I have just pushed to the store a new snap package that I think should have classic confinement. It is called buttermanager and it is a GUI tool coded in Python 3 and QT5 for managing BTRFS filesystems. It allows creating BTRFS snapshots (something similar to the snapper tool), balancing filesystems and upgrading the system safely.
The application needs to check all the filesystems, and it depends on command line programs such as btrfs and findmnt, or apt, zypper, dnf, pacman or yaourt, for example (it supports Debian, Ubuntu and derivatives, OpenSUSE, Fedora and Arch Linux).
Hi Jamie (@jdstrand ), and thank you for the answer.
I have changed the confinement and added the block-devices interface. This is the snapcraft.yaml file:

```yaml
name: buttermanager
version: "1.1"
summary: Graphical tool to manage BTRFS filesystems
description: Manage a BTRFS filesystem with this easy to use Graphical User Interface application programmed in Python and QT5. Create BTRFS snapshots, balance filesystems and upgrade the system safely.
type: app
grade: stable
confinement: strict

apps:
  buttermanager:
    command: bin/buttermanager.sh
    plugs:
      - x11
      - desktop
      - desktop-legacy
      - wayland
      - unity7
      - home
      - block-devices

parts:
  # Pulls the code from the original source (master branch)
  # desktop-qt5 is a snapcraft part (snapcraft-desktop-helpers) from the Wiki: https://wiki.ubuntu.com/snapcraft/parts
  # It enables desktop integration for QT5 applications
  # GitHub repository for snapcraft-desktop-helpers: https://github.com/ubuntu/snapcraft-desktop-helpers
  buttermanager:
    plugin: python
    python-version: python3
    source: ../
    # python3-pyqt5 is necessary for the application to run because PyQT5 has been used to code ButterManager
    # The rest of the python dependencies are not necessary because they will be included
    # when setup.py is executed by the python snapcraft plugin
    stage-packages:
      - btrfs-tools
      - python3-pyqt5
    after: [desktop-qt5]
  # It will copy all the Python code needed for running the application
  # into the buttermanager directory
  structure:
    plugin: dump
    source: ../buttermanager
    organize:
      '*': buttermanager/
  # It will copy the buttermanager script into /bin/
  # This script contains all the commands needed to execute the application
  wrapper:
    plugin: dump
    source: scripts
```
I have rebuilt the snap package and installed it on Ubuntu 19.10 with a BTRFS filesystem. After installing the snap, I connected the plug and slot:
And I ran the application. Nevertheless, the following error is thrown:
…
…
```text
Traceback (most recent call last):
  File "buttermanager.py", line 103, in load_main_window
    ButtermanagerMainWindow(self)
  File "buttermanager.py", line 131, in __init__
    self.init_ui()
  File "buttermanager.py", line 184, in init_ui
    uuid_filesystems = filesystem.filesystem.get_btrfs_filesystems()
  File "/snap/buttermanager/x1/buttermanager/filesystem/filesystem.py", line 298, in get_btrfs_filesystems
    commandline_output = util.utils.execute_command(command, root=True)
  File "/snap/buttermanager/x1/buttermanager/util/utils.py", line 181, in execute_command
    if exist_program(single_command, root=root):
  File "/snap/buttermanager/x1/buttermanager/util/utils.py", line 301, in exist_program
    result = subprocess.Popen(command.split(), stdin=echo.stdout, stdout=subprocess.PIPE)
  File "/snap/buttermanager/x1/usr/lib/python3.5/subprocess.py", line 947, in __init__
    restore_signals, start_new_session)
  File "/snap/buttermanager/x1/usr/lib/python3.5/subprocess.py", line 1551, in _execute_child
    raise child_exception_type(errno_num, err_msg)
PermissionError: [Errno 13] Permission denied
Aborted (core dumped)
```
As you can see, there is a permission denied error, and I think it is caused at line 298 of the filesystem.py Python module. It is trying to execute the "sudo -S btrfs filesystem show" command and it fails. I think this is the problem. This application needs to execute several commands (basically it is a GUI wrapper for commands you can use to manage and display BTRFS filesystems). Is there any interface I can use to achieve this, or is classic confinement the only solution?
Yes, this is the problem. snaps are not allowed to use sudo, but you can use sudo with a snap (sudo yoursnap.cmd). You will want to adjust your program to not call sudo.
I’ve been testing the solution you have proposed, but I have reached a dead end again.
I have removed all the sudo commands from the source code. I have created a new branch called snap on GitHub for testing this.
The first attempt was to run the snap package using sudo as you suggested. This is the result:
```text
egarcia@ubuntudesk:~/Development/git/buttermanager/snap$ sudo buttermanager
mkdir: cannot create directory '/run/user/0': Permission denied
No protocol specified
QXcbConnection: Could not connect to display :0
Aborted (core dumped)
```
Then, I tried another idea. I included sudo as a stage-package in snapcraft.yaml:

```yaml
name: buttermanager
version: "1.2"
summary: Graphical tool to manage BTRFS filesystems
description: Manage a BTRFS filesystem with this easy to use Graphical User Interface application programmed in Python and QT5. Create BTRFS snapshots, balance filesystems and upgrade the system safely.
type: app
grade: stable
confinement: strict

apps:
  buttermanager:
    command: bin/buttermanager.sh
    plugs:
      - x11
      - desktop
      - desktop-legacy
      - wayland
      - unity7
      - home
      - block-devices

parts:
  # Pulls the code from the original source (master branch)
  # desktop-qt5 is a snapcraft part (snapcraft-desktop-helpers) from the Wiki: https://wiki.ubuntu.com/snapcraft/parts
  # It enables desktop integration for QT5 applications
  # GitHub repository for snapcraft-desktop-helpers: https://github.com/ubuntu/snapcraft-desktop-helpers
  buttermanager:
    plugin: python
    python-version: python3
    source: ../
    # python3-pyqt5 is necessary for the application to run because PyQT5 has been used to code ButterManager
    # The rest of the python dependencies are not necessary because they will be included
    # when setup.py is executed by the python snapcraft plugin
    stage-packages:
      - sudo
      - btrfs-tools
      - python3-pyqt5
    after: [desktop-qt5]
  # It will copy all the Python code needed for running the application
  # into the buttermanager directory
  structure:
    plugin: dump
    source: ../buttermanager
    organize:
      '*': buttermanager/
  # It will copy the buttermanager script into /bin/
  # This script contains all the commands needed to execute the application
  wrapper:
    plugin: dump
    source: scripts
```
I modified the init script buttermanager.sh:

```sh
#!/bin/sh
# Script for snap packaging the ButterManager application. It is not related to the code itself.
# HOME will be /home/user/snap/buttermanager/current
export HOME="$SNAP_USER_DATA"
# First, it is necessary to go to the directory where all the code is stored, i.e. $SNAP/buttermanager
cd "$SNAP/buttermanager" || exit 1
# Then, the main file is executed using the desktop-launch wrapper.
# Please note that the paths are absolute because this is a snap in classic confinement mode
"$SNAP/usr/bin/sudo" "$SNAP/bin/desktop-launch" "$SNAP/usr/bin/python3" buttermanager.py
```
But no luck:

```text
egarcia@ubuntudesk:~/Development/git/buttermanager/snap$ buttermanager
sudo: /snap/buttermanager/x1/usr/bin/sudo must be owned by uid 0 and have the setuid bit set
```

I tried to run the snap package with sudo as well:

```text
egarcia@ubuntudesk:~/Development/git/buttermanager/snap$ sudo buttermanager
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
```
Nevertheless, I think this solution (I mean, removing sudo from the commands within the application) wouldn't be complete. If ButterManager is executed on Arch, for example, it should use pacman to upgrade the system and, in order to execute pacman under strict confinement, I think it would be necessary to include pacman as a stage-package, right? This package is not available on Ubuntu, so I don't think I could include it as a stage package.
Don't you think the only solution here is classic confinement?
This is: https://bugs.launchpad.net/snappy/+bug/1656340. You can work around it by creating /run/user/0, but it sounds like the way your application is designed is that the GUI runs unprivileged and then it calls out via sudo for various privileged commands as a means to avoid running the GUI as root. I don't know if there are polkit APIs for the things you are running as root, but that is probably outside of this discussion.
Yes, but this is a very interesting comment which I missed from your initial request (sorry). We typically do not allow snaps in the store that require using native package managers that install native packages to function. Is the package manager support core functionality to your snap or just a means to ensure that your snap has what it needs?
Assuming you use them to install things your snap needs (eg, btrfs tools), then what you would typically do is bundle everything you need in your snap (eg, via stage-packages or building from source) instead of calling out to the native package managers. In this manner your snap can use a consistent set of tools which should make it more robust (regardless of if you use classic confinement).
Assuming that is addressed, I'm most interested in understanding the commands you run as sudo, to better understand if the commands you are calling out to are supported by snapd (or if we can add the support), since if they are, then the path forward for strict mode would be:

1. run a root daemon command in your snap, then have your GUI connect to it over IPC (eg, a named socket) and have this daemon run the privileged commands on behalf of your snap. You would definitely want to implement some sort of authentication mechanism so that non-snap processes in your users' sessions couldn't just use the socket. Then you adjust your sudo calls to use some client command for talking over IPC to the root daemon (you could even name this 'sudo' within your snap so your GUI code doesn't have to change)
2. remove use of native package managers

I realize this is potentially a lot of work, so before you do any of that, revert your sudo changes and install your snap with --devmode (this uses the same runtime environment and mount namespace as strict mode, but policy denials are logged but otherwise allowed (including use of sudo)). Then use your snap like normal and paste/attach the output of `sudo journalctl | grep audit` for any policy violations that pertain to your usage of the snap. In this manner I can better determine if your snap can be made strict or not.
Depending on the outcome of that, we can reconsider granting your snap classic confinement (again, provided the use of native package managers is removed) temporarily or permanently as appropriate.
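The root-daemon-plus-client design suggested in the reply above, written out as an added example for this thread (it is not ButterManager's code and not part of snapd). It assumes a helper daemon started as root by snapd, a Unix socket and a secret file under $SNAP_COMMON (the `bmhelper` names are hypothetical), and a fixed allowlist of btrfs operations; the GUI never sends a command line, only an operation name and absolute paths, and every request is HMAC-signed over a per-connection nonce so a captured "delete subvolume" cannot be replayed.

```python
"""Privilege-separation sketch for a strictly confined snap: the unprivileged GUI
asks a root helper, over a Unix socket, to run one of a few allowlisted btrfs
commands. Added example, not ButterManager's own code; the 'bmhelper' socket and
secret file names under $SNAP_COMMON and the op names are assumptions."""
import hashlib, hmac, json, os, socket, struct, subprocess

SOCKET_PATH = os.path.join(os.environ.get("SNAP_COMMON", "/tmp"), "bmhelper.sock")
SECRET_PATH = os.path.join(os.environ.get("SNAP_COMMON", "/tmp"), "bmhelper.secret")

# op name -> (fixed argv prefix, number of path arguments). Nothing the client
# controls can become a flag, another binary or shell syntax.
ALLOWED_OPS = {
    "fs_show":       (["btrfs", "filesystem", "show"], 0),
    "fs_usage":      (["btrfs", "filesystem", "usage"], 1),
    "balance_start": (["btrfs", "balance", "start"], 1),
    "snapshot_ro":   (["btrfs", "subvolume", "snapshot", "-r"], 2),
    "subvol_delete": (["btrfs", "subvolume", "delete"], 1),
}

def _abs_path(p):
    """Accept only normalised absolute paths: no '..', no '.', no trailing '/', no NUL."""
    if not isinstance(p, str) or not p.startswith("/") or "\0" in p:
        raise ValueError("argument must be an absolute path")
    if os.path.normpath(p) != p:
        raise ValueError("path must be normalised")
    return p

def build_argv(req):
    """Map {'op': name, 'args': [...]} to a fixed argv list; no shell is involved."""
    if not isinstance(req, dict) or req.get("op") not in ALLOWED_OPS:
        raise ValueError("unknown operation")
    prefix, nargs = ALLOWED_OPS[req["op"]]
    args = req.get("args", [])
    if not isinstance(args, list) or len(args) != nargs:
        raise ValueError("wrong argument count")
    return list(prefix) + [_abs_path(a) for a in args]

def sign(secret, nonce, req):
    """HMAC-SHA256 over the server's per-connection nonce and the canonical request,
    so a captured message cannot be replayed on a later connection."""
    body = json.dumps(req, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, nonce + body, hashlib.sha256).hexdigest()

def authenticate(secret, nonce, msg):
    """Return msg['req'] if its MAC is valid for this nonce, else raise PermissionError."""
    if not isinstance(msg, dict) or "req" not in msg or not isinstance(msg.get("mac"), str):
        raise PermissionError("malformed message")
    if not hmac.compare_digest(sign(secret, nonce, msg["req"]), msg["mac"]):
        raise PermissionError("request not authenticated")
    return msg["req"]

def peer_uid(conn):
    """Linux SO_PEERCRED: kernel-supplied (pid, uid, gid) of the connecting process."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", creds)[1]

def handle(conn, secret, allowed_uid, run=subprocess.run):
    """Serve one newline-framed request: nonce out, signed request in, argv executed."""
    io = conn.makefile("rwb")
    try:
        if peer_uid(conn) not in (0, allowed_uid):
            raise PermissionError("peer uid not allowed")
        nonce = os.urandom(16)
        io.write(nonce.hex().encode() + b"\n"); io.flush()
        msg = json.loads(io.readline().decode())
        argv = build_argv(authenticate(secret, nonce, msg))
        proc = run(argv, capture_output=True, text=True, check=False)
        reply = {"ok": proc.returncode == 0, "out": proc.stdout, "err": proc.stderr}
    except (ValueError, PermissionError, TypeError) as e:  # TypeError: non-ASCII MAC
        reply = {"ok": False, "err": str(e)}
    io.write(json.dumps(reply).encode() + b"\n"); io.flush(); io.close(); conn.close()
    return reply

def serve(allowed_uid):
    """Root side (the snap's daemon app): publish a per-user secret, then answer forever."""
    secret = os.urandom(32)
    with open(os.open(SECRET_PATH, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400), "wb") as f:
        f.write(secret)
    os.chown(SECRET_PATH, allowed_uid, -1)
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(SOCKET_PATH); srv.listen(4)
    while True:
        handle(srv.accept()[0], secret, allowed_uid)

def call(op, args):
    """GUI side: what each former 'sudo btrfs ...' call becomes."""
    with open(SECRET_PATH, "rb") as f:
        secret = f.read()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(SOCKET_PATH)
        io = s.makefile("rwb")
        nonce = bytes.fromhex(io.readline().decode().strip())
        req = {"op": op, "args": list(args)}
        io.write(json.dumps({"req": req, "mac": sign(secret, nonce, req)}).encode() + b"\n")
        io.flush()
        return json.loads(io.readline().decode())
```

In a snap the helper would be declared as a second app with `daemon: simple`, so snapd starts it as root under the snap's own confinement, and the GUI calls something like `call("snapshot_ro", ["/mnt/root", "/mnt/snapshots/root-2019-04-06"])` where it used to shell out to sudo. The allowlist is what keeps the helper from being a local privilege escalation: a process of the same user that can read the secret still cannot make root run anything but these btrfs operations on normalised absolute paths, and the nonce stops it replaying a captured request. It does not by itself stop such a process from issuing those operations; a polkit-style prompt, as mentioned in the reply, would be the next layer.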
Hi @jdstrand and again, thank you very much for all your time with me. Below, my detailed answer:
ButterManager is a front-end GUI for managing BTRFS filesystems. It depends on command line tools such as btrfs-progs, for example. You can create, for instance, a snapshot of a subvolume by clicking a button, and it will run the "sudo btrfs subvolume create …" command to do that.
But it has a nice feature. One thing you probably want when you have a BTRFS filesystem and upgrade the system is to create a snapshot before running the upgrade process, and delete old snapshots if everything went OK. If something goes wrong during the upgrade or even after, you can always go back using those snapshots. Because of that, I have included, as a main functionality, a button to upgrade the system. When you click this button:
1. ButterManager creates a snapshot before upgrading the system.
2. ButterManager runs the package manager command in order to perform the upgrade of the packages.
3. ButterManager removes old snapshots if the user configured it.
That is the reason why ButterManager needs to interact with the package manager, in order to run the command to upgrade the system using this package manager. All the dependencies needed for the right functioning of the application are defined within the snapcraft.yaml. But it needs to interact with the package manager of the system (apt in Debian, Ubuntu and derivatives, dnf in RHEL/Fedora and derivatives, pacman in Arch and derivatives…) in order to perform the upgrading process itself.
This is the list of the commands I use under the hood so far:

```text
sudo -S btrfs filesystem show
sudo -S findmnt -nt btrfs
sudo -S btrfs filesystem usage
sudo -S btrfs balance start
sudo -S snap refresh
sudo -S zypper -n update
sudo -S zypper list-updates
sudo -S dnf upgrade --refresh --assumeyes
sudo -S dnf check-update
sudo -S pacman -Sy
sudo -S pacman -Qu
sudo -S pacman -Syu --noconfirm
sudo -S apt update
sudo -S apt upgrade -y
sudo -S apt list --upgradable
yaourt -Syua --noconfirm
yay -Syu --noconfirm
trizen -Syua --noconfirm
sudo -S btrfs subvolume snapshot -r
sudo -S btrfs subvolume delete
```
Ok, I edited the snapcraft.yaml because the previous version didn’t work with desktop-qt5 anymore:
```yaml
name: buttermanager
version: "1.2"
summary: Graphical tool to manage BTRFS filesystems
description: Manage a BTRFS filesystem with this easy to use Graphical User Interface application programmed in Python and QT5. Create BTRFS snapshots, balance filesystems and upgrade the system safely.
type: app
grade: stable
base: core16
confinement: strict

apps:
  buttermanager:
    command: bin/buttermanager.sh
    environment:
      DISABLE_WAYLAND: 1
    plugs:
      - x11
      - desktop
      - desktop-legacy
      - wayland
      - unity7
      - home
      - block-devices

parts:
  # Pulls the code of the desktop-qt5 part
  desktop-qt5:
    build-packages:
      - qtbase5-dev
      - dpkg-dev
    make-parameters:
      - FLAVOR=qt5
    plugin: make
    source: https://github.com/ubuntu/snapcraft-desktop-helpers.git
    source-subdir: qt
    stage-packages:
      - libxkbcommon0
      - ttf-ubuntu-font-family
      - dmz-cursor-theme
      - light-themes
      - adwaita-icon-theme
      - gnome-themes-standard
      - shared-mime-info
      - libqt5gui5
      - libgdk-pixbuf2.0-0
      - libqt5svg5
      - appmenu-qt5
      - locales-all
  # Pulls the code from the original source (master branch)
  # desktop-qt5 is a snapcraft part (snapcraft-desktop-helpers) from the Wiki: https://wiki.ubuntu.com/snapcraft/parts
  # It enables desktop integration for QT5 applications
  # GitHub repository for snapcraft-desktop-helpers: https://github.com/ubuntu/snapcraft-desktop-helpers
  buttermanager:
    plugin: python
    python-version: python3
    source: ./
    # python3-pyqt5 is necessary for the application to run because PyQT5 has been used to code ButterManager
    # The rest of the python dependencies are not necessary because they will be included
    # when setup.py is executed by the python snapcraft plugin
    stage-packages:
      - btrfs-tools
      - python3-pyqt5
      - python3-yaml
      - python3-sip
    after: [desktop-qt5]
  # It will copy all the Python code needed for running the application
  # into the buttermanager directory
  structure:
    plugin: dump
    source: ./buttermanager
    organize:
      '*': buttermanager/
  # It will copy the buttermanager script into /bin/
  # This script contains all the commands needed to execute the application
  wrapper:
    plugin: dump
    source: scripts
```
I installed ButterManager using the --devmode flag and ran it normally after connecting the block-devices interface. This is the result of `sudo journalctl | grep audit`:
Thanks for the additional info. Most of the policy violations would go away if you plugged (and connected) the hardware-observe and mount-observe interfaces. There is the access for “/etc/” but that may not be fatal to your application.
Did you exercise the application when running the btrfs and findmnt commands? I expected to see more denials, but perhaps block-devices is enough.
However, the package management commands are problematic for a snap that is distributed via the Global store (@pedronis). I appreciate the functionality you provide in your application (though as an administrator I think I’d personally be much more likely to use an application like yours to perform the snapshot, then do the upgrade outside of the application, and then come back to your application if there was a problem).
If you require the package management functionality, it might be better to distribute via a native package manager instead at this time (I’ve cc’d an architect to weigh in if needed).
Otherwise, if the package management functionality were removed, the requirements are understood and your application could be made to be strictly confined. If this is an option for you, I'd like to see the snap advocacy team (@Wimpress, @popey, @Igor or @evan) work with you and determine if classic confinement should be temporarily granted while the details of making your snap strict are worked through.
I have been experimenting with the hardware-observe and mount-observe interfaces as suggested, but I still have denials. This is the output of `sudo journalctl | grep audit`:
abr 06 17:25:17 ubuntibtrfs audit[2362]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.buttermanager" pid=2362 comm="apparmor_parser"
abr 06 17:25:17 ubuntibtrfs kernel: kauditd_printk_skb: 35 callbacks suppressed
abr 06 17:25:17 ubuntibtrfs kernel: audit: type=1400 audit(1554564317.428:47): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.buttermanager" pid=2362 comm="apparmor_parser"
abr 06 17:25:17 ubuntibtrfs audit[2363]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2363 comm="apparmor_parser"
abr 06 17:25:17 ubuntibtrfs kernel: audit: type=1400 audit(1554564317.620:48): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2363 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs audit[2372]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2372 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs audit[2372]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2372 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs kernel: audit: type=1400 audit(1554564318.368:49): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2372 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs kernel: audit: type=1400 audit(1554564318.368:50): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2372 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs audit[2374]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2374 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs audit[2375]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2375 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs kernel: audit: type=1400 audit(1554564318.380:51): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2374 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs kernel: audit: type=1400 audit(1554564318.380:52): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2375 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs audit[2381]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2381 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs audit[2383]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2383 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs kernel: audit: type=1400 audit(1554564318.940:53): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2381 comm="apparmor_parser"
abr 06 17:25:18 ubuntibtrfs kernel: audit: type=1400 audit(1554564318.940:54): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2383 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2389]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2389 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2389]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2389 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs kernel: audit: type=1400 audit(1554564319.180:55): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2389 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs kernel: audit: type=1400 audit(1554564319.180:56): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2389 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2391]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2391 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2392]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2392 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2398]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2398 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2401]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2401 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2407]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2407 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2407]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2407 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2409]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2409 comm="apparmor_parser"
abr 06 17:25:19 ubuntibtrfs audit[2410]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2410 comm="apparmor_parser"
abr 06 17:25:20 ubuntibtrfs audit[2416]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2416 comm="apparmor_parser"
abr 06 17:25:20 ubuntibtrfs audit[2418]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2418 comm="apparmor_parser"
abr 06 17:25:20 ubuntibtrfs audit[2424]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2424 comm="apparmor_parser"
abr 06 17:25:20 ubuntibtrfs audit[2424]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2424 comm="apparmor_parser"
abr 06 17:25:20 ubuntibtrfs audit[2426]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2426 comm="apparmor_parser"
abr 06 17:25:20 ubuntibtrfs audit[2427]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2427 comm="apparmor_parser"
abr 06 17:25:21 ubuntibtrfs audit[2433]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.buttermanager" pid=2433 comm="apparmor_parser"
abr 06 17:25:21 ubuntibtrfs audit[2434]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2434 comm="apparmor_parser"
abr 06 17:25:22 ubuntibtrfs audit[2440]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2440 comm="apparmor_parser"
abr 06 17:25:22 ubuntibtrfs audit[2440]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2440 comm="apparmor_parser"
abr 06 17:25:22 ubuntibtrfs audit[2442]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2442 comm="apparmor_parser"
abr 06 17:25:22 ubuntibtrfs audit[2443]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2443 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs audit[2449]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2449 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs audit[2451]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2451 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs kernel: kauditd_printk_skb: 20 callbacks suppressed
abr 06 17:25:23 ubuntibtrfs kernel: audit: type=1400 audit(1554564323.068:77): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2449 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs kernel: audit: type=1400 audit(1554564323.068:78): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2451 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs audit[2457]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2457 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs audit[2457]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2457 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs kernel: audit: type=1400 audit(1554564323.880:79): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2457 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs kernel: audit: type=1400 audit(1554564323.880:80): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2457 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs audit[2459]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2459 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs audit[2460]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2460 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs kernel: audit: type=1400 audit(1554564323.888:81): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2459 comm="apparmor_parser"
abr 06 17:25:23 ubuntibtrfs kernel: audit: type=1400 audit(1554564323.888:82): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2460 comm="apparmor_parser"
abr 06 17:25:24 ubuntibtrfs audit[2466]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2466 comm="apparmor_parser"
abr 06 17:25:24 ubuntibtrfs kernel: audit: type=1400 audit(1554564324.548:83): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2466 comm="apparmor_parser"
abr 06 17:25:24 ubuntibtrfs audit[2468]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2468 comm="apparmor_parser"
abr 06 17:25:24 ubuntibtrfs kernel: audit: type=1400 audit(1554564324.560:84): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2468 comm="apparmor_parser"
abr 06 17:25:55 ubuntibtrfs audit[2497]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2497 comm="apparmor_parser"
abr 06 17:25:55 ubuntibtrfs audit[2497]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2497 comm="apparmor_parser"
abr 06 17:25:55 ubuntibtrfs audit[2499]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2499 comm="apparmor_parser"
abr 06 17:25:55 ubuntibtrfs audit[2500]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2500 comm="apparmor_parser"
abr 06 17:25:55 ubuntibtrfs kernel: audit: type=1400 audit(1554564355.480:85): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2497 comm="apparmor_parser"
abr 06 17:25:55 ubuntibtrfs kernel: audit: type=1400 audit(1554564355.480:86): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2497 comm="apparmor_parser"
abr 06 17:25:55 ubuntibtrfs kernel: audit: type=1400 audit(1554564355.480:87): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2499 comm="apparmor_parser"
abr 06 17:25:55 ubuntibtrfs kernel: audit: type=1400 audit(1554564355.480:88): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2500 comm="apparmor_parser"
abr 06 17:25:56 ubuntibtrfs audit[2579]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2579 comm="apparmor_parser"
abr 06 17:25:56 ubuntibtrfs audit[2581]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2581 comm="apparmor_parser"
abr 06 17:25:56 ubuntibtrfs kernel: audit: type=1400 audit(1554564356.768:89): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2579 comm="apparmor_parser"
abr 06 17:25:56 ubuntibtrfs kernel: audit: type=1400 audit(1554564356.768:90): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2581 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs audit[2638]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2638 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs audit[2638]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2638 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs kernel: audit: type=1400 audit(1554564395.164:91): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2638 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs kernel: audit: type=1400 audit(1554564395.164:92): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2638 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs audit[2640]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2640 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs audit[2641]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2641 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs kernel: audit: type=1400 audit(1554564395.180:93): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2640 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs kernel: audit: type=1400 audit(1554564395.180:94): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2641 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs audit[2647]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2647 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs audit[2649]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2649 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs kernel: audit: type=1400 audit(1554564395.628:95): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2647 comm="apparmor_parser"
abr 06 17:26:35 ubuntibtrfs kernel: audit: type=1400 audit(1554564395.628:96): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2649 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs audit[2674]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2674 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs audit[2674]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2674 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs audit[2676]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2676 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs kernel: audit: type=1400 audit(1554564412.228:97): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine" pid=2674 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs kernel: audit: type=1400 audit(1554564412.228:98): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/core/6673/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=2674 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs kernel: audit: type=1400 audit(1554564412.228:99): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=2676 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs audit[2677]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2677 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs kernel: audit: type=1400 audit(1554564412.240:100): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.core.hook.configure" pid=2677 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs audit[2683]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2683 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs audit[2685]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2685 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs kernel: audit: type=1400 audit(1554564412.588:101): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2683 comm="apparmor_parser"
abr 06 17:26:52 ubuntibtrfs kernel: audit: type=1400 audit(1554564412.588:102): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.buttermanager" pid=2685 comm="apparmor_parser"
abr 06 17:27:25 ubuntibtrfs audit[2981]: AVC apparmor="DENIED" operation="open" profile="snap.buttermanager.buttermanager" name="/etc/" pid=2981 comm="btrfs" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
abr 06 17:27:25 ubuntibtrfs kernel: audit: type=1400 audit(1554564445.428:103): apparmor="DENIED" operation="open" profile="snap.buttermanager.buttermanager" name="/etc/" pid=2981 comm="btrfs" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
At the end a DENIED can be seen, and I think it happens at the start of the application, when it starts and tries to execute sudo -S btrfs filesystem show.
I understand the problem and the restrictions you have defined for snap packages. What would be the next steps? Wait for the answer of @pedronis?
I’m not very sure about this. I mean, the possibility of upgrading the system with automatic snapshot management via ButterManager is the main functionality of the application. If I have to remove this feature, could I have 2 different “versions” of the application? I mean, a basic one published on the store with limited features, and a full version downloadable from my GitHub repository which would have to be installed manually by the user?
Do you think it would be a feasible solution to this problem?
Thank you very much for your help and your time again! I appreciate it very much.
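The journal excerpt above interleaves two copies of every AppArmor event (one from the audit daemon, one from the kernel ring buffer), and the single DENIED line is easy to miss among the STATUS noise. The following is an added example, not code from the original post or from ButterManager, that pulls the DENIED records out of journal text, collapses the duplicate copies of one event, and flags denials that touch the host tools named in this thread. The sample journal lines are constructed for the example; the exec denial of /usr/bin/sudo is hypothetical and only illustrates what a denied exec record looks like.

```python
import re
from dataclasses import dataclass

# Constructed sample input modelled on the journal format shown above.
# The last line (exec of /usr/bin/sudo) is hypothetical and not from the thread.
SAMPLE_JOURNAL = """\
abr 06 17:26:52 ubuntibtrfs audit[2683]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.buttermanager.buttermanager" pid=2683 comm="apparmor_parser"
abr 06 17:27:25 ubuntibtrfs audit[2981]: AVC apparmor="DENIED" operation="open" profile="snap.buttermanager.buttermanager" name="/etc/" pid=2981 comm="btrfs" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
abr 06 17:27:25 ubuntibtrfs kernel: audit: type=1400 audit(1554564445.428:103): apparmor="DENIED" operation="open" profile="snap.buttermanager.buttermanager" name="/etc/" pid=2981 comm="btrfs" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
abr 06 17:27:26 ubuntibtrfs audit[2990]: AVC apparmor="DENIED" operation="exec" profile="snap.buttermanager.buttermanager" name="/usr/bin/sudo" pid=2990 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# Host binaries the original post says the application depends on, plus sudo,
# which it uses to run them. Any denied exec of one of these is the confinement
# problem discussed in the thread rather than a missing file-access rule.
HOST_TOOLS = {"btrfs", "findmnt", "apt", "apt-get", "zypper", "dnf", "pacman", "yaourt", "sudo"}

# key=value pairs; the value is either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Denial:
    profile: str
    operation: str
    comm: str
    name: str
    pid: int
    requested_mask: str
    denied_mask: str

    def key(self):
        # Identity used to collapse the audit-daemon copy and the kernel copy of one event.
        return (self.profile, self.operation, self.comm, self.name, self.pid, self.requested_mask)


def parse_line(line):
    """Return a Denial for an AppArmor DENIED journal line, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return Denial(
        profile=fields.get("profile", ""),
        operation=fields.get("operation", ""),
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        pid=int(fields.get("pid", "0")),
        requested_mask=fields.get("requested_mask", ""),
        denied_mask=fields.get("denied_mask", ""),
    )


def parse_denials(journal_text):
    """All distinct denials in the text, in order of first appearance."""
    seen = set()
    denials = []
    for line in journal_text.splitlines():
        d = parse_line(line)
        if d is None or d.key() in seen:
            continue
        seen.add(d.key())
        denials.append(d)
    return denials


def summarize(denials):
    """Count denials per (profile, comm, operation) so repeated ones stand out."""
    counts = {}
    for d in denials:
        k = (d.profile, d.comm, d.operation)
        counts[k] = counts.get(k, 0) + 1
    return counts


def touches_host_tool(d):
    """True when the denial is a denied exec of one of the host tools listed above."""
    base = d.name.rstrip("/").rsplit("/", 1)[-1]
    return d.operation == "exec" and base in HOST_TOOLS


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_JOURNAL):
        flag = "  <-- host tool exec" if touches_host_tool(d) else ""
        print(f"{d.profile}: {d.operation} {d.name} by {d.comm} (mask {d.requested_mask}){flag}")
```

In practice the input is `journalctl -k` (or the full journal) piped into this script; the dedup step matters because otherwise every denial is counted twice, once per log source.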
Ah, this is the key point for the whole conversation, since it will require classic confinement for the foreseeable future, and thus far we’ve not allowed snaps that require use of the package management commands, as they are problematic for a snap that is distributed via the Global store.
@pedronis - at this point, the current guidelines dictate that the request be denied. I will point out that the application isn’t meant to install arbitrary applications and instead only manage upgrades. We can’t enforce that at this time (though in the medium to long term, this may become possible with some future apparmor work), but it is a slightly different angle than other requests that use package managers. At this point, I am going to leave this request alone unless you feel otherwise.
@eloy.garcia.pca - thank you for working through this with us. If you have more details for @pedronis, feel free to add them.
Thank you very much for your time and tips. If at some point the main guidelines of the store allow this kind of feature for snap packages, maybe we could reopen this issue.
Thanks, I don’t think I’m going to override. There are also some other issues:
ATM we don’t have ways to mark a snap as non-installable on some distros supported by snapd, and actually would not like to encourage that. So there might be an awkward situation where such a snap can be installed somewhere but it doesn’t support operating the local package manager available there. This might be only theoretical but is worth keeping in mind.
It feels slightly more proper that the distros be involved in packaging something that operates/integrates with their package manager.