Ppp plug, "/dev/ppp device: Permission denied" and sudo

Hi,

I am attempting to create a new snap of the openfortivpn VPN client to take over maintenance of the existing snap.

The existing snap had been created 2 years ago from this snapcraft.yaml file and does not seem to be working anymore - at least not on Ubuntu 18.04. Not sure why it doesn’t work anymore; the error message feels like the network-bind plug is not being taken into account but is strangely garbled:

$ sudo /snap/bin/openfortivpn -u xxxxxxx xxxxx.xxxx.de:443
WARN:   Could not load config file "/etc/openfortivpn/config" (No such file or directory).
VPN account password: 
     12972:	2     12972:	�     12972:	e.so.2ERROR:  gethostbyname: Unknown server error
INFO:   Closed connection to gateway.
ERROR:  connect: Connection refused
INFO:   Could not log out.
$ 

Anyway, let’s focus on the new prototype snap built from a snapcraft.yaml file directly inspired by the existing one. I have declared plugs [network-bind ppp] and the snap builds smoothly but fails to run as if the ppp plug wasn’t sufficient:

$ sudo /snap/bin/openfortivpn-test.openfortivpn -u xxxxxxx xxxxx.xxxx.de:443
WARN:   Could not load config file "/usr/etc/openfortivpn/config" (No such file or directory).
VPN account password: 
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Couldn't open the /dev/ppp device: Operation not permitted
/snap/openfortivpn-test/current/usr/sbin/pppd: Sorry - this system lacks PPP kernel support

/snap/openfortivpn-test/current/usr/sbin/pppd: Sorry - this system lacks PPP kernel support

ERROR:  read: Input/output error
INFO:   Cancelling threads...
ERROR:  pppd: The kernel does not support PPP, for example, the PPP kernel driver is not included or cannot be loaded.
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
INFO:   Logged out.
$ 

Any clue how I could get this to work?

Did you connect the ppp plug for your snap? What’s snap connections openfortivpn-test?

Also, since you’re asking about building snaps, I moved this over to #snapcraft

Indeed I should have documented this: connecting the ppp plug does not help:

$ sudo snap connect openfortivpn-test:ppp
$ 
$ snap connections openfortivpn-test
Interface     Plug                            Slot           Notes
network-bind  openfortivpn-test:network-bind  :network-bind  -
ppp           openfortivpn-test:ppp           :ppp           manual
$ 
$ sudo /snap/bin/openfortivpn-test.openfortivpn -u xxxxxxx xxxxx.xxxx.de:443
WARN:   Could not load config file "/etc/openfortivpn/config" (No such file or directory).
VPN account password: 
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Couldn't open the /dev/ppp device: Operation not permitted
/snap/openfortivpn-test/current/usr/sbin/pppd: Sorry - this system lacks PPP kernel support

/snap/openfortivpn-test/current/usr/sbin/pppd: Sorry - this system lacks PPP kernel support

ERROR:  read: Input/output error
INFO:   Cancelling threads...
ERROR:  pppd: The kernel does not support PPP, for example, the PPP kernel driver is not included or cannot be loaded.
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
INFO:   Logged out.
$ 

Do you see any denials in the system journal when you run your command? I.e. what’s the output of journalctl --no-pager -e | grep DENIED ?


Perhaps it’s related, but openfortivpn forks and execs pppd. In order for execv() to find pppd I had to add to snapcraft.yaml:

        configflags:
            - --with-pppd=/snap/openfortivpn-test/current/usr/sbin/pppd

This doesn’t make sense to me because passing an absolute system path instead of a path relative to the snap kind of breaks confinement. I’ve tried this and execv() fails with an error message such as /usr/sbin/pppd: No such file or directory:

        configflags:
            - --with-pppd=/usr/sbin/pppd

I do get denials, always the same:

Apr 02 13:32:37 is233895 kernel: audit: type=1400 audit(1585827157.344:1926): apparmor="DENIED" operation="capable" profile="snap.openfortivpn-test.openfortivpn" pid=16443 comm="pppd" capability=12  capname="net_admin"

Note that in our case pppd requires the noauth option, which is privileged. I don’t know if that’s related.

try adding the network-control plug … (net_admin should probably be added to the ppp interface)

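The two replies above amount to a troubleshooting procedure: grep the journal for AppArmor DENIED events, read the profile, comm and capname fields, and map the missing capability to the snap interface that grants it. The script below is an added example, not code from this thread or from the openfortivpn or snapd projects. It parses journal lines of the format shown above into key/value fields, counts the denials per profile, and reports which capabilities a given snap profile was refused. The first sample line is the denial quoted in the thread; the other two lines are constructed to show that file-access denials and unrelated journal entries are handled separately. The capability-to-interface table contains only the net_admin to network-control mapping suggested in the reply above; any other entry would be an assumption.

```python
import re
from collections import Counter

# Constructed sample of `journalctl --no-pager -e` output. Line 1 is the denial
# quoted in the thread; lines 2 and 3 are made up for this example.
SAMPLE_JOURNAL = """\
Apr 02 13:32:37 is233895 kernel: audit: type=1400 audit(1585827157.344:1926): apparmor="DENIED" operation="capable" profile="snap.openfortivpn-test.openfortivpn" pid=16443 comm="pppd" capability=12  capname="net_admin"
Apr 02 13:32:38 is233895 kernel: audit: type=1400 audit(1585827158.001:1927): apparmor="DENIED" operation="open" profile="snap.openfortivpn-test.openfortivpn" name="/etc/ppp/options" pid=16443 comm="pppd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 02 13:32:39 is233895 systemd[1]: Started Session 5 of user dimitri.
"""

# AppArmor audit records are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Capability name -> snap interface that grants it. Only the mapping the thread
# itself suggests is included; extend it only with mappings you have verified.
CAPABILITY_TO_INTERFACE = {"net_admin": "network-control"}


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted = m.group(1), m.group(3)
        fields[key] = quoted if quoted is not None else m.group(2)
    return fields


def summarize_denials(journal_text):
    """Count DENIED events keyed by (profile, comm, operation, detail).

    `detail` is the capability name for "capable" denials and the path for
    file-access denials, so the summary reads like a to-do list of missing plugs.
    """
    counts = Counter()
    for line in journal_text.splitlines():
        f = parse_apparmor_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        detail = f.get("capname") or f.get("name") or ""
        counts[(f["profile"], f.get("comm", ""), f["operation"], detail)] += 1
    return counts


def denied_capabilities(journal_text, profile):
    """Set of Linux capability names the given snap profile was denied."""
    return {
        detail
        for (prof, _comm, op, detail) in summarize_denials(journal_text)
        if prof == profile and op == "capable"
    }


def suggested_interfaces(journal_text, profile):
    """Map each denied capability to a snap interface, or None when no mapping is known."""
    return {
        cap: CAPABILITY_TO_INTERFACE.get(cap)
        for cap in sorted(denied_capabilities(journal_text, profile))
    }


if __name__ == "__main__":
    profile = "snap.openfortivpn-test.openfortivpn"
    for key, n in summarize_denials(SAMPLE_JOURNAL).items():
        print(n, *key)
    print(suggested_interfaces(SAMPLE_JOURNAL, profile))
```

In practice you would feed it `journalctl --no-pager -e` output on stdin instead of the embedded sample; the point is that a "capable" denial names the capability, and that is what decides which interface (here network-control) the snap still needs to plug.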

Ah, much better! Thank you.

$ sudo snap refresh openfortivpn-test
[sudo] password for dimitri: 
openfortivpn-test (edge) 1.13.3 from Dimitri Papadopoulos refreshed
$ 
$ sudo snap connect openfortivpn-test:network-control
$ 
$ sudo /snap/bin/openfortivpn-test.openfortivpn -u xxxxxxx xxxxx.xxxx.de:443
WARN:   Could not load config file "/etc/openfortivpn/config" (No such file or directory).
VPN account password: 
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
INFO:   Got addresses: [10.212.134.200], ns [xxx.xx.xxx.252, xxx.xx.xxx.202]
INFO:   negotiation complete
INFO:   Got addresses: [10.212.134.200], ns [xxx.xx.xxx.252, xxx.xx.xxx.202]
INFO:   negotiation complete
INFO:   negotiation complete
local  IP address 10.212.134.200
remote IP address 192.0.2.1
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
INFO:   Adding VPN nameservers...
INFO:   Tunnel is up and running.

Is this a bug that I should report? On the other hand, a VPN client does require some level of “network control”, so I don’t find this shocking.