I try to create a snap for a software of mine (unprofession-al/proxyproxy on GitHub) that needs to access a bunch of syscalls (basically the software needs the syscalls in order to get noticed when network interface settings change). Find the details about the syscalls here: https://github.com/unprofession-al/proxyproxy/blob/master/netlink.go#L13.
All works certainly fine when the confinement is set to
strict seems to be a bit of a hassle. The networking stuff works nice (the software needs to bind to a port on localhost which is achieved by the network-bind plugs) but the syscalls are not recognized (which I tried to achieve with the hardware-observe plugs). Find the current settings for the snap here: https://github.com/unprofession-al/proxyproxy/blob/master/.goreleaser.yml#L39
Is there any suggestion on how to allow the snap to receive those syscalls with confinement
Did you connect the
snap connections $SNAP_NAME return (where $SNAP_NAME is the name of your snap)?
Hi there. I guess the answer to the first question is ‘no’ but I am not sure…
snap connections $SNAP_NAME did not work (subcommand connections does not exist). Was it interfaces you wanted to ask for? The output is:
$ snap version
$ sudo snap interfaces proxyproxy
I found https://snapcraft.io/docs/supported-interfaces but I could not find a detailed documentation on what those plugs exactly allow or how to receive syscalls.
It’s interesting that you’re running an older version of snapd and it hasn’t updated itself… Can you try running snap refresh core?
snap interfaces also has the relevant information. In this case, the network-observe interfaces have not been connected. You can connect them like so:
$ sudo snap connect proxyproxy:network-observe
$ sudo snap connect proxyproxy:hardware-observe
connect worked but did not fix the issue of syscalls not reaching the app. Couple of questions here:
network-bind connected automatically after start but not the *.observe ones? How can I make them autoconnect? I have no intent to reconnect the interfaces since I am certain that I want them connected and the software is worthless if it is not.
Again: How do I get the syscalls to reach my application?
Where can I find information on what the plugs actually do? The doc at https://snapcraft.io/docs/hardware-observe-interface et al. is insufficient since there is no hint on what reading and reporting of system hardware details actually means.
a very detailed view is possible via the source code at:
What denials do you see in the system journal? I.e. what is the output of journalctl -e --no-pager | grep DENIED when your snap is installed in strict mode and you try to run it?
Hello @ijohnson. Sorry for my late response…
journalctl ... did the trick, I managed to find out. A request for auto-connect will arrive soon in the appropriate category.
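
The journal check suggested above, as an added example that is not part of the original thread: a small Python filter that groups AppArmor DENIED records for one snap and, going beyond the grep, also counts seccomp records (audit type 1326), which do not contain the word DENIED. The sample journal lines are constructed, and the script name and function names are hypothetical.

```python
import re
import sys
from collections import Counter

# Constructed sample records in the kernel audit format (not output from the thread).
SAMPLE_JOURNAL = """\
Jan 01 10:00:01 host kernel: audit: type=1400 audit(1546336801.123:101): apparmor="DENIED" operation="create" profile="snap.proxyproxy.proxyproxy" pid=4242 comm="proxyproxy" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Jan 01 10:00:01 host kernel: audit: type=1400 audit(1546336801.130:102): apparmor="DENIED" operation="create" profile="snap.proxyproxy.proxyproxy" pid=4242 comm="proxyproxy" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
Jan 01 10:00:02 host kernel: audit: type=1326 audit(1546336802.001:103): auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="proxyproxy" exe="/snap/proxyproxy/x1/proxyproxy" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f0000000000 code=0x0
Jan 01 10:00:03 host kernel: audit: type=1400 audit(1546336803.001:104): apparmor="DENIED" operation="open" profile="snap.othersnap.app" name="/proc/1/status" pid=5000 comm="app" requested_mask="r" denied_mask="r"
Jan 01 10:00:04 host kernel: audit: type=1400 audit(1546336804.001:105): apparmor="ALLOWED" operation="open" profile="snap.proxyproxy.proxyproxy" name="/etc/hosts" pid=4242 comm="proxyproxy" requested_mask="r" denied_mask="r"
Jan 01 10:00:05 host systemd[1]: Started Session 2 of user alice.
"""

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
APPARMOR_KEYS = ("operation", "family", "sock_type", "name", "denied_mask")


def parse_fields(line):
    """Return the key=value pairs of one audit record, with quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}


def summarize_denials(journal_text, snap_name):
    """Count AppArmor DENIED and seccomp (type=1326) records for one snap."""
    counts = Counter()
    for line in journal_text.splitlines():
        f = parse_fields(line)
        profile = f.get("profile", "")
        if f.get("apparmor") == "DENIED" and profile.startswith(f"snap.{snap_name}."):
            detail = " ".join(f"{k}={f[k]}" for k in APPARMOR_KEYS if k in f)
            counts[("apparmor", detail)] += 1
        elif f.get("type") == "1326" and f.get("exe", "").startswith(f"/snap/{snap_name}/"):
            # Seccomp records carry the raw syscall number and audit arch only.
            counts[("seccomp", f"syscall={f.get('syscall')} arch={f.get('arch')}")] += 1
    return counts


if __name__ == "__main__":
    # Pipe real journal text on stdin, or run without input to use the sample.
    text = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin.read()
    for (kind, detail), n in summarize_denials(text, "proxyproxy").most_common():
        print(f"{n:3d}  {kind:9s} {detail}")
```

Run it as `journalctl -e --no-pager | python3 denials.py` to get one line per distinct denial with its count, which makes it easier to see which operation the connected interfaces still do not cover.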