Manual review request for Visual LVM

Hi, Visual LVM Remote 4.5 has been released, so we built the snapcraft package. Please review it.

BTW: how do we become a vetted publisher?

Thanks

Hello? Somebody? Anybody? Ohhhhhhhh

Your snap failed automated review as it still includes a system-files declaration which you have not had approved - please can you explain what access is required and why this is needed for your snap? Thanks.

Sorry, we added system-files by mistake; this interface has been removed in the new 4.5.892. Please review it.

Hey @weLees can you please then update the latest revision so it passes automated review?

Thanks!

Hi Emitorino, the new (4.5.892) snap has been uploaded for review.

Hey @weLees,

Could you please explain what you are trying to achieve? I see you are still trying to access system files but you are using an incorrect plug declaration:

plugs:
  etc-lvm-backup:
    read:
    - /sys/devices
    write:
    - /dev

Perhaps you forgot to remove this and its references as well?

Hi @weLees, this request is waiting on your response regarding a plug declaration, could you please provide some more information so we can try and proceed?

Hi @rayveldkamp, sorry for the long wait. We’ve tried our best to reduce the use of interfaces, but still couldn’t run the full functionality of Visual LVM. Visual LVM may need to run in classic mode because it needs to modify system information. I would like to ask: if we want to release software in classic mode, what qualifications need to be provided?

@weLees the Process for reviewing classic confinement snaps details the qualifications that need to be provided for classic confinement. However, there are still a number of unanswered questions from this thread - in particular you still have not explained why you feel the snap needs write access to all of /dev - if this was granted it would enable a snap to take ownership of the device it was installed on - as such this is a very sensitive permission, but you do not seem able to explain this request.

If you want your snap to be granted such expansive permissions you need to be able to explain this to the reviewers so that they can adequately assess the request.

Please can you take a closer look at this thread and answer the various questions in as much detail as possible so we can try and help you? Otherwise I don’t see how we can help if you are not able / willing to provide the requested information. Thanks.

Hi, thanks for your reply. About /dev: Visual LVM is an LVM manager, so it needs to detect/access block devices such as HDD/SSD/NVMe to read the LVM information; some information can be got from the VG config file, and some from the head of the PV (disk or partition). In addition, in order to be compatible with lvm2, the related functions of lvm2 need to be called when performing operations, which means Visual LVM must also access some sensitive objects, such as /run/proc/… and /dev/mapper/…

Did you run your snap alongside snappy-debug in a second terminal yet to get interface suggestions? Normally the block-devices interface should give you all the access needed to all block devices on the system; you should not need to access all of /dev … Likewise there is a dm-crypt interface that gives you rw access to /dev/mapper/control, and most nodes under /proc also already have a defined interface. The snappy-debug tool should have suggested all of them to you and given you alternatives for most/many things that will not require a manual review …


Yes, we’ve tested with snappy-debug. I will post detailed information about that soon.

@weLees,

Hey! Could you try the block-devices and dm-crypt interfaces as suggested?

Thanks!

Hi @emitorino, @ogra,
Thanks for your kind help. Ares has other tasks now; I handle the snap task now. With snappy-debug, we got the following messages:

= AppArmor =
Time: Apr 10 07:59:21
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:0/2:0:0:0/vendor" pid=2590 comm="vlvmserver" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:0/2:0:0:0/vendor (read)
Suggestions:
* adjust program to not access '/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:0/2:0:0:0/vendor'
* adjust program to not access '/sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/host[0-9]*/target[0-9]*:[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*:[0-9]*/vendor'

= AppArmor =
Time: Apr 10 07:59:21
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:1/2:0:1:0/model" pid=2590 comm="vlvmserver" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:1/2:0:1:0/model (read)
Suggestions:
* adjust program to not access '/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:1/2:0:1:0/model'
* adjust program to not access '/sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/host[0-9]*/target[0-9]*:[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*:[0-9]*/model'

It is for getting information about the disk.

= AppArmor =
Time: Apr 10 07:59:22
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/dev/sdb1" pid=2590 comm="vlvmserver" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
File: /dev/sdb1 (write)

For reading LVM metadata.

= AppArmor =
Time: Apr 10 07:59:22
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sbin/" pid=3210 comm="find" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sbin/ (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

To find what filesystems are supported in the current system.

For the final error it looks like your snap is wanting to execute some binary from /sbin - instead please ensure your snap ships whatever binary it needs within itself and executes that one instead, as snaps are not allowed to execute binaries from the host machine (and the particular binary may not be available / installed anyway).

For the second error - you can use the block-devices interface to get access to /dev/sdb1 etc so please make sure your snap plugs this interface as well (and manually connect the interface after installing the snap).

Finally for access to the files under /sys/devices you should use the hardware-observe interface.

For the 3rd case, we just list the files in /sbin.

Hey @isaac.clack,

To list files in /sbin you can plug the system-backup interface, since the entire host filesystem is mounted inside /var/lib/snapd/hostfs. This way your snap could read from /var/lib/snapd/hostfs/sbin.

Can you try that and let us know if there is yet another issue?
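As an added illustration (not code from this thread or from Visual LVM), here is a small script that parses AppArmor denial lines of the shape snappy-debug printed above and maps each denied path to the interface the reviewers recommended: /sys/devices to hardware-observe, block device nodes to block-devices, /dev/mapper/control to dm-crypt, and host directories such as /sbin to system-backup via /var/lib/snapd/hostfs. The rule table and the sample log are constructed for this example, and paths that match nothing are deliberately left unmapped rather than being folded into a broad system-files plug.

```python
import re

# One key=value field of an AppArmor log line; values may or may not be quoted.
_FIELD = re.compile(r'(\w+)="?([^" ]*)"?')

# Path pattern -> interface, following the reviewers' suggestions in this thread.
# This table is constructed for the example; check the snapcraft interface docs for your case.
_RULES = [
    (re.compile(r"^/sys/devices/"),        "hardware-observe"),
    (re.compile(r"^/dev/mapper/control$"), "dm-crypt"),
    (re.compile(r"^/dev/(sd|vd|nvme)"),    "block-devices"),
    (re.compile(r"^/(sbin|bin|usr)/"),     "system-backup (read it under /var/lib/snapd/hostfs)"),
]

# Constructed sample log, modelled on the snappy-debug output posted in the thread.
SAMPLE_LOG = """\
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:0/2:0:0:0/vendor" pid=2590 comm="vlvmserver" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:0/2:0:0:0/vendor (read)
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/dev/sdb1" pid=2590 comm="vlvmserver" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sbin/" pid=3210 comm="find" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""


def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED line as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return dict(_FIELD.findall(line))


def suggest_interface(denial):
    """Map a parsed denial to an interface name, or None if no rule matches its path."""
    path = denial.get("name", "")
    for pattern, iface in _RULES:
        if pattern.search(path):
            return iface
    return None


def summarize(log_text):
    """Collect {denied path: suggested interface} over a whole snappy-debug log."""
    needed = {}
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is not None:
            needed[denial["name"]] = suggest_interface(denial) or "unmapped: ask reviewers, do not widen to system-files"
    return needed


if __name__ == "__main__":
    for path, iface in summarize(SAMPLE_LOG).items():
        print(f"{path}\n    -> {iface}")
```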

Thanks, we will try it.


@isaac.clack - have you made any progress in resolving these errors, using the suggested interfaces? Please let us know of any results, so that we can progress this request.