Internal debugging commands

This page documents some of the internal debugging commands. The nature of such commands is that they may change or disappear from version to version. Still, as long as they exist and can be used, they are described below.

snap debug confinement

available since snapd 2.31.1

This command prints a single word describing how snapd assesses the confinement support of the system as a whole. The output is strict if snapd has all the tools necessary to offer the best possible confinement for strictly confined snaps. Otherwise the output is partial, as not all of the features that could be used are available.

snap debug sandbox-features [--required FEATURE…]

available since snapd 2.33

This command prints detailed information about sandboxing technologies available to snapd. The output is presented as a set of lists, one for each security backend available in snapd. The elements of the lists are simple tags that identify the presence of a given feature.

The features have two sources: those advertised directly by the kernel are prefixed with kernel:, while all other features come from snapd itself, as higher-level constructs built on top of kernel features.

The command can also take a list of required features, in which case it acts as a simple test for scripting, reporting the result through its exit code.

The tags are described here for convenience:

apparmor

  • kernel:caps - apparmor can mediate access to kernel capabilities
  • kernel:dbus - apparmor can mediate access to dbus method calls and signals
  • kernel:domain - apparmor can set and switch security labels
  • kernel:file - apparmor can mediate access to files and directories
  • kernel:mount - apparmor can mediate mounting and unmounting
  • kernel:namespaces - apparmor supports apparmor-specific namespacing
  • kernel:network - apparmor can mediate the family of network sockets used
  • kernel:policy - apparmor policy can be inspected from userspace
  • kernel:ptrace - apparmor can mediate ptrace
  • kernel:query - apparmor supports label data queries
  • kernel:rlimit - apparmor can mediate resource limits
  • kernel:signal - apparmor can mediate UNIX signals

dbus

  • mediated-bus-access - snapd can generate DBus XML bus rules that control bus ownership and the message access control list

kmod

  • mediated-modprobe - snapd can load kernel modules on behalf of snaps

seccomp

  • bpf-argument-filtering - snapd can use BPF programs to filter system calls by argument values
  • kernel:allow - seccomp BPF program can allow a system call to execute
  • kernel:errno - seccomp BPF program can set an errno code
  • kernel:kill - seccomp BPF program can kill a process or thread
  • kernel:log - seccomp BPF program can log the use of a system call
  • kernel:trace - seccomp BPF program can notify a tracer program of a system call
  • kernel:trap - seccomp BPF program can send SIGSYS and not execute a system call

mount

  • freezer-cgroup-v1 - snapd puts all snap processes into a v1 hierarchy of the freezer cgroup and freezes processes for mount namespace modifications
  • layouts-beta - layouts are available as an experimental feature
  • mount-namespace - snapd puts all non-classically confined processes into a distinct mount namespace
  • per-snap-persistency - snapd persists the per-snap mount namespace across process executions
  • per-snap-profiles - snapd allows configuring the per-snap mount namespace with a fstab-like mount profile
  • per-snap-updates - snapd can update the per-snap mount namespace for running applications
  • per-snap-user-profiles - snapd allows configuring the per-snap, per-user mount namespace with a fstab-like mount profile
  • stale-base-invalidation - snapd automatically invalidates the preserved mount namespace when the base snap revision changes

udev

  • device-cgroup-v1 - snapd puts all snap processes into a v1 hierarchy of the device cgroup and uses it to control access to character and block devices
  • tagging - snapd uses udev rules to add new devices to existing device cgroups
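
The scripting use described above (requiring a set of features and acting on the exit code) can also be done against a saved report, for example when auditing several hosts' confinement support offline. The script below is an added example, not part of snapd or of this page; it assumes the report format "backend:  tag tag ..." that the command prints (one line per backend), uses a constructed sample report built from the tag lists above rather than output captured from a real host, and names its own helper functions (has_feature, missing_features) which are not snapd commands.

```shell
#!/bin/sh
# Added example (not snapd's own code): check a snapd sandbox-features report
# for required feature tags and report which ones are missing. The report
# format ("backend:  tag tag ...") is assumed from the page; the sample below
# is constructed from the documented tag lists, not captured from a host.

SAMPLE_REPORT='apparmor:  kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal
dbus:  mediated-bus-access
kmod:  mediated-modprobe
mount:  freezer-cgroup-v1 layouts-beta mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:  bpf-argument-filtering kernel:allow kernel:errno kernel:kill kernel:log kernel:trace kernel:trap
udev:  device-cgroup-v1 tagging'

# has_feature REPORT BACKEND TAG
# Returns 0 if the BACKEND line of REPORT lists TAG, 1 otherwise.
# Matching is per backend so that a tag such as kernel:caps is only accepted
# from the backend it belongs to.
has_feature() {
    report=$1
    backend=$2
    tag=$3
    printf '%s\n' "$report" | awk -v b="$backend:" -v t="$tag" '
        $1 == b { for (i = 2; i <= NF; i++) if ($i == t) found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_features REPORT BACKEND/TAG...
# Prints one "missing: backend/tag" line per absent feature and returns the
# number of missing features (0 means every required feature is present),
# which mirrors the pass/fail exit-code contract of --required for scripts.
missing_features() {
    report=$1
    shift
    missing=0
    for req in "$@"; do
        backend=${req%%/*}
        tag=${req#*/}
        if ! has_feature "$report" "$backend" "$tag"; then
            printf 'missing: %s\n' "$req"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Stand-alone demo against the constructed report. To check a live host,
# replace "$SAMPLE_REPORT" with "$(snap debug sandbox-features)".
if missing_features "$SAMPLE_REPORT" apparmor/kernel:caps seccomp/bpf-argument-filtering mount/per-snap-updates; then
    echo "all required sandbox features present"
else
    echo "confinement support is incomplete on this host"
fi
```

The per-backend match matters: a tag name alone is ambiguous because the same kernel: prefix appears under both apparmor and seccomp, so a check for "kernel:trap" should only be satisfied by the seccomp line. Returning the count of missing features (rather than just 0 or 1) lets a wrapper distinguish a single missing experimental feature from a host with no confinement support at all.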

snap debug get-base-declaration

available since snapd 2.23.6

This command prints the so-called base declaration that is stored in snapd. The base declaration is an assertion that governs the base policy for who can declare, connect or auto-connect any plug and slot on the system. This assertion is built into snapd, but the decisions taken based on it can also be influenced and overridden by other assertions, such as the per-snap snap-declaration assertions, which can alter the interface policy for a specific snap, e.g. by granting it access to an interface that is otherwise off-limits.