Interface required to access /proc/cmdline and character device /dev/abc

Hi team,

I would like to know the interface to access @{PROC}/@{pid}/cmdline and /dev/ for my snap.

Thanks

Accessing your own /proc/<pid>/cmdline is allowed by the default apparmor template. For reading cmdline of other processes you’ll need the system-observe interface. The interface is not auto-connected by default.

Which device?

Thanks for the quick response. Yes, I am registering a character device and I need an interface to access it. Is the custom-device interface applicable here?

What kind of device is it? What’s the device node name under /dev?

If you are unsure which interfaces your application needs, you can use the snappy-debug tool from the snappy-debug snap and run it alongside your snapped application; this will print suggestions for well-known interfaces (like system-observe above)…

Thanks for the input. I shall verify it and update back.

I have added the system-observe, hardware-observe & network-control interfaces and the issue is ruled, but after running with snappy debug -

I am seeing these issues repeatedly on screen -

= AppArmor =
Time: Mar 05 08:56:47
Log: apparmor="DENIED" operation="capable" profile="/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=8827 comm="snap-confine" capability=12 capname="net_admin"
Capability: net_admin
Suggestions:

= AppArmor =
Time: Mar 05 08:56:47
Log: apparmor="DENIED" operation="capable" profile="/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=8827 comm="snap-confine" capability=38 capname="perfmon"
Capability: perfmon
Suggestions:
  • adjust program to not require 'CAP_PERFMON' (see 'man 7 capabilities')
  • do nothing if program otherwise works properly

Do they impact the snap application working? Thanks,

No, they are false positives of the snap-confine command; you can ignore everything that is not directly related to your snap. snappy-debug also has some filter options to only have denials listed on a per-snap basis.

Okay, thank you for the quick response.
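
The per-snap triage described in the reply above, as an added example that is not part of the original thread: it parses AppArmor denial records and separates those raised under one snap's own profiles from unrelated ones such as snap-confine. The snap names `mysnap` and `mysnap2` and the `/dev/abc` and `/dev/null` records are constructed for illustration; the two snap-confine records are the ones quoted in the thread.

```python
import re

# Logs copied from rendered web pages often carry typographic quotes; normalise them.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for m in _FIELD.finditer(line.translate(_QUOTES)):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields if fields.get("apparmor") == "DENIED" else None

def split_denials(lines, snap_name):
    """Split denials into (this snap's, everything else).

    snapd names a snap's app profiles snap.<snap>.<app>; the trailing dot in
    the prefix keeps 'mysnap' from also matching 'mysnap2'.
    """
    prefix = f"snap.{snap_name}."
    mine, other = [], []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue  # headers, suggestions, ALLOWED (complain-mode) records
        (mine if d.get("profile", "").startswith(prefix) else other).append(d)
    return mine, other

# Sample input: first two records are from the thread, the rest are constructed.
SAMPLE = [
    "= AppArmor =",
    'Log: apparmor=“DENIED” operation=“capable” profile=“/snap/snapd/20671/usr/lib/snapd/snap-confine” pid=8827 comm=“snap-confine” capability=12 capname=“net_admin”',
    'Log: apparmor="DENIED" operation="capable" profile="/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=8827 comm="snap-confine" capability=38 capname="perfmon"',
    'Log: apparmor="DENIED" operation="open" profile="snap.mysnap.app" name="/dev/abc" pid=9001 comm="app" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
    'Log: apparmor="DENIED" operation="open" profile="snap.mysnap2.app" name="/dev/abc" pid=9002 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Log: apparmor="ALLOWED" operation="open" profile="snap.mysnap.app" name="/dev/null" pid=9001 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    mine, other = split_denials(SAMPLE, "mysnap")
    for d in mine:
        print(f"{d['profile']}: {d['operation']} {d.get('name', d.get('capname'))} "
              f"denied_mask={d.get('denied_mask', '-')}")
    print(f"ignored {len(other)} denial(s) from other profiles")
```
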

Hi,

Yes, I am trying to create a custom char driver inside /dev/ and my C code is trying to access it. So I would like to know the interface to access it. I should be able to read/write to this driver from the snap app.

Thanks, Shriya

Have you looked at the custom-device interface? The slot and the plug can be defined within the same snap, in which case you would then establish a connection by running: snap connect mysnap:plug-name mysnap:custom-device-slot.

Thanks for your input. Yes, I have gone through it.

As per the documentation, the custom-device slot needs to be part of the gadget snap and the custom-device plug should be referred to in the application snap? Is the implementation always the same? It would be great if you could point to an example where this has been implemented.

Thanks.

It does not. The documentation covers the most common case, but in practice the slot can be provided by the snap itself. See https://github.com/snapcore/snapd/pull/13521/files#diff-987626e55e6664d9cf20d636dfb29466d6f743094209d2bdf5179320370f9fc1 for an example. The same PR contains a test which connects the plug to the slot provided by the same snap.

Oh great!! Thanks a lot, I shall implement and update back on this.