Request for interface auto-connection for appspace-app, appspace-app-qa, and appspace-app-dev

-1 from me for auto-connect of physical-memory-observe. This interface is not necessary in order to query memory usage and availability.

@iko.darius: I’m not sure what mechanism you’re using to query the system, but /proc/meminfo is readable without connecting any interfaces.


Thanks, @alexmurray.

Thanks, @msalvatore . After testing without physical-memory-observe connection, our app is able to obtain memory info, so we don’t need physical-memory-observe for now. We are using a nodejs npm package.

So far we still require auto-connect for these interfaces: shutdown, hardware-observe, network-observe, system-observe, mount-observe.

@iko.darius, that’s good to hear. I would suggest testing without some of the other interfaces as well to check whether or not they’re really necessary. You can use snappy-debug to alert you of any denials. snappy-debug will recommend interfaces based on the behavior it observes in your snap. Instructions on using snappy-debug can be found here.

Just as the information you provided for physical-memory-observe helped us determine that it wasn’t really necessary, it might also help us if you could provide more insight into why you need hardware-observe, network-observe, system-observe, and mount-observe.

Here is the log without those connections:

INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= AppArmor =
Time: Aug 10 18:35:31
Log: apparmor="DENIED" operation="capable" profile="/snap/core/9665/usr/lib/snapd/snap-confine" pid=5031 comm="snap-confine" capability=4  capname="fsetid"
Capability: fsetid
Suggestions:
* adjust program to not require 'CAP_FSETID' (see 'man 7 capabilities')
* add one of 'account-control' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Aug 10 18:35:35
Log: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/" interface="org.freedesktop.DBus." member="GetManagedObjects" mask="send" name="org.bluez" pid=5031 label="snap.appspace-app.appspace-app" peer_pid=1117 peer_label="unconfined"
DBus access

= AppArmor =
Time: Aug 10 18:35:38
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/ip" pid=5322 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/ip (exec)
Suggestions:
* adjust snap to ship 'ip'
* adjust program to use relative paths if the snap already ships 'ip'
* add one of 'network-control, network-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:35:38
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/ip" pid=5328 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/ip (exec)
Suggestions:
* adjust snap to ship 'ip'
* adjust program to use relative paths if the snap already ships 'ip'
* add one of 'network-control, network-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:35:38
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/ip" pid=5330 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/ip (exec)
Suggestions:
* adjust snap to ship 'ip'
* adjust program to use relative paths if the snap already ships 'ip'
* add one of 'network-control, network-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:35:38
Log: apparmor="DENIED" operation="open" profile="snap.appspace-app.appspace-app" name="/sys/devices/virtual/net/lo/addr_assign_type" pid=5332 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/virtual/net/lo/addr_assign_type (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/net/lo/addr_assign_type'

= AppArmor =
Time: Aug 10 18:35:38
Log: apparmor="DENIED" operation="open" profile="snap.appspace-app.appspace-app" name="/sys/devices/virtual/net/lo/address" pid=5333 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/virtual/net/lo/address (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/net/lo/address'

= AppArmor =
Time: Aug 10 18:35:38
Log: apparmor="DENIED" operation="open" profile="snap.appspace-app.appspace-app" name="/sys/devices/virtual/net/lo/addr_len" pid=5334 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/virtual/net/lo/addr_len (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/net/lo/addr_len'

= AppArmor =
Time: Aug 10 18:35:38
Log: apparmor="DENIED" operation="open" profile="snap.appspace-app.appspace-app" name="/sys/devices/virtual/net/lo/broadcast" pid=5335 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/virtual/net/lo/broadcast (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/net/lo/broadcast'

= AppArmor =
Time: Aug 10 18:35:38
Log: apparmor="DENIED" operation="open" profile="snap.appspace-app.appspace-app" name="/sys/devices/virtual/net/lo/carrier" pid=5336 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/virtual/net/lo/carrier (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/net/lo/carrier'

= AppArmor =
Time: Aug 10 18:35:38
Log: apparmor="DENIED" operation="open" profile="snap.appspace-app.appspace-app" name="/sys/devices/virtual/net/lo/carrier_changes" pid=5337 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/devices/virtual/net/lo/carrier_changes (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/net/lo/carrier_changes'

= AppArmor =
Time: Aug 10 18:36:00
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/ip" pid=5393 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/ip (exec)
Suggestions:
* adjust snap to ship 'ip'
* adjust program to use relative paths if the snap already ships 'ip'
* add one of 'network-control, network-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:05
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/ip" pid=5397 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/ip (exec)
Suggestions:
* adjust snap to ship 'ip'
* adjust program to use relative paths if the snap already ships 'ip'
* add one of 'network-control, network-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:05
Log: apparmor="DENIED" operation="open" profile="snap.appspace-app.appspace-app" name="/var/lib/snapd/hostfs/usr/lib/os-release" pid=5401 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /var/lib/snapd/hostfs/usr/lib/os-release (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'system-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:06
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5405 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:07
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5409 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:08
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5413 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:09
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5417 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:10
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5421 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:11
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5425 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:12
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5429 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:13
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5433 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:14
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5437 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:15
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5441 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:16
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5445 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:17
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5449 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:18
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5453 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:19
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5457 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:20
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5461 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:21
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5465 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:22
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5469 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:23
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5473 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:24
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5477 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:25
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5481 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:26
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5485 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:27
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5489 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:28
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5493 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:29
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5497 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:30
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5501 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:31
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5505 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:32
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5509 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:33
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5513 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'

= AppArmor =
Time: Aug 10 18:36:34
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5517 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /bin/df (exec)
Suggestions:
* adjust snap to ship 'df'
* adjust program to use relative paths if the snap already ships 'df'
* add one of 'mount-observe' to 'plugs'
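An added example, not part of the original thread and not snappy-debug's own code: a short Python script that collapses snappy-debug output like the log above into one row per denied target and lists which plugs the tool suggested for the snap's own profile. The function name `summarize` and the trimmed sample (entries copied from the log above, with the Time and File lines dropped) are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Entries copied from the log quoted in the thread, trimmed to six (Time/File lines dropped).
SAMPLE = """\
= AppArmor =
Log: apparmor="DENIED" operation="capable" profile="/snap/core/9665/usr/lib/snapd/snap-confine" pid=5031 comm="snap-confine" capability=4  capname="fsetid"
Suggestions:
* add one of 'account-control' to 'plugs'
= AppArmor =
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/ip" pid=5322 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Suggestions:
* adjust snap to ship 'ip'
* add one of 'network-control, network-observe' to 'plugs'
= AppArmor =
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/ip" pid=5328 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Suggestions:
* add one of 'network-control, network-observe' to 'plugs'
= AppArmor =
Log: apparmor="DENIED" operation="open" profile="snap.appspace-app.appspace-app" name="/sys/devices/virtual/net/lo/address" pid=5333 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Suggestion:
* adjust program to not access '/sys/devices/virtual/net/lo/address'
= AppArmor =
Log: apparmor="DENIED" operation="open" profile="snap.appspace-app.appspace-app" name="/var/lib/snapd/hostfs/usr/lib/os-release" pid=5401 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Suggestions:
* add 'system-observe' to 'plugs'
= AppArmor =
Log: apparmor="DENIED" operation="exec" profile="snap.appspace-app.appspace-app" name="/bin/df" pid=5405 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Suggestions:
* add one of 'mount-observe' to 'plugs'
"""

KV = re.compile(r'(\w+)="([^"]*)"')                      # quoted key="value" pairs in a Log line
PLUG = re.compile(r"\* add (?:one of )?'([^']+)' to 'plugs'")

def summarize(text, profile):
    """Return (denial counts per (operation, target), targets per suggested plug,
    targets with no plug suggestion) for denials recorded against `profile`."""
    hits, by_plug, no_plug = Counter(), defaultdict(set), set()
    for block in re.split(r"^= AppArmor =$", text, flags=re.M)[1:]:
        log = next((l for l in block.splitlines() if l.startswith("Log: ")), "")
        fields = dict(KV.findall(log))
        # Skip denials logged against other profiles (e.g. snap-confine itself).
        if profile not in (fields.get("profile"), fields.get("label")):
            continue
        target = fields.get("name", "?")
        hits[(fields.get("operation"), target)] += 1      # pid and time are ignored
        plugs = [p.strip() for m in PLUG.finditer(block) for p in m.group(1).split(",")]
        for plug in plugs:
            by_plug[plug].add(target)
        if not plugs:
            no_plug.add(target)
    return hits, dict(by_plug), sorted(no_plug)

if __name__ == "__main__":
    hits, by_plug, no_plug = summarize(SAMPLE, "snap.appspace-app.appspace-app")
    for (op, target), n in hits.most_common():
        print(f"{n:3d}  {op:5s} {target}")
    for plug, targets in sorted(by_plug.items()):
        print(f"{plug}: {', '.join(sorted(targets))}")
    print("no plug suggested:", no_plug)
```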

+1 from me for auto-connect of shutdown, pending publisher vetting by the @advocacy team.

+1 from me for auto-connect of network-observe, system-observe, and mount-observe.

-1 from me for auto-connect of hardware-observe. I didn’t see anything in that log that indicates hardware-observe is required.

+2 for, 0 against, 0 abstained for auto-connect of shutdown pending publisher vetting.
+2 for, 0 against, 0 abstained for auto-connect of network-observe, system-observe, and mount-observe.
+1 for, -1 against, 0 abstained for auto-connect of physical-memory-observe and hardware-observe.

@advocacy, can you please perform publisher vetting?

I’ve applied the auto-connects for network-observe, system-observe, and mount-observe for appspace-apps.

Thank you, @msalvatore.

We have tested appspace-app without hardware-observe and it is still working properly.

We have verified that network-observe, system-observe, and mount-observe are auto-connected once appspace-app is installed from the beta channel.

So far, the leftover request is shutdown.

Just ping us if you need more information from us.

@iko.darius As part of our vetting process, I reached out directly to appspace via the contact form, but I’ve not seen any reply. Could you chase that up internally please? While I’m aware that you are a member of the org, we need an official confirmation to complete the vetting.

@Igor Sure, we’re engaging our internal team. Thank you.

I’ve verified the publisher, +1 from me.

+2 votes for, 0 votes against, publisher verified. Granting auto-connect of shutdown to appspace-app. This is now live.

Thank you.

We have verified that network-observe, system-observe, mount-observe, and shutdown are auto-connected once appspace-app is installed from the beta channel.