Request auto-connect firewall-control or network-control or network-observe for cbj_hub

Background:

cbj-hub is the hub part of the CyBear Jinni ecosystem. It is in charge of finding and controlling devices from different vendors in one easy-to-use app and even expanding the functionality of the devices. It is open source and very similar to Home Assistant, with more focus on simplicity (especially in setting things up).

Plug And Explanation:

One of the ways the Hub finds smart devices that can be added automatically to the home is by device hostname. The app uses a Dart package that pings all IPs in the network and waits for a response. If a response is found (a device exists at that IP), the program will try to find the hostname of that device. If the hostname contains the name of a specific vendor, the program can understand that this vendor exists and try to send a request suited to that vendor to that device IP to get its info and see if it is a supported device type.

I am getting the error `ProcessException: Permission denied` for the command `ping`; see the full log at the end. `snappy-debug.security scanlog` suggests adding one of the following plugs in order to fix the permission denied error:

* add one of 'firewall-control, network-control, network-observe' to 'plugs'

Snap Permission Log:

:~$ snappy-debug.security scanlog
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= AppArmor =
Time: Aug  9 22:13:59
Log: apparmor="DENIED" operation="open" profile="snap.cbj-hub.cbj-hub" name="/etc/" pid=11461 comm="DartWorker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /etc/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)

= AppArmor =
Time: Aug  9 22:13:59
Log: apparmor="DENIED" operation="open" profile="snap.cbj-hub.cbj-hub" name="/usr/bin/timeout" pid=11513 comm="DartWorker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /usr/bin/timeout (read)
Suggestions:
* adjust snap to ship 'timeout'
* adjust program to use relative paths if the snap already ships 'timeout'

= AppArmor =
Time: Aug  9 22:13:59
Log: apparmor="DENIED" operation="open" profile="snap.cbj-hub.cbj-hub" name="/usr/bin/timeout" pid=11515 comm="DartWorker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /usr/bin/timeout (read)
Suggestions:
* adjust snap to ship 'timeout'
* adjust program to use relative paths if the snap already ships 'timeout'

= AppArmor =
Time: Aug  9 22:13:59
Log: apparmor="DENIED" operation="exec" profile="snap.cbj-hub.cbj-hub" name="/usr/bin/ping" pid=11543 comm="DartWorker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /usr/bin/ping (exec)
Suggestions:
* adjust snap to ship 'ping'
* adjust program to use relative paths if the snap already ships 'ping'
* add one of 'firewall-control, network-control, network-observe' to 'plugs'

Program Crash Log:

  Check that /usr/bin/timeout exists
    command: timeout 2s avahi-browse --all -p
  Check that /usr/bin/timeout exists
    command: timeout 2s mdns-scan
You can make the mdns process better by installing `mdns-scan`
Unhandled exception:
ProcessException: Permission denied
  Command: ping -O -n -W 1 -i 1 -t 255 -c 1 192.168.31.1
#0      _ProcessImpl._start (dart:io-patch/process_patch.dart:401)
#1      Process.start (dart:io-patch/process_patch.dart:38)
#2      BasePing.platformProcess (package:dart_ping/src/ping/base_ping.dart:71)
#3      BasePing._onListen (package:dart_ping/src/ping/base_ping.dart:86)
#4      _runGuarded (dart:async/stream_controller.dart:814)
#5      _StreamController._subscribe.<anonymous closure> (dart:async/stream_controller.dart:692)
#6      _BufferingStreamSubscription._guardCallback (dart:async/stream_impl.dart:417)
#7      _StreamController._subscribe (dart:async/stream_controller.dart:691)
#8      _ControllerStream._createSubscription (dart:async/stream_controller.dart:827)
#9      _StreamImpl.listen (dart:async/stream_impl.dart:473)
#10     _StreamIterator._initializeOrDone (dart:async/stream_impl.dart:1028)
#11     _StreamIterator.moveNext (dart:async/stream_impl.dart:1004)
#12     HostScanner._getHostFromPing (package:network_tools/src/host_scanner.dart)
#13     HostScanner.getAllPingableDevices (package:network_tools/src/host_scanner.dart:41)
<asynchronous suspension>

CyBear Jinni code is open source, here are links to the project and snap.

Link to the repo CyBear Jinni Hub

Link to the snap repo CyBear Jinni Hub Snap repo

Link to the snapstore snap CyBear Jinni Smart Home Hub snap

So you may also see that snappy-debug suggests to ship the ping binary within your snap - can you please try this first?

@guyluz11 - ping, can you please provide the requested information?

Adding iputils-ping to stage-packages didn’t work for me.

I have installed the snap using --devmode and connected all connections.

And snappy-debug.security scanlog shows only the

adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

part which I think is not connected to our case.

Tested with adding all firewall-control, network-control, network-observe plugs and it is not working.

Getting error

 2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: Unhandled exception:
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: ProcessException:
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]:   Command: ping -O -n -W 1 -i 1 -t 255 -c 1 192.168.31.198
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #0      _ProcessImpl._start (dart:io-patch/process_patch.dart:401)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #1      Process.start (dart:io-patch/process_patch.dart:38)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #2      BasePing.platformProcess (package:dart_ping/src/ping/base_ping.dart:71)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #3      BasePing._onListen (package:dart_ping/src/ping/base_ping.dart:86)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #4      _runGuarded (dart:async/stream_controller.dart:814)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #5      _StreamController._subscribe.<anonymous closure> (dart:async/stream_controller.dart:692)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #6      _BufferingStreamSubscription._guardCallback (dart:async/stream_impl.dart:417)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #7      _StreamController._subscribe (dart:async/stream_controller.dart:691)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #8      _ControllerStream._createSubscription (dart:async/stream_controller.dart:827)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #9      _StreamImpl.listen (dart:async/stream_impl.dart:473)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #10     _StreamIterator._initializeOrDone (dart:async/stream_impl.dart:1028)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #11     _StreamIterator.moveNext (dart:async/stream_impl.dart:1004)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #12     HostScanner._getHostFromPing (package:network_tools/src/host_scanner.dart)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #13     HostScanner.getAllPingableDevices (package:network_tools/src/host_scanner.dart:41)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: <asynchronous suspension>
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: #14     CompaniesConnectorConjector.searchPingableDevicesAndSetThemUpByHostName (package:cbj_hub/infrastructure/devices/companies_connector_conjector.dart:257)
2022-08-23T15:55:19+03:00 cbj-hub.cbj-hub[39145]: <asynchronous suspension>
2022-08-23T15:55:19+03:00 systemd[1]: snap.cbj-hub.cbj-hub.service: Main process exited, code=exited, status=255/EXCEPTION
2022-08-23T15:55:19+03:00 systemd[1]: snap.cbj-hub.cbj-hub.service: Failed with result 'exit-code'.
2022-08-23T15:55:20+03:00 systemd[1]: snap.cbj-hub.cbj-hub.service: Scheduled restart job, restart counter is at 5.
2022-08-23T15:55:20+03:00 systemd[1]: Stopped Service for snap application cbj-hub.cbj-hub.
2022-08-23T15:55:20+03:00 systemd[1]: snap.cbj-hub.cbj-hub.service: Start request repeated too quickly.
2022-08-23T15:55:20+03:00 systemd[1]: snap.cbj-hub.cbj-hub.service: Failed with result 'exit-code'.
2022-08-23T15:55:20+03:00 systemd[1]: Failed to start Service for snap application cbj-hub.cbj-hub.

Tested the same thing, but this time with inetutils-ping in stage-packages and using install --dangerous, and I am getting a similar error.

So connecting the plugs will not help :frowning:

Still not working, would love to hear suggestions

Installed using --dangerous, didn’t add anything new to stage-packages. Added all of the following plugs for the test:

`plugs: [network, network-bind, hardware-observe, system-observe, avahi-control, firewall-control, network-control, network-observe, process-control, system-trace, bluetooth-control, netlink-audit, netlink-connector, qualcomm-ipc-router]`

Snap is running as daemon: simple

And here is the output of snappy-debug (not snappy-debug.security scanlog like before)

:~$ snappy-debug  
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= AppArmor =
Time: Aug 23 16:51:42
Log: apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=72228 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)

= AppArmor =
Time: Aug 23 16:51:42
Log: apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=72228 comm="snap-confine" capability=38  capname="perfmon"
Capability: perfmon
Suggestions:
* adjust program to not require 'CAP_PERFMON' (see 'man 7 capabilities')
* do nothing if program otherwise works properly

= AppArmor =
Time: Aug 23 16:51:42
Log: apparmor="DENIED" operation="open" profile="snap.cbj-hub.cbj-hub" name="/etc/" pid=72228 comm="DartWorker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /etc/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)

= AppArmor =
Time: Aug 23 16:51:43
Log: apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=72461 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)

= AppArmor =
Time: Aug 23 16:51:43
Log: apparmor="DENIED" operation="open" profile="snap.cbj-hub.cbj-hub" name="/etc/" pid=72461 comm="DartWorker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /etc/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)

= AppArmor =
Time: Aug 23 16:51:44
Log: apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=72691 comm="snap-confine" capability=12  capname="net_admin"
Capability: net_admin
Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control, qualcomm-ipc-router' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)

= AppArmor =
Time: Aug 23 16:51:44
Log: apparmor="DENIED" operation="open" profile="snap.cbj-hub.cbj-hub" name="/etc/" pid=72691 comm="DartWorker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /etc/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)

= AppArmor =
Time: Aug 23 16:51:47
Log: apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=8859 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Aug 23 16:51:47
Log: apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/4402/cmdline" pid=8859 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4402/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Aug 23 16:51:52
Log: apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=8859 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Aug 23 16:51:52
Log: apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/4402/cmdline" pid=8859 comm="Utils" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/4402/cmdline (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Aug 23 16:51:52
Log: apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=8859 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
Ptrace: peer=unconfined (read)
Suggestions:
* add 'system-observe' to 'plugs'
* do nothing if program otherwise works properly

^C
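
The capture above mixes denials from three AppArmor profiles: the hub's own `snap.cbj-hub.cbj-hub`, `/usr/lib/snapd/snap-confine`, and an unrelated `snap.discord.discord`. As an added example (not part of the original posts), this Python code groups denial records by profile so that only the snap's own denials are weighed when choosing plugs; the function names are illustrative and the sample lines are copied from the logs in this thread.

```python
import re
from collections import defaultdict

# Denial records copied from the snappy-debug output posted in this thread.
SAMPLE_LOG = """\
apparmor="DENIED" operation="exec" profile="snap.cbj-hub.cbj-hub" name="/usr/bin/ping" pid=11543 comm="DartWorker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="snap.cbj-hub.cbj-hub" name="/usr/bin/timeout" pid=11513 comm="DartWorker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="snap.cbj-hub.cbj-hub" name="/etc/" pid=72228 comm="DartWorker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=72228 comm="snap-confine" capability=12  capname="net_admin"
apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=8859 comm="Utils" requested_mask="read" denied_mask="read" peer="unconfined"
"""

# key="quoted value" or key=bare_value
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of one AppArmor DENIED record, or None."""
    fields = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields if fields.get("apparmor") == "DENIED" else None


def denials_by_profile(log_text):
    """Group unique (operation, target) denials under the profile that hit them."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        # File denials carry name=, capability denials capname=, ptrace peer=.
        target = rec.get("name") or rec.get("capname") or rec.get("peer", "")
        grouped[rec.get("profile", "")].add((rec.get("operation", ""), target))
    return {profile: sorted(items) for profile, items in grouped.items()}


def snap_denials(log_text, snap, app):
    """Denials recorded against one snap app's own profile, snap.<snap>.<app>."""
    return denials_by_profile(log_text).get(f"snap.{snap}.{app}", [])


if __name__ == "__main__":
    for op, target in snap_denials(SAMPLE_LOG, "cbj-hub", "cbj-hub"):
        print(f"{op:8} {target}")
```
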

Note most of these interfaces are not auto-connected so you will need to manually snap connect cbj_hub:firewall-control etc for each of them - can you please make sure you have done that?

Yes, I have done that.

Fixed the problem.

I think it was something to do with the limit of the snap container, the program inside snap can’t send too many ping requests at the same time.

So I have split the requests into two parts, along with a few more changes, and that fixed the issue for me.

It seems that I had several issues with snap at the same time.

After fixing the one I am describing in the message above, I got back the previous error ProcessException: Permission denied on the ping command.

In my tests I saw that network-observe plug can solve it but I wanted to test as @alexmurray said to ship ping binary within your snap. Found out that

ping is a virtual package

And provided by two packages (that are not installed on my os) inetutils-ping and iputils-ping. So I have added iputils-ping to my snap stage-packages: part and it seems to work :smiley:.

Thanks all for the help.

Excellent - thanks, I will remove this request from our side then.