soon as I can.

Not quite, sorry. This pattern repeats for anything requiring access to files from /

make sure to point your app config to /var/lib/snapd/hostfs/var/www

/ is mounted under /var/lib/snapd/hostfs as described in https://snapcraft.io/docs/the-system-backup-interface

1 Like

Well, that sort-of worked but it can’t see my zfs pools. And if this interface is incapable of seeing them, that’s a non-starter IMO.

This tool can be incredibly useful for sysadmins who want a quick and clean way of seeing what’s taking up space in various files/dirs. If it can’t see (read-only) into “everything”, then it’s not very useful.

1 Like

For the time being, I’m going to unpublish this snap since it’s not very useful “as-is”. Granted, it’s been in the store for a while now but I don’t think it’s any good - meaning that the snap I made isn’t any good.

@kz6fittycent other than zfs pools, is there anything else that you are not able to observe with system-backup? Perhaps we can augment this interface to allow that other information as well. Also, can you provide any more details regarding the inability to see zfs pools? Are there any AppArmor denials in dmesg / syslog? Thanks.

As far as what the snap is reporting, not much - see screenshot.

Here are my apparmor entries for ncdu when I tried to peer into my zfs pool:

cat syslog | grep ncdu
Oct 30 09:32:17 metroplex kernel: [839002.748990] audit: type=1400 audit(1604068337.582:292): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.ncdu" pid=646495 comm="apparmor_parser"
Oct 30 09:32:17 metroplex kernel: [839002.840791] audit: type=1400 audit(1604068337.674:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=646496 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.397516] audit: type=1400 audit(1604068338.230:296): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646510 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.402667] audit: type=1400 audit(1604068338.234:297): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646512 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.936308] audit: type=1400 audit(1604068368.770:304): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646702 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.940902] audit: type=1400 audit(1604068368.774:305): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646704 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.831465] audit: type=1400 audit(1604068377.662:316): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646764 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.835859] audit: type=1400 audit(1604068377.670:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646767 comm="apparmor_parser"
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138843] audit: type=1400 audit(1604068397.969:320): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/bus/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138846] audit: type=1400 audit(1604068397.969:321): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/irq/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138848] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138859] audit: type=1400 audit(1604068397.969:323): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/sys/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138886] audit: type=1400 audit(1604068397.969:324): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/tty/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138896] audit: type=1400 audit(1604068397.969:325): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/acpi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138923] audit: type=1400 audit(1604068397.969:326): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/scsi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138954] audit: type=1400 audit(1604068397.969:327): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/asound/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138970] audit: type=1400 audit(1604068397.969:328): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/driver/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I included everything associated with ncdu so you can see the when/where it gets DENIED. Which is right here:

Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Running sudo ncdu renders the same result.

The only thing I’m seeing in terms of denials - based on limited use - is viewing zfs pools. I can see everything else. I’m sure a user out there will find something else I’ve missed.

1 Like
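
An added example, not part of the original post: one way to reduce a syslog excerpt like the one above to the distinct paths a snap's AppArmor profile denied, which is the information a reviewer needs when deciding whether an interface should be extended. The log lines are constructed in the same format as the excerpt, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same kernel audit format as the excerpt above.
SAMPLE_LOG = """\
Oct 30 09:32:17 host kernel: [1.000000] audit: type=1400 audit(1604068337.582:292): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=100 comm="apparmor_parser"
Oct 30 09:33:17 host kernel: [2.000000] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=200 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 host kernel: [2.000100] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=200 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:18 host kernel: [3.000000] audit: type=1400 audit(1604068398.100:330): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=201 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 30 09:33:19 host kernel: [4.000000] audit: type=1400 audit(1604068399.000:331): apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/hostname" pid=300 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value, as they appear in audit records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def summarize_denials(log_text, profile):
    """Group DENIED events for one profile by (path, denied_mask)."""
    summary = defaultdict(lambda: {"count": 0, "fsuids": set()})
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        # Skip STATUS events (profile loads) and denials for other profiles.
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        if fields.get("profile") != profile:
            continue
        entry = summary[(fields.get("name", "?"), fields.get("denied_mask", "?"))]
        entry["count"] += 1
        # fsuid 0 appearing here means the denial also applies when run as root:
        # AppArmor confinement is enforced regardless of the caller's uid.
        entry["fsuids"].add(fields.get("fsuid"))
    return dict(summary)


if __name__ == "__main__":
    result = summarize_denials(SAMPLE_LOG, "snap.ncdu.ncdu")
    for (path, mask), entry in sorted(result.items()):
        print(f"{entry['count']:3d}  {mask:3s} {path}  fsuid={sorted(entry['fsuids'])}")
```
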

Maybe it’s already covered but ncdu should also be able to read anything including hidden files, links, in /home/$USER or anywhere else.

ncdu is a very handy tool!

2 Likes

Looks like we’re good there. I even checked several directories off root and the hidden files are showing up as one would expect.

1 Like

@kz6fittycent it seems you were able to make your snap work as expected. Can you please confirm?

No, I still can’t view zfs pools. This is really the last bit we need to address.

Can you provide any information on errors that you see when trying to access zfs pools, or AppArmor denials etc from the kernel log? What paths are needed to be able to see zfs pools?

@kz6fittycent - ping, can you please provide the requested information?