Remove hook apparmor problems


#1

Hi all!
I'm trying to make a remove hook that will communicate a little with a JSON server running in another snap on the same system.
To do this, I'm using wget + a chain of sed/awk/grep.
My script works without problems if it is started manually, but when it is started as a remove hook, apparmor denies TCP connection attempts:

audit[6361]: AVC apparmor="DENIED" operation="create" profile="snap.rigado-openthread-br.hook.remove" pid=6361 comm="wget" family="inet" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
kernel: audit: type=1400 audit(1544097426.368:3499): apparmor="DENIED" operation="create" profile="snap.rigado-openthread-br.hook.remove" pid=6361 comm="wget" family="inet" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"

I’ve added in snapcraft.yaml this:

hooks:
  remove:
    plugs:
      - network
      - network-bind

But it still doesn't work.
I've googled a lot, and it seems like adding plugs in the hook description should work, but in my case this is not working. I have a feeling that these plugs are only for the remove shell script itself, but not for the wget application (it is part of my snap btw) it calls…

Has anyone faced similar issues? How can it be fixed?
Thanks a lot!
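An added example, not from this thread or from snapd: a small parser for AppArmor DENIED audit records in the format shown above (the kernel writes them with straight double quotes), which groups denials by profile and recognises snap hook profiles so you can see at a glance which hook's confinement blocked which program. The sample lines are constructed from the records in the post.

```python
"""Parse AppArmor DENIED audit lines and group them by snap hook profile."""
import re
from collections import defaultdict

# key="value" pairs as written by the kernel; unquoted values such as
# protocol=0 are matched by the second alternative.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Snap hook profiles are named snap.<snap>.hook.<hook>
_HOOK_PROFILE_RE = re.compile(r'^snap\.(?P<snap>[^.]+)\.hook\.(?P<hook>[^.]+)$')


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line is not an apparmor="DENIED" record."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def hook_profile(profile):
    """Split a snap hook profile name into (snap, hook); None otherwise."""
    m = _HOOK_PROFILE_RE.match(profile)
    return (m.group('snap'), m.group('hook')) if m else None


def summarize(lines):
    """Map each denied profile to the set of (comm, operation) pairs seen."""
    summary = defaultdict(set)
    for line in lines:
        f = parse_denial(line)
        if f and 'profile' in f:
            summary[f['profile']].add((f.get('comm', '?'), f.get('operation', '?')))
    return dict(summary)


# Constructed sample lines (journal prefixes vary; both forms above are covered).
SAMPLE_LOG = [
    'audit[6361]: AVC apparmor="DENIED" operation="create" profile="snap.rigado-openthread-br.hook.remove" pid=6361 comm="wget" family="inet" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"',
    'kernel: audit: type=1400 audit(1544097426.368:3499): apparmor="DENIED" operation="create" profile="snap.rigado-openthread-br.hook.remove" pid=6361 comm="wget" family="inet" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"',
    'kernel: audit: type=1400 audit(1544097426.400:3500): apparmor="ALLOWED" operation="open" profile="snap.example.hook.install" pid=7000 comm="curl"',
]

if __name__ == '__main__':
    for profile, ops in summarize(SAMPLE_LOG).items():
        print(profile, hook_profile(profile), sorted(ops))
```

Feed it `journalctl -k` output to confirm whether a denial really comes from the hook's own profile (as here, where the hook runs after its plugs were disconnected) rather than from an app's profile.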


#2

Ok, I did a test with a simple test snap and can confirm this. The problem is in the unfortunate ordering of tasks executed during snap removal: the remove hook is run after disconnecting all interfaces, so all permissions granted to the hook are no longer effective. The fix to that in snapd is easy, I'll discuss this with the team and report soon. I'm sorry for any inconvenience caused by this issue, thanks for reporting it!


#3

Looks like the remove hook is a little special, and it is executed with no plugs connected.
I've conducted a little experiment: created two dumb snaps, each one with just one hook, one snap with a remove hook, and one with an install hook. Plugs for the hooks are exactly the same:

“remove” snap:
hooks:
  remove:
    plugs:
      - network
      - network-bind

“install” snap:
hooks:
  install:
    plugs:
      - network
      - network-bind

The executable binary is also the same, just named in one case “install” and in the other case “remove”.
And, what I see:

  • “install” variant works as it should. I see the network exchange as it should be.
  • “remove” variant is NOT working at all. Apparmor blocks the hook executable from the network entirely.
    Looks like in the install case, firstly these two plugs (network, network-bind) are connected, and the hook runs with the requested permissions; all good here. In the remove case, firstly I see that the two plugs are disconnected, and then the remove hook starts - looks like it runs with “null” privileges, because the plugs are already disconnected.

Is this a bug? Or is this intended behavior? How can I run something on snap removal with non-null plugs?

Thanks in advance!


#4

Sorry, I didn't read your answer before writing my message. Thank you!


#5

The fix has just been merged into master: https://github.com/snapcore/snapd/pull/6272 and will soon be available in the core image from the edge channel.