Manual review for snap

Hi. I’ve uploaded my snap to the store, but it is currently pending a manual review due to a warning. I read from this post that asking here can speed up the process. Can anybody do a review of that?

Also, I’ve asked for aliases for the snap yesterday in this post. I need my first revision to be reviewed for getting those aliases.

@admins Any progress?

I have moved your post into the correct category (store-requests) so the reviewers can actually see it in their queue at all …

@ogra @moderators The reason my snap failed “Automated Review” is because Snapcraft does not support files from “MIPS” architecture. As my snap contained exploits (it’s a security tool) for “MIPS” architecture, it failed the automated review. I actually got more warnings myself while building on my amd64 machine as it didn’t support both MIPS, ARM and i386 architecture exploits which were included in that snap.

I’ve already sent a manual review request on the store.

I figured out the actual cause of the problem. I just read this forum post and turns out that I’d set build-attributes: [keep-execstack] according to the suggestion of snapcraft builder.

I should’ve read online before setting that build attribute. Well, as mentioned by @jdstrand in this post snapcraft will clear the execstack of files automatically now that I’ve removed the build-attributes: [keep-execstack] line from my yaml, but I’m still getting the warning:-

And now the release status under Releases tab in store shows ReviewInProgress:-

How long will it take for this to get approved, or does it still mean it’s waiting for a manual review?

I suspect that snapcraft’s support for stripping execstack only works on the native architecture - since in this case metasploit includes binaries for other architectures that are non-amd64 then I don’t think it will be able to strip that itself. For now I have manually approved the various revisions but note that every future upload of your snap to the store will likely still get blocked for manual revision whilst these problematic files are still there. There are a number of ways this can be dealt with:

  1. Stick with the status quo and accept that each upload will get blocked and require manual intervention from the reviewers team
  2. Remove these files from the snap via something like the prime directive for the associated part with something like the following, but obviously then these will not be available for the snap to use and so will reduce its functionality a bit:
    prime:
      # remove files with execstack to keep review-tools happy
      - -opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.18/build/mips-linux-muslsf/bin/mettle
      - -opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.18/build/mips-linux-muslsf/bin/sniffer
      - -opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.18/build/mipsel-linux-muslsf/bin/mettle
      - -opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.18/build/mipsel-linux-muslsf/bin/sniffer
  3. Manually run execstack --clear-execstack on the affected files during the build so that hopefully this can remove this property and allow them to pass automated review (but note this is likely what snapcraft is already doing, which it seems is not working so this likely will also not actually work) - and I suspect this may then actually break the functionality of these libraries since they are likely execstack for a reason.
  4. Request to have an override added to the review-tools for the snap so that it can pass automated review

Thanks

1 Like
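
To see which files in a snap would trip the execstack check regardless of their architecture, the PT_GNU_STACK program header can be read directly from each ELF file. This is an added example, not part of the original thread and not code from snapcraft or review-tools; the function names and the big-endian sample ELF are constructed for illustration.

```python
import os
import struct

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

def execstack_status(data):
    """Classify bytes as 'execstack', 'clean', 'no-gnu-stack', 'malformed' or 'not-elf'."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        return "not-elf"
    is64 = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = ">" if data[5] == 2 else "<"  # EI_DATA: 2 = big endian (e.g. mips)
    try:
        if is64:
            (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        else:
            (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        for i in range(phnum):
            off = phoff + i * phentsize
            (p_type,) = struct.unpack_from(end + "I", data, off)
            if p_type == PT_GNU_STACK:
                # p_flags sits at offset 4 in Elf64_Phdr but at 24 in Elf32_Phdr
                (flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
                return "execstack" if flags & PF_X else "clean"
    except struct.error:                # headers truncated or outside the bytes read
        return "malformed"
    return "no-gnu-stack"               # stack permission left to the platform default

def scan(root):
    """Return sorted relative paths under root whose ELF header requests an executable stack."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:  # program headers sit near the start of the file
                if execstack_status(fh.read(1 << 20)) == "execstack":
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

def sample_elf32_be(stack_flags):
    """Constructed sample: minimal big-endian 32-bit ELF with one PT_GNU_STACK header."""
    ehdr = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack(">IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
```

Running `scan("prime")` in the snapcraft project directory after a build lists the files that still carry the flag, which is the set to exclude in `prime:` or to name in an override request.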

Thanks. Metasploit’s development is highly active on GitHub and new exploits are added every week, which means new stable releases every week. So, the first option is not viable for me.

I removed those files as you mentioned and now my snap passed the automatic review. But I checked those files and found that they were important for certain exploits to work. If someone using my snap during their penetration testing engagement, e.g. for exploiting a router running mipsel firmware, finds out that they don’t have what’s necessary for that scenario, I don’t want to be the person to be blamed for that.

So, the only viable option is the fourth one. I think getting approval for that must be difficult, that’s why you mentioned it last. But I think the snap package of Metasploit Framework is going to be popular among security testers once I finally get to release it into Stable. So, I hope I’ll eventually get approval for the override.

Now, the main reason why I started this topic, i.e. I want the aliases for Metasploit commands, and as you’ve mentioned in this post, now that there is a revision for the snap available, can you look into it? If the review process starts today, then I’ll have the aliases by next weekend. 🙂

1 Like