Plugs for snap that requires to access syscalls

unprofessional · August 5, 2019, 10:40am

Hello all,

I try to create a snap for a software of mine (unprofession-al/proxyproxy on github) that needs to access a bunch of syscalls (basically the software need the syscalls in order to get noticed when network interface settings change). Find the details about the syscalls here: https://github.com/unprofession-al/proxyproxy/blob/master/netlink.go#L13.

All works certainly fine when the confinement is set to classic. Using strict seems to be a bit of a hassle. The networking stuff works nice (the software needs to bind to a port on localhost which is achieved by the network and network-bind plugs) but the syscalls are not recognized (which I tried to achieve with the network-observe and hardware-observe plugs). Find the current settings for the snap here: https://github.com/unprofession-al/proxyproxy/blob/master/.goreleaser.yml#L39

Is there any suggestion on how to allow the snap to receive those syscalls with confinement strict?

ijohnson · August 5, 2019, 1:29pm

Did you connect the network-observe interface?
What does snap connections $SNAP_NAME return (where $SNAP_NAME is the name of your snap)?

unprofessional · August 5, 2019, 3:54pm

Hi there. I guess the answer to the first question is ‘no’ but I am not sure…
snap connections $SNAP_NAME did not work (subcommand connections does not exist). Was it interfaces you wanted to ask for? The output is:

$ snap version
snap    2.37.1.1+18.04
snapd   2.37.1.1+18.04
series  16
ubuntu  18.04
kernel  4.18.0-15-generic

$ sudo snap interfaces proxyproxy
Slot           Plug
:network       gnome-calculator,gnome-logs,proxyproxy
:network-bind  proxyproxy
-              proxyproxy:hardware-observe
-              proxyproxy:network-observe

I found https://snapcraft.io/docs/supported-interfaces but I could not find a detailed documentation on what those plugs exactly allow or how to receive syscalls.

ijohnson · August 5, 2019, 4:27pm

It’s interesting that you’re running an older version of snapd and it hasn’t updated itself… Can you try running snap refresh core?

Anyways, yes snap interfaces also has the relevant information. In this case, the hardware-observe and network-observe interfaces have not been connected. You can connect them like so:

$ sudo snap connect proxyproxy:network-observe
$ sudo snap connect proxyproxy:hardware-observe

unprofessional · August 6, 2019, 6:30am

Thanks @ijohnson!

The connect worked but did not fix the issue of syscalls not reaching the app. Couple of questions here:

Why are network and network-bind connected automatically after start but not the *.observe ones? How can I make them autoconnect? I have no intend to reconnect the interfaces since I am certain that I want them connected and the software in worthless if it is not.
Again: How do I get the syscalls to reach my application?
Where can I find information on what the plugs actually do? The doc at https://snapcraft.io/docs/hardware-observe-interface et al. is insufficient since there is no hint an what reading and reporting of system hardware details actually means.

ogra · August 6, 2019, 1:05pm

a very detailed view is possible via the source code at:

ijohnson · August 6, 2019, 1:47pm

What denials do you see in the system journal? I.e. what is the output of journalctl -e --no-pager | grep DENIED when you snap is installed in strict mode and you try to run it?

unprofessional · August 20, 2019, 8:24am

Hello @ijohnson. Sorry for my late response… journalctl ... did the trick, I managed to find out. A request for auto-connect will arrive soon in the appropriate category.