Qt network bearer & NetworkManager access (extend network_observe?)


#1

Qt network internally can integrate with NetworkManager to get info on interface status and all sort of magic.

Currently there is no snapd interface to supply the necessary access privileges (excluding the neworkmanager one which gives full access to NM, so it’s unsuitable for most cases that do not actually want to control anything but only inspect the network states for being up/online/etc).

This is something every HTTP using Qt application needs to supply the best user experience.

Relevant Qt code

Here’s a dump of read-only accesses that HTTP GET requests would cause

Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings" interface="org.freedesktop.NetworkManager.Settings" member="ListConnections" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/9" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/9" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/8" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/2" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/7" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/2" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/5" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/4" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/41" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSettings" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/18" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSettings" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings" interface="org.freedesktop.NetworkManager.Settings" member="ListConnections" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/9" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/9" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/8" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/2" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/7" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/2" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/5" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/4" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/41" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSettings" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/18" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSettings" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'

#2

In general, Qt Bearer is known to need wide access to the NetworkManager APIs under various conditions (https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1404188). Part of the issue on Ubuntu Touch that was discussed in that bug is that polkit was effectively neutered and so the accesses to NetworkManager were particularly problematic which isn’t the case on classic distro (but it is the case on Ubuntu Core and also note that snaps can run root daemons and root is typically given a pass with polkit policy).

What you listed above does not sound unreasonable to have somewhere though since they are all List* and Get* operations. I don’t think network-observe is quite right. Possibly network-manager-observe. I worry that because Qt Bearer was written with polkit in mind, seemingly innocuous use of Qt Bearer might spin out on the required access rules; have you tested other applications that shouldn’t require writes to NetworkManager to see what their accesses are?


#3

That’s pretty much what I posted.
All the reads are part of initializing a QNetworkAccessManager (which is where one feeds QNetworkRequests to do any HTTP requests). QNetworkAccessManager will initialize QNetworkConfigurationManager which is backed by the various QtBearer plugins (connman, nm, etc.) to read and watch system-network state information. QNetworkAccessManager is then using the information to determine online-state and probably other things.

The audit dump more or less is caused entirely by the initial loading of NM’s state. Spread across various places, some of them:


For the record, this is the stack trace where it all begins

# various qtdbus stuff and eventually unwinding into the qeventloop for async state-introspection
#7  0x00007fffb75d33b5 in QNetworkManagerEngine::QNetworkManagerEngine (this=0x55555605cc10, parent=<optimized out>) at qnetworkmanagerengine.cpp:94
#8  0x00007fffb75c4430 in QNetworkManagerEnginePlugin::create (this=<optimized out>, key=...) at main.cpp:73
#9  0x00007ffff6c85d3a in qLoadPlugin<QBearerEngine, QBearerEnginePlugin> (key=..., loader=0x555556053fb8) at ../../include/QtCore/5.11.2/QtCore/private/../../../../../src/corelib/plugin/qfactoryloader_p.h:107
#10 QNetworkConfigurationManagerPrivate::updateConfigurations (this=this@entry=0x555556053f90) at bearer/qnetworkconfigmanager_p.cpp:378
#11 0x00007ffff6c866ae in QNetworkConfigurationManagerPrivate::initialize (this=this@entry=0x555556053f90) at bearer/qnetworkconfigmanager_p.cpp:78
#12 0x00007ffff6c808cd in qNetworkConfigurationManagerPrivate () at bearer/qnetworkconfigmanager.cpp:95
#13 0x00007ffff6c80967 in QNetworkConfigurationManager::QNetworkConfigurationManager (this=0x5555558e15b8, parent=<optimized out>) at bearer/qnetworkconfigmanager.cpp:235
#14 0x00007ffff6c0dd46 in QNetworkAccessManagerPrivate::QNetworkAccessManagerPrivate (this=0x5555558e14f0) at access/qnetworkaccessmanager_p.h:99
#15 QNetworkAccessManager::QNetworkAccessManager (this=0x7fffed97d020, parent=0x0) at access/qnetworkaccessmanager.cpp:462