[lenovo-wwan-dpr] Changing "strict" confined snap to "classic" confined snap

Hello, I have created and published the “lenovo-wwan-dpr” snap as “strict” confined. Now I would like to change it to “classic” confined. The reason for doing this is mentioned in Dbus access denied while using "modem-manager" plug in snap

The above mentioned issue does not occur when the snap is “classic” confined. I have also discussed this with @abeato and the suggestion was to change this snap to classic confined.

Before working on changing “lenovo-wwan-dpr” to classic confined and publishing it in the “edge” channel, I would like to get feedback on whether it is acceptable to do this or not.

Any comment regarding this will be helpful.

Thank you

Hello @review-team, any comment regarding this will be helpful. Thank you

The issue with accessing modem-manager over dbus should be fixed with snapd 2.55.3 which only went stable today - can you please retest? I am pretty sure this issue can be solved without resorting to classic confinement but more information is likely going to be needed. Can you also please make sure to send through any denials which you see in dmesg?

@alexmurray Thank you for your comment. I had already retested by compiling snapd using the patch https://github.com/snapcore/snapd/commit/a47c423d49199d8d7e17439aab44ec6b43d8fdb6 and also by installing snapd 2.55.3 from the candidate channel today, but I am still able to reproduce this issue.

I can see the below log using journalctl | grep -i modem

dbus-daemon[609]: [system] Rejected send message, 6 matched rules; type="method_call", sender=":1.199" (uid=1000 pid=5866 comm="gnome-control-center " label="unconfined") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.18" (uid=0 pid=696 comm="/usr/sbin/ModemManager " label="unconfined")

gnome-control-c[5866]: Error connecting to ModemManager: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 6 matched rules; type="method_call", sender=":1.199" (uid=1000 pid=5866 comm="gnome-control-center " label="unconfined") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.18" (uid=0 pid=696 comm="/usr/sbin/ModemManager " label="unconfined")

gnome-control-c[5866]: Cannot grab information for modem at /org/freedesktop/ModemManager1/Modem/0: No ModemManager support

dbus-daemon[609]: [system] Rejected send message, 6 matched rules; type="method_call", sender=":1.199" (uid=1000 pid=5866 comm="gnome-control-center " label="unconfined") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.18" (uid=0 pid=696 comm="/usr/sbin/ModemManager " label="unconfined")

gnome-control-c[5866]: Error connecting to ModemManager: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 6 matched rules; type="method_call", sender=":1.199" (uid=1000 pid=5866 comm="gnome-control-center " label="unconfined") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.18" (uid=0 pid=696 comm="/usr/sbin/ModemManager " label="unconfined")

gnome-control-c[5866]: Cannot grab information for modem at /org/freedesktop/ModemManager1/Modem/0: No ModemManager support

systemd[1]: Stopping Modem Manager...

Any comment regarding this issue will be helpful. Thank you

Also, I can see the below error while using the command mmcli -L

nitin@nitin-ThinkPad-X1-Yoga-Gen-6:~/dpr-snap-wwan-master$ mmcli -L
error: couldn't create manager: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 6 matched rules; type="method_call", sender=":1.161" (uid=1000 pid=4723 comm="mmcli -L " label="unconfined") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.18" (uid=0 pid=874 comm="/usr/sbin/ModemManager " label="unconfined")

Thank you

Hello @alexmurray @review-team, I am ready to update the snap package to change it from “strict” to “classic” confined. It will be helpful if you can update your comment regarding this and whether I can publish it or not. Thank you

As per the Process for reviewing classic confinement snaps you need to describe not only why you believe classic confinement is required but also then detail which of the criteria for classic confinement your snap fits within. Then we need to determine if the snap fits within one of the supported categories for classic confinement.

However, I am a bit confused here about the errors you mention with strict confinement for your snap - can you provide details for how this can be reproduced and I can try and look into it - since the error mentions the process is unconfined which seems odd - is mmcli part of the lenovo-wwan-dpr snap? Can you please try and explain more what the setup of your snap is and what it is doing and I think we should be able to get it working under strict confinement.

It looks like there was an error in the fix.

It’s allowing ObjectManager access for the object path /org/freedesktop, while ModemManager exposes it at /org/freedesktop/ModemManager1:

[image]

I guess another fix is needed for the interface.

Ah indeed - good spotting @jamesh - so those rules should specify path=/org/freedesktop/ModemManager1 rather than the existing path=/org/freedesktop - perhaps that may be enough - but if more info could be provided as to how to reproduce these errors then I can try and validate this manually if needed.


The weird part is that it looks like the globs in this existing rule would allow ObjectManager access at that path anyway:

dbus (receive, send)
    bus=system
    path=/org/freedesktop/ModemManager1{,/**}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),
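
To check the glob arithmetic in that rule rather than eyeball it, here is an added example (written for this thread, not jamesh's code and not AppArmor's own matcher): it translates an AppArmor path glob into an anchored Python regex using the `*`, `**`, `?`, `[...]` and `{a,b}` meanings from apparmor.d(5), and then tests the two path= values under discussion against the object paths ModemManager exports. It deliberately does not model every corner of the real matcher (for instance whether `/**` may match an empty remainder), which does not change the result for the paths checked here.

```python
import re

# Added example: AppArmor path-glob (AARE, used by both file and dbus rules) to regex.
# Not AppArmor's own matcher; corner cases of the real implementation are simplified.


def apparmor_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one AppArmor glob into a compiled, fully anchored regex.

    *      any run of characters except '/'
    **     any run of characters, '/' included
    ?      exactly one character except '/'
    [...]  a character class (copied through; AppArmor and Python agree here)
    {a,b}  alternation, nesting allowed
    """
    out = []
    depth = 0  # current {...} nesting depth
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if pattern.startswith("**", i):
                out.append(".*")
                i += 2
                continue
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth > 0:
            out.append(")")
            depth -= 1
        elif c == "," and depth > 0:
            out.append("|")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end != -1:
                out.append(pattern[i:end + 1])
                i = end + 1
                continue
            out.append(re.escape(c))  # unterminated class: treat literally
        else:
            out.append(re.escape(c))
        i += 1
    if depth != 0:
        raise ValueError(f"unbalanced braces in AppArmor glob: {pattern!r}")
    return re.compile("^" + "".join(out) + "$")


def rule_matches_path(pattern: str, path: str) -> bool:
    """True if the AppArmor glob `pattern` covers the D-Bus object path `path`."""
    return apparmor_glob_to_regex(pattern).fullmatch(path) is not None


def covering_rules(rule_paths, object_path):
    """Return the subset of rule path globs that cover `object_path`."""
    return [p for p in rule_paths if rule_matches_path(p, object_path)]


if __name__ == "__main__":
    # The two path= values discussed in the thread, checked against the object
    # paths that ModemManager actually exports.
    rules = ["/org/freedesktop", "/org/freedesktop/ModemManager1{,/**}"]
    for target in ("/org/freedesktop/ModemManager1",
                   "/org/freedesktop/ModemManager1/Modem/0"):
        print(target, "<-", covering_rules(rules, target))
```

Running it shows that path=/org/freedesktop covers neither object path, while the existing `/org/freedesktop/ModemManager1{,/**}` glob covers both the manager object and the per-modem objects beneath it, which is exactly why the fixed rule alone does not explain the rejection.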

Thank you for this information. In order to reproduce this issue you will need any of the below WWAN supported systems:

  • ThinkPad X1 Yoga Gen 6
  • ThinkPad X1 Carbon Gen 9
  • ThinkPad X1 Nano Gen 1

If not, then may I know which WWAN supported ThinkPad product you have?

The functionality of the snap is as mentioned below:

  1. Perform FCC unlock, which enables the radio state as ON
  2. Set the correct SAR value in the WWAN module and maintain body SAR when the system is close to the body.

I have one of these but it doesn’t have a WWAN modem :frowning:

So I don’t think this is an issue with the snap - I just tried installing this snap and I get the same error but it is not due to AppArmor denying anything:

amurray@sec-focal-amd64:~$ mmcli -L
No modems were found
amurray@sec-focal-amd64:~$ sudo snap install lenovo-wwan-dpr
lenovo-wwan-dpr 1.0.2-wwan-dpr from Snap Linux Lenovo (lenovo-snap✓) installed
amurray@sec-focal-amd64:~$ mmcli -L
error: couldn't create manager: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 5 matched rules; type="method_call", sender=":1.93" (uid=1000 pid=2978 comm="mmcli -L " label="unconfined") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.14" (uid=0 pid=581 comm="/usr/sbin/ModemManager " label="unconfined")
amurray@sec-focal-amd64:~$ systemctl status snap.lenovo-wwan-dpr.wwan-dpr.service 
● snap.lenovo-wwan-dpr.wwan-dpr.service - Service for snap application lenovo-wwan-dpr.wwan-dpr
     Loaded: loaded (/etc/systemd/system/snap.lenovo-wwan-dpr.wwan-dpr.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Mon 2022-05-09 21:25:54 ACST; 7s ago
    Process: 2951 ExecStart=/usr/bin/snap run lenovo-wwan-dpr.wwan-dpr (code=exited, status=0/SUCCESS)
   Main PID: 2951 (code=exited, status=0/SUCCESS)

May 09 21:25:54 sec-focal-amd64 systemd[1]: Starting Service for snap application lenovo-wwan-dpr.wwan-dpr...
May 09 21:25:54 sec-focal-amd64 DPR_wwan[2951]: get_product(): WWAN DPR functionality is not supported in this product
May 09 21:25:54 sec-focal-amd64 DPR_wwan[2951]: DPR and FCC unlock App is not supported by Lenovo now
May 09 21:25:54 sec-focal-amd64 systemd[1]: snap.lenovo-wwan-dpr.wwan-dpr.service: Succeeded.
May 09 21:25:54 sec-focal-amd64 systemd[1]: Finished Service for snap application lenovo-wwan-dpr.wwan-dpr.
(failed reverse-i-search)`de': systemctl status snap.lenovo-wwan-dpr.wwan-^Cr.service 
amurray@sec-focal-amd64:~$ sudo dmesg | grep DENIED
[   58.635782] audit: type=1400 audit(1652097205.734:41): apparmor="DENIED" operation="open" profile="snap.lenovo-wwan-dpr.wwan-dpr" name="/sys/devices/virtual/dmi/id/product_family" pid=1775 comm="DPR_wwan" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

ie there is only one AppArmor denial and it is not for any DBus access - instead I suspect this is DBus policy itself - since if we run mmcli under root then it works:

amurray@sec-focal-amd64:~$ sudo mmcli -L
No modems were found

Also I don’t really see how making the snap classic would solve anything, since if I reinstall it in devmode then I still get the same error:

amurray@sec-focal-amd64:~$ sudo snap refresh --devmode lenovo-wwan-dpr --candidate
lenovo-wwan-dpr (candidate) 1.0.3-wwan-dpr from Snap Linux Lenovo (lenovo-snap✓) refreshed
amurray@sec-focal-amd64:~$ mmcli -L
error: couldn't create manager: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 5 matched rules; type="method_call", sender=":1.106" (uid=1000 pid=3824 comm="mmcli -L " label="unconfined") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.14" (uid=0 pid=581 comm="/usr/sbin/ModemManager " label="unconfined")

So I can’t see any good evidence that this is related to AppArmor - it could easily be due to the snapd dbus policy but that is a bigger issue I think.

Finally I even tested it as classic and it still didn’t work for me:

amurray@sec-focal-amd64:~$ sudo cp /var/lib/snapd/snaps/lenovo-wwan-dpr_5.snap .
amurray@sec-focal-amd64:~$ sudo chown amurray:amurray lenovo-wwan-dpr_5.snap 
amurray@sec-focal-amd64:~$ unsquashfs lenovo-wwan-dpr_5.snap 
Parallel unsquashfs: Using 1 processor
4336 inodes (4925 blocks) to write

[===========================================================================================================================================================================================================================-] 4925/4925 100%

created 4036 files
created 524 directories
created 298 symlinks
created 0 devices
created 0 fifos
amurray@sec-focal-amd64:~$ sed -i s/strict/classic/ squashfs-root/meta/snap.yaml
amurray@sec-focal-amd64:~$ snap pack squashfs-root

built: lenovo-wwan-dpr_1.0.3-wwan-dpr_amd64.snap
amurray@sec-focal-amd64:~$ 
amurray@sec-focal-amd64:~$ sudo snap install --dangerous --classic ./lenovo-wwan-dpr_1.0.3-wwan-dpr_amd64.snap 
lenovo-wwan-dpr 1.0.3-wwan-dpr installed
amurray@sec-focal-amd64:~$ snap info lenovo-wwan-dpr | grep installed:
installed:          1.0.3-wwan-dpr            (x1) 25MB classic
amurray@sec-focal-amd64:~$ mmcli -L
error: couldn't create manager: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 5 matched rules; type="method_call", sender=":1.107" (uid=1000 pid=4323 comm="mmcli -L " label="unconfined") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.14" (uid=0 pid=581 comm="/usr/sbin/ModemManager " label="unconfined")

So I really can’t see how classic confinement is going to solve this - can you please provide more info?
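
The distinction drawn in the session above is easy to lose when the journal is scrolling past: AppArmor writes audit records with apparmor="DENIED", whereas "Rejected send message, N matched rules; ..." comes from dbus-daemon's own <policy> engine, and the label= fields it prints are the AppArmor labels of the two peers. Here is an added example (written for this thread, not alexmurray's or snapd's code) that classifies log lines on exactly that basis and flags bus rejections where both peers are unconfined, i.e. the ones an AppArmor profile change cannot fix. The sample lines are adapted from the output quoted in this thread plus one unrelated systemd line.

```python
import re
from typing import Dict, List

# Added example: tell AppArmor denials apart from dbus-daemon policy rejections.
# apparmor="DENIED"           -> AppArmor audit record (operation= says what kind)
# "Rejected send message ..." -> dbus-daemon's busconfig <policy> engine; the
#                                label= fields are only the peers' AppArmor labels.

APPARMOR_RE = re.compile(r'apparmor="(?P<verdict>[A-Z_]+)"')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DBUS_RE = re.compile(
    r'Rejected send message, (?P<rules>\d+) matched rules; '
    r'type="(?P<type>[^"]*)", '
    r'sender="(?P<sender>[^"]*)" \(uid=(?P<s_uid>\d+) pid=(?P<s_pid>\d+) '
    r'comm="(?P<s_comm>[^"]*)" label="(?P<s_label>[^"]*)"\) '
    r'interface="(?P<interface>[^"]*)" member="(?P<member>[^"]*)" .*?'
    r'destination="(?P<destination>[^"]*)" \(uid=(?P<d_uid>\d+) pid=(?P<d_pid>\d+) '
    r'comm="(?P<d_comm>[^"]*)" label="(?P<d_label>[^"]*)"\)'
)


def classify(line: str) -> Dict[str, object]:
    """Return a dict describing who rejected the access recorded in `line`."""
    m = APPARMOR_RE.search(line)
    if m:
        kv = {k: (q or u) for k, q, u in KV_RE.findall(line)}
        op = str(kv.get("operation", ""))
        return {
            "source": "apparmor",
            "verdict": m.group("verdict"),
            "profile": kv.get("profile"),
            "operation": op,
            "name": kv.get("name"),
            "comm": kv.get("comm"),
            "denied_mask": kv.get("denied_mask"),
            # AppArmor's D-Bus mediation logs operation="dbus_..." records
            "dbus_related": op.startswith("dbus_"),
        }
    m = DBUS_RE.search(line)
    if m:
        d = m.groupdict()
        both_unconfined = d["s_label"] == "unconfined" and d["d_label"] == "unconfined"
        return {
            "source": "dbus-daemon",
            "matched_rules": int(d["rules"]),
            "sender_uid": int(d["s_uid"]),
            "sender_comm": d["s_comm"].strip(),
            "sender_label": d["s_label"],
            "destination_comm": d["d_comm"].strip(),
            "destination_label": d["d_label"],
            "interface": d["interface"],
            "member": d["member"],
            # If neither peer carries a snap profile, AppArmor was not the mediator.
            "apparmor_mediated": not both_unconfined,
        }
    return {"source": "other"}


def triage(lines: List[str]) -> Dict[str, int]:
    """Count lines per source; "dbus-policy-only" are bus rejections between
    two unconfined peers, which no AppArmor rule change can resolve."""
    counts = {"apparmor": 0, "dbus-daemon": 0, "dbus-policy-only": 0, "other": 0}
    for line in lines:
        r = classify(line)
        counts[str(r["source"])] += 1
        if r["source"] == "dbus-daemon" and not r["apparmor_mediated"]:
            counts["dbus-policy-only"] += 1
    return counts


# Constructed sample, adapted from the output quoted in this thread.
SAMPLE_LINES = [
    '[   58.635782] audit: type=1400 audit(1652097205.734:41): apparmor="DENIED" operation="open" '
    'profile="snap.lenovo-wwan-dpr.wwan-dpr" name="/sys/devices/virtual/dmi/id/product_family" '
    'pid=1775 comm="DPR_wwan" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'dbus-daemon[609]: [system] Rejected send message, 5 matched rules; type="method_call", '
    'sender=":1.93" (uid=1000 pid=2978 comm="mmcli -L " label="unconfined") '
    'interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" '
    'requested_reply="0" destination=":1.14" (uid=0 pid=581 comm="/usr/sbin/ModemManager " label="unconfined")',
    'systemd[1]: Stopping Modem Manager...',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(triage(SAMPLE_LINES))
```

On the sample input the only AppArmor record is the /sys read by DPR_wwan, and the mmcli rejection is classified as a bus-policy decision between two unconfined peers, matching the conclusion drawn above that the snap's confinement mode is not what is being enforced here.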

@alexmurray First of all thank you for checking this and your great support.

This feature is related to the WWAN modem and I haven’t tried it on a non-WWAN system. It’s good that you can see the error.

So I don’t think this is an issue with the snap - I just tried installing this snap and I get the same error but it is not due to AppArmor denying anything:

Sorry, but I really think this issue is related to snap, as this issue does not occur if I create a “deb” package for this app. And yes, this is not related to AppArmor, as I have also not seen an AppArmor issue.

it is not for any DBus access - instead I suspect this is DBus policy itself - since if we run mmcli under root then it works:

Ok.

So I can’t see any good evidence that this is related to AppArmor - it could easily be due to the snapd dbus policy but that is a bigger issue I think.

I have the same understanding that this is not related to AppArmor; instead it is related to dbus policy.

So I really can’t see how classic confinement is going to solve this - can you please provide more info?

I changed the confinement to “classic” in the snapcraft.yaml file and then ran the command “snap install --dangerous --classic lenovo*.snap”. In this scenario I did not get any error and the snap works perfectly OK. But if I change the confinement to “strict”, then this issue occurs. I am not sure what difference it makes to simply pass --classic while keeping the confinement as “strict” in the snapcraft.yaml file. Will it be the same behavior? I will also try it from my side.

Thank you

Please ignore the above comment, as I found out that you changed the yaml file from strict to classic while testing classic. I have again tried it on my WWAN supported system and it works using the classic snap. Please check the below steps and result:

  1. Confinement is strict in the snapcraft.yaml file
  2. Install the modified snap - Command: snap install --dangerous lenovo*.snap (this is the updated snap which I have not yet released)
  3. “mmcli -L” gives an error when not run as root, and it breaks gnome network settings
  4. Remove the installed snap - snap remove lenovo-wwan-dpr
  5. Change snapcraft.yaml to classic
  6. Install the classic snap - Command: snap install --dangerous --classic lenovo*.snap
  7. “mmcli -L” does not give an error when not run as root, and it does not break gnome network settings

Thank you

Please can you provide more complete details on the errors you see since I am not able to reproduce this locally, otherwise I don’t think I can help you very easily.