Requesting auto-connect


#1

Requesting auto-connecting interfaces for https://snapcraft.io/gphoto2-eberkund

Also, if I could take over the “gphoto2” namespace, since it doesn’t appear to be used, that would be nice also.

    plugs: 
      - camera
      - raw-usb 
      - network-control
      - removable-media
      - home

#2

home already autoconnects.

I find it surprising that a photo application requires being able to configure the network via network-control. Why is this needed?

Can you provide more details why the others are required to auto-connect?


#3

That was because of an error where libusb was throwing “unable to initialize libusb: -99”. There was a bug on Launchpad somewhere which suggested adding the network-control interface, and after I did that the error went away. Unable to find that link now…


#4

Can you snap disconnect that interface and try to reproduce, then add any policy violations from journalctl/syslog? I suspect you only need network and not network-control.


#5

I can confirm it works when network-control is connected and does not work when network-control is disconnected.

Output from grep audit /var/log/syslog:

    Mar 26 20:02:10 ubuntu kernel: [17572.048184] kauditd_printk_skb: 5 callbacks suppressed
    Mar 26 20:02:10 ubuntu kernel: [17572.048287] audit: type=1400 audit(1553655730.183:306): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.gphoto2-eberkund" pid=48505 comm="apparmor_parser"
    Mar 26 20:02:10 ubuntu kernel: [17572.111469] audit: type=1400 audit(1553655730.247:307): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.gphoto2-eberkund.gphoto2" pid=48506 comm="apparmor_parser"
    Mar 26 20:02:10 ubuntu kernel: [17572.119303] audit: type=1400 audit(1553655730.255:308): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine" pid=48508 comm="apparmor_parser"
    Mar 26 20:02:10 ubuntu kernel: [17572.119317] audit: type=1400 audit(1553655730.255:309): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=48508 comm="apparmor_parser"
    Mar 26 20:02:10 ubuntu kernel: [17572.127153] audit: type=1400 audit(1553655730.263:310): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=48510 comm="apparmor_parser"
    Mar 26 20:02:10 ubuntu kernel: [17572.127958] audit: type=1400 audit(1553655730.263:311): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=48511 comm="apparmor_parser"
    Mar 26 20:02:16 ubuntu kernel: [17577.850936] audit: type=1400 audit(1553655735.995:312): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:02:16 ubuntu kernel: [17577.850945] audit: type=1400 audit(1553655735.995:313): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/proc/48544/mounts" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Mar 26 20:02:16 ubuntu kernel: [17577.863291] audit: type=1326 audit(1553655736.007:314): auid=1000 uid=1000 gid=1000 ses=4 subj==snap.gphoto2-eberkund.gphoto2 (enforce) pid=48544 comm="gphoto2" exe="/snap/gphoto2-eberkund/x6/usr/bin/gphoto2" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f700f2fbec7 code=0x50000
    Mar 26 20:02:16 ubuntu kernel: [17577.864188] audit: type=1400 audit(1553655736.007:315): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/block/" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:02:16 ubuntu kernel: [17577.864940] audit: type=1400 audit(1553655736.007:316): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/devices/pci0000:00/0000:00:10.0/modalias" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:02:28 ubuntu kernel: [17590.073952] audit: type=1400 audit(1553655748.226:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine" pid=48618 comm="apparmor_parser"
    Mar 26 20:02:28 ubuntu kernel: [17590.073956] audit: type=1400 audit(1553655748.226:318): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=48618 comm="apparmor_parser"
    Mar 26 20:02:28 ubuntu kernel: [17590.079387] audit: type=1400 audit(1553655748.234:319): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=48620 comm="apparmor_parser"
    Mar 26 20:02:28 ubuntu kernel: [17590.079971] audit: type=1400 audit(1553655748.234:320): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=48621 comm="apparmor_parser"
    Mar 26 20:02:30 ubuntu kernel: [17592.217798] audit: type=1400 audit(1553655750.393:321): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.gphoto2-eberkund.gphoto2" pid=48732 comm="apparmor_parser"
    Mar 26 20:02:30 ubuntu kernel: [17592.227465] audit: type=1400 audit(1553655750.401:322): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.gphoto2-eberkund" pid=48734 comm="apparmor_parser"
    Mar 26 20:02:32 ubuntu kernel: [17594.128590] audit: type=1400 audit(1553655752.318:323): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48735 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:02:32 ubuntu kernel: [17594.133305] audit: type=1400 audit(1553655752.322:324): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/block/" pid=48735 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:02:32 ubuntu kernel: [17594.133486] audit: type=1400 audit(1553655752.322:325): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/devices/pci0000:00/0000:00:10.0/modalias" pid=48735 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:02:33 ubuntu kernel: [17595.696496] audit: type=1400 audit(1553655753.894:326): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48780 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:02:33 ubuntu kernel: [17595.700792] audit: type=1400 audit(1553655753.898:327): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/block/" pid=48780 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:02:33 ubuntu kernel: [17595.700975] audit: type=1400 audit(1553655753.898:328): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/devices/pci0000:00/0000:00:10.0/modalias" pid=48780 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:03:10 ubuntu kernel: [17631.997365] audit: type=1400 audit(1553655790.296:329): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.gphoto2-eberkund.gphoto2" pid=48948 comm="apparmor_parser"
    Mar 26 20:03:10 ubuntu kernel: [17632.005506] audit: type=1400 audit(1553655790.304:330): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.gphoto2-eberkund" pid=48950 comm="apparmor_parser"
    Mar 26 20:03:10 ubuntu kernel: [17632.040357] audit: type=1400 audit(1553655790.336:331): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine" pid=48958 comm="apparmor_parser"
    Mar 26 20:03:10 ubuntu kernel: [17632.040367] audit: type=1400 audit(1553655790.336:332): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6531/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=48958 comm="apparmor_parser"
    Mar 26 20:03:10 ubuntu kernel: [17632.049451] audit: type=1400 audit(1553655790.348:333): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=48960 comm="apparmor_parser"
    Mar 26 20:03:10 ubuntu kernel: [17632.050818] audit: type=1400 audit(1553655790.348:334): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=48961 comm="apparmor_parser"
    Mar 26 20:03:12 ubuntu kernel: [17634.196237] audit: type=1400 audit(1553655792.502:335): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48962 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
    Mar 26 20:03:12 ubuntu kernel: [17634.196241] audit: type=1400 audit(1553655792.502:336): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/proc/48962/mounts" pid=48962 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
    Mar 26 20:03:12 ubuntu kernel: [17634.196962] audit: type=1326 audit(1553655792.502:337): auid=1000 uid=1000 gid=1000 ses=4 subj==snap.gphoto2-eberkund.gphoto2 (enforce) pid=48962 comm="gphoto2" exe="/snap/gphoto2-eberkund/x6/usr/bin/gphoto2" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7ff1809ceec7 code=0x50000
    Mar 26 20:03:12 ubuntu kernel: [17634.197131] audit: type=1400 audit(1553655792.502:338): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/block/" pid=48962 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

#6

You can plug the mount-observe interface for some of these. hardware-observe would cover many of the others. I suspect what network-control is giving you is access to some AF_NETLINK sockets. I suggest removing network-control and trying network and if that doesn’t work, network-observe might (but I would still ask why gphoto2 needs to observe the network).

If network doesn’t work, can you install your snap in devmode (snap install --dangerous --devmode /path/to/your/snap), then do snap run --strace gphoto2-eberkund... and exercise your snap, then put the output of this command somewhere so I can review what it is doing?
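
The denial triage discussed in this thread, as an added example that is not part of any post: a Python helper that collapses `grep audit /var/log/syslog` output into the distinct AppArmor denials and seccomp-blocked syscalls for one snap. The sample lines are copied from the log posted above; the function name `triage` and the small x86_64 syscall table are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the syslog excerpt posted in the thread.
SAMPLE = """\
Mar 26 20:02:10 ubuntu kernel: [17572.111469] audit: type=1400 audit(1553655730.247:307): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.gphoto2-eberkund.gphoto2" pid=48506 comm="apparmor_parser"
Mar 26 20:02:16 ubuntu kernel: [17577.850936] audit: type=1400 audit(1553655735.995:312): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:16 ubuntu kernel: [17577.850945] audit: type=1400 audit(1553655735.995:313): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/proc/48544/mounts" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Mar 26 20:02:16 ubuntu kernel: [17577.863291] audit: type=1326 audit(1553655736.007:314): auid=1000 uid=1000 gid=1000 ses=4 subj==snap.gphoto2-eberkund.gphoto2 (enforce) pid=48544 comm="gphoto2" exe="/snap/gphoto2-eberkund/x6/usr/bin/gphoto2" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f700f2fbec7 code=0x50000
Mar 26 20:02:16 ubuntu kernel: [17577.864188] audit: type=1400 audit(1553655736.007:315): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/sys/block/" pid=48544 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 26 20:02:32 ubuntu kernel: [17594.128590] audit: type=1400 audit(1553655752.318:323): apparmor="DENIED" operation="open" profile="snap.gphoto2-eberkund.gphoto2" name="/etc/fstab" pid=48735 comm="gphoto2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Names for the few x86_64 (arch=c000003e) syscall numbers this helper labels.
X86_64 = {41: "socket", 42: "connect", 49: "bind"}

def triage(log_text, snap):
    """Count distinct AppArmor denials and seccomp-blocked syscalls for one snap."""
    prefix = f"snap.{snap}."
    denials, syscalls = Counter(), Counter()
    for line in log_text.splitlines():
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if f.get("apparmor") == "DENIED" and f.get("profile", "").startswith(prefix):
            # Fold per-process paths so repeated runs collapse into one entry.
            path = re.sub(r"^/proc/\d+/", "/proc/<pid>/", f.get("name", "?"))
            denials[(f.get("operation"), path, f.get("denied_mask"))] += 1
        elif f.get("type") == "1326" and f.get("subj", "").lstrip("=").startswith(prefix):
            # type=1326 is a seccomp record; the subj value carries a leading "=".
            nr = int(f["syscall"])
            known = X86_64.get(nr) if f.get("arch") == "c000003e" else None
            syscalls[known or f"syscall {nr} (arch {f.get('arch')})"] += 1
    return denials, syscalls

if __name__ == "__main__":
    denials, syscalls = triage(SAMPLE, "gphoto2-eberkund")
    for (op, path, mask), n in sorted(denials.items()):
        print(f"apparmor  {op:5} {mask:3} {path}  x{n}")
    for name, n in syscalls.items():
        print(f"seccomp   {name}  x{n}")
```

On the sample, the seccomp record resolves to syscall 41, which is `socket` on x86_64, next to read denials for /etc/fstab, /proc/<pid>/mounts and /sys/block/.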


#7

This request cannot proceed without the above.


#8

Hi, your suggestion worked. This is the new set of plugs:

    plugs:
      - camera
      - raw-usb 
      - mount-observe
      - hardware-observe
      - removable-media
      - home

#9

@jdstrand can this be approved now with those changes?