Manual review request for Visual LVM

Hey @weLees can you please then update the latest revision so it passes automated review?

Thanks!

Hi Emitorino, the new (4.5.892) snap has been uploaded for review.

Hey @weLees,

Could you please explain what you are trying to achieve? I see you are still trying to access system files but you are using an incorrect plug declaration:

plugs:
  etc-lvm-backup:
    read:
    - /sys/devices
    write:
    - /dev 

Perhaps you forgot to remove this and its references as well?

Hi @weLees, this request is waiting on your response regarding a plug declaration, could you please provide some more information so we can try and proceed?

Hi @rayveldkamp, sorry for the long wait. We’ve tried our best to reduce the use of interfaces, but still couldn’t run the full functionality of Visual LVM. Visual LVM may need to run in Classic mode because it needs to modify system information. I would like to ask: if we want to release software in Classic mode, what qualifications need to be provided?

@weLees the Process for reviewing classic confinement snaps details the qualifications that need to be provided for classic confinement. However, there are still a number of unanswered questions from this thread - in particular you still have not explained why you feel the snap needs write access to all of /dev - if this was granted it would enable a snap to take ownership of the device it was installed on - as such this is a very sensitive permission, but you do not seem able to explain this request.

If you want your snap to be granted such expansive permissions you need to be able to explain this to the reviewers so that they can adequately assess the request.

Please can you take a closer look at this thread and answer the various questions in as much detail as possible so we can try and help you? Otherwise I don’t see how we can help if you are not able / willing to provide the requested information. Thanks.

Hi, thanks for your reply. About /dev: Visual LVM is an LVM manager, so it needs to detect/access block devices such as hdd/ssd/nvme to read the LVM information; some information can be got from the vg config file, and some from the head of the PV (disk or partition). In addition, in order to be compatible with lvm2, the related functions of lvm2 need to be called when performing operations, which means Visual LVM must also access some sensitive objects, such as /run/proc/… , /dev/mapper/…

Did you run your snap alongside snappy-debug in a second terminal yet to get interface suggestions? Normally the block-devices interface should give you all the access needed to all block devices on the system; you should not need to access all of /dev. Likewise there is a dm-crypt interface that gives you rw access to /dev/mapper/control, and most nodes under /proc already have a defined interface. The snappy-debug tool should have suggested all of them to you and given you alternatives for most/many things that will not require a manual review.


Yes, we’ve tested with snappy-debug. I will post detailed information about that soon.

@weLees,

Hey! could you try block-devices and dm-crypt interfaces as suggested?

Thanks!

Hi @emitorino, @ogra,
Thanks for your kind help. Ares has other tasks now; I handle the snap task now. With snappy-debug, we got the following messages:

= AppArmor =
Time: Apr 10 07:59:21
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:0/2:0:0:0/vendor" pid=2590 comm="vlvmserver" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:0/2:0:0:0/vendor (read)
Suggestions:
* adjust program to not access '/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:0/2:0:0:0/vendor'
* adjust program to not access '/sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/host[0-9]*/target[0-9]*:[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*:[0-9]*/vendor'

= AppArmor =
Time: Apr 10 07:59:21
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:1/2:0:1:0/model" pid=2590 comm="vlvmserver" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:1/2:0:1:0/model (read)
Suggestions:
* adjust program to not access '/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:1/2:0:1:0/model'
* adjust program to not access '/sys/devices/pci[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*.[0-9]*/host[0-9]*/target[0-9]*:[0-9]*:[0-9]*/[0-9]*:[0-9]*:[0-9]*:[0-9]*/model'

It is for getting information about the disk.

= AppArmor =
Time: Apr 10 07:59:22
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/dev/sdb1" pid=2590 comm="vlvmserver" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
File: /dev/sdb1 (write)

For reading LVM meta information

= AppArmor =
Time: Apr 10 07:59:22
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sbin/" pid=3210 comm="find" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sbin/ (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

To find what filesystems were supported in current system.

For the final error it looks like your snap is wanting to execute some binary from /sbin - instead please ensure your snap ships whatever binary it needs within itself and executes that one instead, as snaps are not allowed to execute binaries from the host machine (and the particular binary may not be available / installed anyway).

For the second error - you can use the block-devices interface to get access to /dev/sdb1 etc so please make sure your snap plugs this interface as well (and manually connect the interface after installing the snap).

Finally for access to the files under /sys/devices you should use the hardware-observe interface.

In the 3rd case, we just list files in /sbin.

Hey @isaac.clack,

To list files in /sbin you can plug the system-backup interface, since the entire host filesystem is mounted inside /var/lib/snapd/hostfs. This way your snap could read from /var/lib/snapd/hostfs/sbin.

Can you try that and let us know if there is yet another issue?
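An added example, not code from this thread or from the Visual LVM project: it automates the mapping the reviewers walk through above by parsing the AppArmor denial lines snappy-debug prints and grouping each denied path under the interface suggested in this thread (dm-crypt, block-devices, hardware-observe, system-observe, and system-backup with reads redirected to /var/lib/snapd/hostfs). The sample lines are constructed from the ones quoted in the thread, and the path-to-interface rules are an assumed reading of the reviewers' advice, not snapd's own suggestion table.

```python
import re

# Constructed sample: denial lines in the shape snappy-debug printed them in this thread.
SAMPLE_LOG = """\
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sys/devices/pci0000:00/0000:00:10.0/host2/target2:0:0/2:0:0:0/vendor" pid=2590 comm="vlvmserver" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/dev/sdb1" pid=2590 comm="vlvmserver" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/sbin/" pid=3210 comm="find" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/dev/mapper/control" pid=4199 comm="lvm" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/proc/partitions" pid=4204 comm="fdisk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# AppArmor audit fields are either key="quoted value" or key=bareword.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Path -> snap interface, as the reviewers advised in this thread; first match wins.
# Assumed mapping for illustration, not snapd's own suggestion table.
RULES = [
    (re.compile(r"^/dev/mapper/control$"), "dm-crypt"),
    (re.compile(r"^/dev/(sd|nvme|vd|hd)"), "block-devices"),
    (re.compile(r"^/sys/devices/"), "hardware-observe"),
    (re.compile(r"^/proc/partitions$"), "system-observe"),
    (re.compile(r"^/sbin/"), "system-backup"),  # then read /var/lib/snapd/hostfs/sbin instead
]


def parse_denial(line):
    """Turn one AppArmor audit line into a dict of its key/value fields."""
    fields = {}
    for k1, v1, k2, v2 in FIELD_RE.findall(line):
        fields[k1 or k2] = v1 if k1 else v2
    return fields


def suggest_interface(path):
    """Return the narrowest interface from RULES that covers this path, or None."""
    for pattern, iface in RULES:
        if pattern.search(path):
            return iface
    return None


def suggest_plugs(log_text):
    """Group denied paths by suggested interface. Paths left in 'unmatched' need a
    closer look (or a narrowly scoped system-files plug), not a blanket /dev grant."""
    plugs, unmatched = {}, []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d.get("apparmor") != "DENIED" or "name" not in d:
            continue
        iface = suggest_interface(d["name"])
        if iface:
            plugs.setdefault(iface, []).append(d["name"])
        else:
            unmatched.append(d["name"])
    return plugs, unmatched
```

Running `suggest_plugs(SAMPLE_LOG)` on the thread's denials yields one plug per interface and no unmatched paths, which is the plug list the reviewers converge on without any system-files write access to /dev.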

Thanks, we will try it.


@isaac.clack - have you made any progress in resolving these errors, using the suggested interfaces? Please let us know of any results, so that we can progress this request.

Hi, thanks for your attention. There seems to be something wrong with our new snapcraft.yaml:

grade: stable
confinement: strict
plugs:
  etc-lvm-backup:
    interface: system-files
    write:
      #[/dev]
      [/run/lvm,/run/lock/lvm]
    read:
      [/dev,/sys/devices,/etc/lvm/backup,/sbin]
      #[/run/lvm,/sys/firmware/dmi/tables,/sys/devices,/proc]

parts:
  visual-lvm-remote:
    plugin: dump

  integration:
    plugin: nil
    stage-packages: [lvm2,dmidecode,libdevmapper1.02.1]
passthrough:
  layout:
    /etc/visual_lvm:
      bind: $SNAP_DATA/etc/visual_lvm
    /etc/lvm:
      bind: $SNAP_DATA/etc/lvm

apps:
  start:
    plugs:
      [block-devices,network-bind,etc-lvm-backup,network,system-observe]
    command: bin/vlvmservice start $SNAP_DATA
  stop:
    plugs:
      [system-observe]
    command: bin/vlvmservice stop $SNAP_DATA

  restart:
    plugs:
      [block-devices,network-bind,etc-lvm-backup,network,system-observe]
    command: bin/vlvmservice restart $SNAP_DATA
  ip-refuse:
    command: bin/vlvmconsole -refuse $1 $2 -config_path $SNAP_DATA/
  ip-accept:
    command: bin/vlvmconsole -accept $1 $2 -config_path $SNAP_DATA/
  change-password:
    command: bin/vlvmconsole -chgpass -config_path $SNAP_DATA/
  change-port:
    command: bin/vlvmconsole -chgport $1 -config_path $SNAP_DATA/

hooks:
  install:
    plugs:
      [system-observe]
  remove:
    plugs:
      [system-observe]

When Visual LVM Remote starts, snappy-debug shows:

= AppArmor =
Time: Jun 12 13:00:57
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/dev/mapper/control" pid=4199 comm="lvm" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /dev/mapper/control (write)
Suggestion:
* add 'dm-crypt' to 'plugs'

= AppArmor =
Time: Jun 12 13:00:57
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/proc/partitions" pid=4204 comm="fdisk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/partitions (read)
Suggestions:
* adjust program to not access '@{PROC}/partitions'
* add 'system-observe' to 'plugs'

= AppArmor =
Time: Jun 12 13:00:57
Log: apparmor="DENIED" operation="open" profile="snap.visual-lvm-remote.start" name="/proc/partitions" pid=4209 comm="fdisk" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/partitions (read)
Suggestions:
* adjust program to not access '@{PROC}/partitions'
* add 'system-observe' to 'plugs'

And Visual LVM Remote shuts down; we think the script for this issue is:

#define ENUM_DISK (PCHAR) \
	"cmd='fdisk -l';" \
	"title=`$cmd |grep dev|head -1|awk '{print $1}'`;" \
	"list=`$cmd |grep $title|grep dev|awk '{print $2}'|sed 's/://'|sed 's@/dev/ram@@'|sed 's@/dev/loop@@'`;" \
	"result='';" \
	"for dev in `ls /dev/`; do " \
	"[ \"`echo $list|grep /dev/$dev`\" != '' ] && " \
	"[ ! -d /dev/$dev ]&&[ \"`cat /proc/mdstat|awk '{print $1}'|grep $dev`\" != \"$dev\" ]&&" \
	"echo /dev/$dev;" \
	"done" 

It enumerates all disk-class devices on the platform.

It’s so difficult to write system class app on snap.

Hi @isaac.clack, since you still seem to be having difficulties snapping your application, perhaps it would be more useful to create a new forum topic under the snap category where others can offer help and suggestions. Thanks.

Hi, I think it is a good idea. I will post a new thread after some snap testing work.

Hi @isaac.clack,

Could you make any progress? I don’t see any further topic being created for visual-lvm.

Thanks!