Qt network bearer & NetworkManager access (extend network_observe?)

Qt network internally can integrate with NetworkManager to get info on interface status and all sorts of magic.

Currently there is no snapd interface to supply the necessary access privileges (excluding the network-manager one, which gives full access to NM, so it’s unsuitable for most cases that do not actually want to control anything but only inspect the network state for being up/online/etc.).

This is something every HTTP-using Qt application needs to supply the best user experience.

Relevant Qt code

Here’s a dump of read-only accesses that HTTP GET requests would cause

Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings" interface="org.freedesktop.NetworkManager.Settings" member="ListConnections" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/9" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/9" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/8" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/2" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/7" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/2" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/5" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/4" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/41" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSettings" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/18" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSettings" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings" interface="org.freedesktop.NetworkManager.Settings" member="ListConnections" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/9" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/9" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/8" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/2" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/7" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/2" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/ActiveConnection/5" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/4" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/41" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSettings" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:15 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/18" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSettings" mask="send" name="org.freedesktop.NetworkManager" pid=22098 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'

In general, Qt Bearer is known to need wide access to the NetworkManager APIs under various conditions (https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1404188). Part of the issue on Ubuntu Touch that was discussed in that bug is that polkit was effectively neutered and so the accesses to NetworkManager were particularly problematic, which isn’t the case on classic distros (but it is the case on Ubuntu Core; also note that snaps can run root daemons and root is typically given a pass with polkit policy).

What you listed above does not sound unreasonable to have somewhere though since they are all List* and Get* operations. I don’t think network-observe is quite right. Possibly network-manager-observe. I worry that because Qt Bearer was written with polkit in mind, seemingly innocuous use of Qt Bearer might spin out on the required access rules; have you tested other applications that shouldn’t require writes to NetworkManager to see what their accesses are?

That’s pretty much what I posted.
All the reads are part of initializing a QNetworkAccessManager (which is where one feeds QNetworkRequests to do any HTTP requests). QNetworkAccessManager will initialize QNetworkConfigurationManager, which is backed by the various QtBearer plugins (connman, nm, etc.) to read and watch system network state information. QNetworkAccessManager then uses the information to determine online state and probably other things.

The audit dump more or less is caused entirely by the initial loading of NM’s state. Spread across various places, some of them:


For the record, this is the stack trace where it all begins

# various qtdbus stuff and eventually unwinding into the qeventloop for async state-introspection
#7  0x00007fffb75d33b5 in QNetworkManagerEngine::QNetworkManagerEngine (this=0x55555605cc10, parent=<optimized out>) at qnetworkmanagerengine.cpp:94
#8  0x00007fffb75c4430 in QNetworkManagerEnginePlugin::create (this=<optimized out>, key=...) at main.cpp:73
#9  0x00007ffff6c85d3a in qLoadPlugin<QBearerEngine, QBearerEnginePlugin> (key=..., loader=0x555556053fb8) at ../../include/QtCore/5.11.2/QtCore/private/../../../../../src/corelib/plugin/qfactoryloader_p.h:107
#10 QNetworkConfigurationManagerPrivate::updateConfigurations (this=this@entry=0x555556053f90) at bearer/qnetworkconfigmanager_p.cpp:378
#11 0x00007ffff6c866ae in QNetworkConfigurationManagerPrivate::initialize (this=this@entry=0x555556053f90) at bearer/qnetworkconfigmanager_p.cpp:78
#12 0x00007ffff6c808cd in qNetworkConfigurationManagerPrivate () at bearer/qnetworkconfigmanager.cpp:95
#13 0x00007ffff6c80967 in QNetworkConfigurationManager::QNetworkConfigurationManager (this=0x5555558e15b8, parent=<optimized out>) at bearer/qnetworkconfigmanager.cpp:235
#14 0x00007ffff6c0dd46 in QNetworkAccessManagerPrivate::QNetworkAccessManagerPrivate (this=0x5555558e14f0) at access/qnetworkaccessmanager_p.h:99
#15 QNetworkAccessManager::QNetworkAccessManager (this=0x7fffed97d020, parent=0x0) at access/qnetworkaccessmanager.cpp:462

I think the way to do this is to add a new network-manager-observe interface with just the Gets and Lists, similar to what we did with avahi-observe. @sitter, do you have a small test snap I could use to verify this?

@jdstrand Absolutely, snap install --edge qtnetsample (code: https://github.com/apachelogger/qtnetsample)

I was able to run qtnetsample with no denials if I added the following rules to the policy:

dbus (send)
     bus=system
     path="/org/freedesktop/NetworkManager{,/{ActiveConnection,Devices}/*}"
     interface="org.freedesktop.DBus.Properties"
     member="Get{,All}"
     peer=(label=unconfined),
dbus (send)
     bus=system
     path="/org/freedesktop/NetworkManager"
     interface="org.freedesktop.NetworkManager"
     member="GetDevices"
     peer=(label=unconfined),
dbus (send)
     bus=system
     path="/org/freedesktop/NetworkManager/Settings"
     interface="org.freedesktop.NetworkManager.Settings"
     member="ListConnections"
     peer=(label=unconfined),
dbus (send)
     bus=system
     path="/org/freedesktop/NetworkManager/Settings{,/*}"
     interface="org.freedesktop.NetworkManager.Settings{,.Connection}"
     member="GetSettings"
     peer=(label=unconfined),

This does leak things like MAC and previous wifi networks, but importantly does not allow setting anything or leaking secrets. As such, adding network-manager-observe seems tractable. I need to think about how that should look codewise.

@sitter - do the above accesses seem sufficient to you?
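The procedure this thread follows (collect the USER_AVC dbus_method_call entries from the audit dump in the first post, keep only the Get*/List* inspection calls, and check that a proposed set of AppArmor dbus rules such as the ones above covers them without also covering writes) can be automated. The script below is an added example for this thread, not snapd, Qt or qtnetsample code. It assumes the journal/audit line layout shown in the dump (the msg='...' field wrapped onto a continuation line) and AppArmor's {a,b} / * / ** glob syntax for dbus rule fields. The sample input is constructed: three entries copied from the dump plus two hypothetical calls, ActivateConnection and GetSecrets (real NetworkManager method names, not observed in the dump), which an observe-only interface must not permit. GetSecrets is special-cased because it starts with Get but returns credentials, so a naive Get*/List* heuristic would misclassify it.

```python
"""Derive read-only AppArmor dbus rules from USER_AVC audit entries and check a policy against them."""
import re
from typing import List, NamedTuple


class DbusCall(NamedTuple):
    bus: str
    path: str
    interface: str
    member: str
    label: str


# Constructed sample: three entries copied from the dump above plus two hypothetical
# entries (ActivateConnection, GetSecrets) that an observe-only interface must not allow.
SAMPLE_AUDIT = """\
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Devices/9" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/41" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSettings" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="ActivateConnection" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
Nov 08 17:16:14 polaris audit[1106]: USER_AVC pid=1106 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/NetworkManager/Settings/41" interface="org.freedesktop.NetworkManager.Settings.Connection" member="GetSecrets" mask="send" name="org.freedesktop.NetworkManager" pid=21895 label="snap.peruse.peruse" peer_pid=1126 peer_label="unconfined"
                                      exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
"""

# The four rules posted above, one per line (whitespace between fields is not significant).
PROPOSED_RULES = """\
dbus (send) bus=system path="/org/freedesktop/NetworkManager{,/{ActiveConnection,Devices}/*}" interface="org.freedesktop.DBus.Properties" member="Get{,All}" peer=(label=unconfined),
dbus (send) bus=system path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" peer=(label=unconfined),
dbus (send) bus=system path="/org/freedesktop/NetworkManager/Settings" interface="org.freedesktop.NetworkManager.Settings" member="ListConnections" peer=(label=unconfined),
dbus (send) bus=system path="/org/freedesktop/NetworkManager/Settings{,/*}" interface="org.freedesktop.NetworkManager.Settings{,.Connection}" member="GetSettings" peer=(label=unconfined),
"""

# Methods that start with "Get" but hand out credentials: never observe-only.
SECRET_MEMBERS = {"GetSecrets"}

RULE_RX = re.compile(r'dbus\s+\(send\)\s+bus=(\w+)\s+path="([^"]+)"\s+interface="([^"]+)"'
                     r'\s+member="([^"]+)"\s+peer=\(label=(\w+)\)')


def parse_audit(text: str) -> List[DbusCall]:
    """Extract dbus_method_call entries; the msg='...' field may span wrapped lines."""
    calls = []
    for m in re.finditer(r"USER_AVC.*?terminal=\?'", text, re.S):
        f = dict(re.findall(r'(\w+)="([^"]*)"', m.group(0)))
        if f.get("operation") == "dbus_method_call":
            calls.append(DbusCall(f["bus"], f["path"], f["interface"], f["member"], f["label"]))
    return calls


def is_read_only(member: str) -> bool:
    """The Get*/List* heuristic from the thread, minus the secret-returning methods."""
    return member not in SECRET_MEMBERS and member.startswith(("Get", "List"))


def expand_braces(pat: str) -> List[str]:
    """Expand AppArmor {a,b} alternation, including nested braces and empty alternatives."""
    start = pat.find("{")
    if start == -1:
        return [pat]
    depth, end = 0, -1
    for i in range(start, len(pat)):
        depth += (pat[i] == "{") - (pat[i] == "}")
        if depth == 0:
            end = i
            break
    if end == -1:
        raise ValueError(f"unbalanced braces in {pat!r}")
    alts, depth, cur = [], 0, ""
    for ch in pat[start + 1:end]:            # split the body on top-level commas only
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            alts.append(cur)
            cur = ""
        else:
            cur += ch
    alts.append(cur)
    return [x for alt in alts for x in expand_braces(pat[:start] + alt + pat[end + 1:])]


def glob_match(glob: str, value: str) -> bool:
    """AppArmor globbing: * stops at '/', ** crosses it, ? is one non-'/' character."""
    sub = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    for alt in expand_braces(glob):
        rx = re.sub(r"\*\*|\*|\?|[^*?]+", lambda m: sub.get(m.group(0), re.escape(m.group(0))), alt)
        if re.fullmatch(rx, value):
            return True
    return False


def covered(call: DbusCall, policy: str) -> bool:
    """True if some dbus (send) rule in the policy text matches the call's bus, path, interface and member."""
    return any(bus == call.bus and glob_match(path, call.path) and glob_match(iface, call.interface)
               and glob_match(member, call.member)
               for bus, path, iface, member, _peer in RULE_RX.findall(policy))


def generate_rules(calls: List[DbusCall]) -> List[str]:
    """Collapse observed read-only calls into rules; trailing numeric object ids become '*' globs."""
    seen = {(c.bus, re.sub(r"/\d+$", "/*", c.path), c.interface, c.member)
            for c in calls if is_read_only(c.member)}
    return [f'dbus (send) bus={b} path="{p}" interface="{i}" member="{m}" peer=(label=unconfined),'
            for b, p, i, m in sorted(seen)]


if __name__ == "__main__":
    observed = parse_audit(SAMPLE_AUDIT)
    for c in observed:
        print(f"{'allowed' if covered(c, PROPOSED_RULES) else 'DENIED '} {c.member:20} {c.path}")
    print("\n".join(generate_rules(observed)))
```

Running it prints the three inspection calls as allowed and the two constructed write/secret calls as denied, then the rules derived from the read-only calls (the same shape as the proposed policy, with `Devices/9` and `Settings/41` collapsed to `*`). Pointing parse_audit at a real `journalctl -k`/`auditd` capture of a different Qt snap is the quickest way to answer the question above about whether other applications spin out on extra NetworkManager accesses: anything that comes out of covered as False, or fails is_read_only, is the access that would need discussion.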

dbus (send)
     bus=system
     path="/org/freedesktop/NetworkManager/Settings"
     interface="org.freedesktop.NetworkManager.Settings"
     member="ListConnections"
     peer=(label=unconfined),

There could also be a call to GetConnectionByUuid, but in Qt 5.12 this seems actually impossible as the calling function never gets called anywhere in qtbase (and I think no one else could either as a result of that). So, probably not too important.

Other than that LGTM

FYI, https://github.com/snapcore/snapd/pull/6456 and https://github.com/snapcore/snapd/pull/6457