Plugs/perms/caps to work with system ping

Hello, I’m trying to put a wrapper for the ping utility in a snap package. It works outside the scope of snapd without any additional permissions or capabilities. Running this wrapper with snap, there is a "ping: Permission denied" message. As far as I can see, /snap/…/ping already has the proper caps:

getcap /snap/core22/current/usr/bin/ping
/snap/core22/current/usr/bin/ping cap_net_raw=ep

To get it to work with system ping, do some additional caps/perms have to be delegated to the user app? Or does it just need some plug added? (tried the network and network-bind plugs with no success)

Install the snappy-debug snap and run the snappy-debug command in a second terminal while you execute your ping from the snap, that should give suggestions about plugs.

Thank you for the hints, I got the AppArmor output below.

Suggestion from output:

  • shipping ‘ping’ is not too reasonable, because I cannot set root-uid or raw-socket-cap on a shipped ping
  • add one of ‘firewall-control, network-control, network-observe’ to ‘plugs’: I added all three of these plugs, and after adding them and reinstalling the snap package there’s still permission denied

Can it be connected with some cache or something like that?

= AppArmor =
Time: 2023-07-31T21:5
Log: apparmor="DENIED" operation="open" class="file" profile="snap.dmtr.dmtr" name="/proc/sys/vm/max_map_count" pid=31141 comm="dmtr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/vm/max_map_count (read)
Suggestions:

  • adjust program to not access ‘@{PROC}/sys/vm/max_map_count’
  • add ‘system-observe’ to ‘plugs’

= AppArmor =
Time: 2023-07-31T21:5
Log: apparmor="DENIED" operation="exec" class="file" profile="snap.dmtr.dmtr" name="/usr/bin/ping" pid=31179 comm="DartWorker" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /usr/bin/ping (exec)
Suggestions:

  • adjust snap to ship ‘ping’
  • adjust program to use relative paths if the snap already ships ‘ping’
  • add one of ‘firewall-control, network-control, network-observe’ to ‘plugs’

Did you connect the plugs using the snap connect ... command? (network-control and system-observe might be enough)


Thank you, it works. (with manually connected plug, I thought it was done automatically after adding that plug to plug list in snapcraft.yaml)

Anyway it works, thank you again for help

% Interface         Plug                   Slot              Notes
firewall-control  dmtr:firewall-control  -                 -
network           dmtr:network           :network          -
network-bind      dmtr:network-bind      :network-bind     -
network-control   dmtr:network-control   :network-control  manual

P.S. About ‘system-observe’: maybe it’s for the Dart subsystem itself and not used by the app.

Once your snap is in the store proper you can request auto-connection in the store-requests category here in the forum… some interfaces are too privileged to just let them connect without at least a review…


It’s helpful and has saved me a lot of time. Thank you
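
The check that resolved this thread (a plug declared in snapcraft.yaml is not necessarily connected), as an added example that is not part of any post above: it reads snap connections output, here the table posted in the thread embedded as sample input, and prints the snap connect command for each plug whose slot is still empty. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread's participants.
# Sample input: the `snap connections` table posted above, embedded so the
# script runs offline.
sample_connections() {
cat <<'EOF'
Interface         Plug                   Slot              Notes
firewall-control  dmtr:firewall-control  -                 -
network           dmtr:network           :network          -
network-bind      dmtr:network-bind      :network-bind     -
network-control   dmtr:network-control   :network-control  manual
EOF
}

# unconnected_plugs (hypothetical name): read `snap connections <snap>` output
# on stdin and print every plug whose Slot column is "-", i.e. the plug is
# declared by the snap but nothing is connected to it.
unconnected_plugs() {
    awk 'NR > 1 && $2 != "-" && $3 == "-" { print $2 }'
}

# connect_commands (hypothetical name): turn the unconnected plugs into
# `snap connect` commands. They are only printed, so each privileged
# interface can be reviewed before it is granted.
connect_commands() {
    unconnected_plugs | while read -r plug; do
        printf 'sudo snap connect %s\n' "$plug"
    done
}

# manual_connections (hypothetical name): plugs that were connected by hand
# (Notes column contains "manual") and would not be connected on a fresh
# install without an auto-connection grant.
manual_connections() {
    awk 'NR > 1 && $4 ~ /manual/ { print $2 }'
}

# Demo on the embedded sample. On a live system:
#   snap connections dmtr | connect_commands
sample_connections | connect_commands
```

In the posted table firewall-control is still unconnected while ping already works through network-control, so that plug can be dropped from the plugs list rather than connected.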