Request classic confinement for attrack

Hi there,

I would like to provide a snap package for the AtTrack application. This is a time tracker based on Electron. I tried to build it with strict confinement, but the problem is that AtTrack uses Electron's powerMonitor module to know that the system is going to suspend/resume/shut down and to start/stop the application accordingly. If I understood correctly, there is no such interface that can give access for powerMonitor.

I am not sure how detailed you need the description of the program as this is my first classic request. Please let me know if you need more information.

Can you please try running the application (with strict confinement enabled) along with snappy-debug? See https://snapcraft.io/docs/debug-snaps for more info - but this should suggest appropriate interfaces to use. I hope that perhaps upower-observe may be sufficient for this use-case.

Unfortunately it didn’t help.

Here is my snap.yaml file

name: attrack
version: 2.6.1
summary: AtTrack
description: An automatic time tracker for a successful take off of your business
apps:
  attrack:
    command: command.sh
    plugs:
    - desktop
    - desktop-legacy
    - home
    - x11
    - wayland
    - unity7
    - browser-support
    - network
    - gsettings
    - audio-playback
    - pulseaudio
    - opengl
    - screen-inhibit-control
    - process-control
    - system-observe
    - upower-observe
    - shutdown
    - personal-files
    - system-files
    environment:
      DISABLE_WAYLAND: '1'
      TMPDIR: $XDG_RUNTIME_DIR
      PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
      SNAP_DESKTOP_RUNTIME: $SNAP/gnome-platform
      LD_LIBRARY_PATH: $SNAP_LIBRARY_PATH:$SNAP/lib:$SNAP/usr/lib:$SNAP/lib/x86_64-linux-gnu:$SNAP/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH:$SNAP/lib:$SNAP/usr/lib:$SNAP/lib/x86_64-linux-gnu:$SNAP/usr/lib/x86_64-linux-gnu
architectures:
- amd64
base: core18
confinement: strict
grade: devel
plugs:
  gnome-3-28-1804:
    interface: content
    target: $SNAP/gnome-platform
    default-provider: gnome-3-28-1804
  gtk-3-themes:
    interface: content
    target: $SNAP/data-dir/themes
    default-provider: gtk-common-themes
  icon-themes:
    interface: content
    target: $SNAP/data-dir/icons
    default-provider: gtk-common-themes
  personal-files:
    interface: personal-files
    write:
    - $HOME/.cache
    - $HOME/.config
  sound-themes:
    interface: content
    target: $SNAP/data-dir/sounds
    default-provider: gtk-common-themes
  system-files:
    interface: system-files
    read:
    - /etc
title: AtTrack

Here are the errors in the app itself

[7913:0819/083643.706082:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.login1.Manager.Inhibit: object_path= /org/freedesktop/login1: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.146" (uid=1000 pid=7913 comm="/snap/attrack/x1/app/attrack --no-sandbox --enable" label="snap.attrack.attrack (enforce)") interface="org.freedesktop.login1.Manager" member="Inhibit" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1025 comm="/lib/systemd/systemd-logind " label="unconfined")
[7913:0819/083643.706387:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.login1.Manager.Inhibit: object_path= /org/freedesktop/login1: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.146" (uid=1000 pid=7913 comm="/snap/attrack/x1/app/attrack --no-sandbox --enable" label="snap.attrack.attrack (enforce)") interface="org.freedesktop.login1.Manager" member="Inhibit" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1025 comm="/lib/systemd/systemd-logind " label="unconfined")

And here is the output of snappy-debug

= Seccomp =
Time: Aug 19 08:36:36
Log: auid=1000 uid=1000 gid=1000 ses=3 subj=? pid=7913 comm="attrack" exe="/snap/attrack/x1/app/attrack" sig=0 arch=c000003e 330(pkey_alloc) compat=0 ip=0x7f2feb50f4e7 code=0x50000
Syscall: pkey_alloc

= AppArmor =
Time: Aug 19 08:36:39
Log: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=7913 label="snap.attrack.attrack" peer_pid=983 peer_label="unconfined"
DBus access

= AppArmor =
Time: Aug 19 08:36:43
Log: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="Inhibit" mask="send" name="org.freedesktop.login1" pid=7913 label="snap.attrack.attrack" peer_pid=1025 peer_label="unconfined"
DBus access
Suggestion:
* try adding 'shutdown' to 'plugs'

= Seccomp =
Time: Aug 19 08:36:53
Log: auid=1000 uid=1000 gid=1000 ses=3 subj=? pid=8181 comm="attrack" exe="/snap/attrack/x1/app/attrack" sig=0 arch=c000003e 330(pkey_alloc) compat=0 ip=0x7f333b0644e7 code=0x50000
Syscall: pkey_alloc

The shutdown plug is not connected by default - so you will need to manually connect it first:

sudo snap connect attrack:shutdown

Sorry, I forgot to mention it. I manually connected all plugs which do not support auto-connect.

- process-control
- system-observe
- shutdown
- personal-files
- system-files

audio-playback            attrack:audio-playback                    :audio-playback                  -
browser-support           attrack:browser-support                   :browser-support                 -
content[gnome-3-28-1804]  attrack:gnome-3-28-1804                   gnome-3-28-1804:gnome-3-28-1804  -
content[gtk-3-themes]     attrack:gtk-3-themes                      gtk-common-themes:gtk-3-themes   -
content[icon-themes]      attrack:icon-themes                       gtk-common-themes:icon-themes    -
content[sound-themes]     attrack:sound-themes                      gtk-common-themes:sound-themes   -
desktop                   attrack:desktop                           :desktop                         -
desktop-legacy            attrack:desktop-legacy                    :desktop-legacy                  -
gsettings                 attrack:gsettings                         :gsettings                       -
home                      attrack:home                              :home                            -
network                   attrack:network                           :network                         -
opengl                    attrack:opengl                            :opengl                          -
personal-files            attrack:personal-files                    :personal-files                  manual
process-control           attrack:process-control                   :process-control                 manual
screen-inhibit-control    attrack:screen-inhibit-control            :screen-inhibit-control          -
shutdown                  attrack:shutdown                          :shutdown                        manual
system-files              attrack:system-files                      :system-files                    manual
system-observe            attrack:system-observe                    :system-observe                  manual
unity7                    attrack:unity7                            :unity7                          -
upower-observe            attrack:upower-observe                    :upower-observe                  -
wayland                   attrack:wayland                           :wayland                         -
x11                       attrack:x11                               :x11                             -

@pfsmorigo Hi there.

Review for this snap (AtTrack, publisher AtTrack (hello@attrack.com)) was rejected with message:

This snap is using 'classic' confinement. In order to use classic confinement, please make a request in the forum by following the process outlined in https://forum.snapcraft.io/t/process-for-reviewing-classic-confinement-snaps/1460.
Thanks! 

But I made this request, which is still ongoing as far as I can tell. Should I press "Request manual review"?

@nnseleznev can you confirm if the snap is now working as expected under strict confinement?

No, I can't. The snap is not working as expected. Electron's powerMonitor module doesn't have access to the system and doesn't see events when the system is going to suspend/resume/shutdown/reboot.

OK, I think you are going to have to try and provide some more details so we can help get your snap working under strict confinement, since as it currently stands this snap does not meet the criteria for classic confinement as per Process for reviewing classic confinement snaps.

Can you please try and get logs from the application and the system when the snap is running and then when doing a suspend/resume cycle etc., so we can see if there are any denials?

All logs that I could collect are in my message above.

App’s workflow step by step

  1. The app initializes all internal services, including the PowerMonitorListener service, which is a wrapper around Electron's powerMonitor module
...

onModuleInit(): void {
    this.isLocked = false;
    this.isPaused = false;

    // powerMonitor is Electron's main-process module. On Linux it subscribes
    // to these events through logind over DBus, which is the
    // org.freedesktop.login1.Manager.Inhibit call seen in the errors below.
    powerMonitor
      .on('shutdown', () => this.dispatchShutdown())
      .on('suspend', () => {
        this.isPaused = true;
        this.dispatchLock();
      })
      .on('lock-screen', () => {
        this.isLocked = true;
        this.dispatchLock();
      })
      .on('resume', () => {
        this.isPaused = false;
        this.dispatchUnlock();
      })
      .on('unlock-screen', () => {
        this.isLocked = false;
        this.dispatchUnlock();
      });
  }

...

  2. Exactly at this point, when powerMonitor tries to register its listeners, the system throws errors
[7913:0819/083643.706082:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.login1.Manager.Inhibit: object_path= /org/freedesktop/login1: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.146" (uid=1000 pid=7913 comm="/snap/attrack/x1/app/attrack --no-sandbox --enable" label="snap.attrack.attrack (enforce)") interface="org.freedesktop.login1.Manager" member="Inhibit" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1025 comm="/lib/systemd/systemd-logind " label="unconfined")
[7913:0819/083643.706387:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.login1.Manager.Inhibit: object_path= /org/freedesktop/login1: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.146" (uid=1000 pid=7913 comm="/snap/attrack/x1/app/attrack --no-sandbox --enable" label="snap.attrack.attrack (enforce)") interface="org.freedesktop.login1.Manager" member="Inhibit" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1025 comm="/lib/systemd/systemd-logind " label="unconfined")

And snappy-debug shows

= AppArmor =
Time: Aug 19 08:36:39
Log: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=7913 label="snap.attrack.attrack" peer_pid=983 peer_label="unconfined"
DBus access

= AppArmor =
Time: Aug 19 08:36:43
Log: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="Inhibit" mask="send" name="org.freedesktop.login1" pid=7913 label="snap.attrack.attrack" peer_pid=1025 peer_label="unconfined"
DBus access
Suggestion:
* try adding 'shutdown' to 'plugs'

That's it. There are no more errors while the app is running or while the system is going to suspend/resume etc. Electron's powerMonitor module just doesn't see any events because Electron failed to register the listeners.
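The post above quotes two kinds of denial evidence: Chromium's object_proxy.cc errors from inside the app and the AppArmor audit lines that snappy-debug echoes, plus a `snap connections` table from an earlier reply. The following is an added example, not code from this thread or from the AtTrack project: a small Node.js triage script that parses both line formats, groups denials by bus, destination, interface and member, and classifies each against the declared and connected plugs. The sample inputs are constructed from the lines quoted in the thread; the login1 -> shutdown hint is the one snappy-debug printed above, while the org.bluez -> bluez hint and the whole `PLUG_HINTS` table are assumptions of this example rather than snappy-debug's real lookup.

```javascript
'use strict';
// Added example; not code from this thread or from the AtTrack project.
// Parses Chromium object_proxy.cc errors and AppArmor dbus_method_call
// denials, groups them, and checks each group against `snap connections`.
// Sample inputs are constructed from the lines quoted in the thread.

const APPARMOR_DBUS_RE =
  /apparmor="DENIED"\s+operation="dbus_method_call"\s+bus="(?<bus>[^"]+)"\s+path="(?<path>[^"]+)"\s+interface="(?<iface>[^"]+)"\s+member="(?<member>[^"]+)"\s+mask="(?<mask>[^"]+)"\s+name="(?<name>[^"]+)"\s+pid=(?<pid>\d+)\s+label="(?<label>[^"]+)"\s+peer_pid=(?<peerPid>\d+)\s+peer_label="(?<peerLabel>[^"]+)"/;

const CHROMIUM_DBUS_RE =
  /Failed to call method: (?<method>[\w.]+): object_path= (?<path>[^\s:]+): (?<errName>[\w.]+):.*?label="(?<label>[^"]+)".*?destination="(?<dest>[^"]+)"/;

// "<well-known bus name>|<interface>" -> plug to try. The login1 entry is the
// suggestion snappy-debug printed in the thread; the bluez entry is an assumption.
const PLUG_HINTS = {
  'org.freedesktop.login1|org.freedesktop.login1.Manager': 'shutdown',
  'org.bluez|org.freedesktop.DBus.ObjectManager': 'bluez',
};

// One AppArmor DBus denial line -> structured record, or null if not one.
function parseApparmorDbusDenial(line) {
  const m = APPARMOR_DBUS_RE.exec(line);
  if (!m) return null;
  const g = m.groups;
  return {
    bus: g.bus, path: g.path, iface: g.iface, member: g.member, mask: g.mask,
    name: g.name, pid: Number(g.pid), label: g.label,
    peerPid: Number(g.peerPid), peerLabel: g.peerLabel,
  };
}

// One Chromium object_proxy.cc error line -> structured record, or null.
function parseChromiumDbusError(line) {
  const m = CHROMIUM_DBUS_RE.exec(line);
  if (!m) return null;
  const g = m.groups;
  const dot = g.method.lastIndexOf('.');
  return {
    iface: g.method.slice(0, dot), member: g.method.slice(dot + 1),
    path: g.path, errName: g.errName, label: g.label, dest: g.dest,
  };
}

// `snap connections <snap>` output -> Map of plug name -> connected?
// Columns are Interface, Plug, Slot, Notes; '-' in the Slot column means the
// plug is declared in snap.yaml but not connected to any slot.
function parseSnapConnections(text) {
  const connected = new Map();
  for (const raw of text.split('\n')) {
    const cols = raw.trim().split(/\s+/);
    if (cols.length < 3 || cols[0] === 'Interface' || !cols[1].includes(':')) continue;
    connected.set(cols[1].split(':')[1], cols[2] !== '-');
  }
  return connected;
}

// Group denial lines by bus/name/interface.member and classify each group.
function triageDenials(apparmorLines, connectionsText) {
  const connected = parseSnapConnections(connectionsText);
  const byKey = new Map();
  for (const line of apparmorLines) {
    const d = parseApparmorDbusDenial(line);
    if (!d) continue;
    const key = `${d.bus}:${d.name}:${d.iface}.${d.member}`;
    if (!byKey.has(key)) {
      byKey.set(key, { key, count: 0, label: d.label,
        plug: PLUG_HINTS[`${d.name}|${d.iface}`] || null, status: '' });
    }
    byKey.get(key).count += 1;
  }
  for (const rec of byKey.values()) {
    if (!rec.plug) rec.status = 'no-hint';
    else if (!connected.has(rec.plug)) rec.status = 'not-declared';
    else if (!connected.get(rec.plug)) rec.status = 'declared-not-connected';
    else rec.status = 'connected-still-denied';
  }
  return [...byKey.values()];
}

// Constructed samples, copied from the lines quoted in this thread.
const SAMPLE_APPARMOR = [
  'Log: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=7913 label="snap.attrack.attrack" peer_pid=983 peer_label="unconfined"',
  'Log: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="Inhibit" mask="send" name="org.freedesktop.login1" pid=7913 label="snap.attrack.attrack" peer_pid=1025 peer_label="unconfined"',
  'Log: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="Inhibit" mask="send" name="org.freedesktop.login1" pid=7913 label="snap.attrack.attrack" peer_pid=1025 peer_label="unconfined"',
];
const SAMPLE_CHROMIUM =
  '[7913:0819/083643.706082:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.login1.Manager.Inhibit: object_path= /org/freedesktop/login1: org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.146" (uid=1000 pid=7913 comm="/snap/attrack/x1/app/attrack --no-sandbox --enable" label="snap.attrack.attrack (enforce)") interface="org.freedesktop.login1.Manager" member="Inhibit" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=1025 comm="/lib/systemd/systemd-logind " label="unconfined")';
const SAMPLE_CONNECTIONS = [
  'Interface                 Plug                                      Slot                             Notes',
  'shutdown                  attrack:shutdown                          :shutdown                        manual',
  'system-observe            attrack:system-observe                    :system-observe                  manual',
  'upower-observe            attrack:upower-observe                    :upower-observe                  -',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseChromiumDbusError(SAMPLE_CHROMIUM));
  console.table(triageDenials(SAMPLE_APPARMOR, SAMPLE_CONNECTIONS));
}
```

Run with `node triage.js` (any file name). On the thread's own data the login1 Inhibit group comes out as `connected-still-denied`, which is the interesting case: a plug that is declared and shows a slot in `snap connections` yet still produces denials means the problem is not a missing connection, so the next step is to compare the denial timestamps against when the plug was connected and, failing that, to read the generated profile for that plug rather than adding more plugs.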

Hey @nnseleznev,

It’s been a while since we last discussed. I am checking the status of this request. Did you make any progress with the errors described above?

Thanks!

@nnseleznev - ping, can you please provide the requested information?

@nnseleznev,

Ping, this request cannot proceed without the requested information.

@nnseleznev,

Since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks!