firewall-control: required for setting firewall rules. If this interface is not present, tailscaled will crash.
network-control: required for configuring the network and access to /dev/net/tun. Tailscaled needs this to set up networking rules for the WireGuard config and such (routing, attaching networks, etc.).
Also requesting approval for sys-devices-virtual-info: a custom system-files read-only interface for files tailscaled needs to determine the platform it’s running on. The requested definition is:
    plugs:
      sys-devices-virtual-info:
        interface: system-files
        read:
          # tailscale uses this to figure out if running in VM and if so, which Public Cloud
          # https://github.com/tailscale/tailscale/blob/65fe0ba7b50928eff53e2750ff2d583e4a33eb7e/util/cloudenv/cloudenv.go#L115-L126
          - /sys/class/dmi/id/bios_vendor
          - /sys/class/dmi/id/sys_vendor
          - /sys/class/dmi/id/product_name
          # the above paths appear to be symlinks to the below
          - /sys/devices/virtual/dmi/id/bios_vendor
          - /sys/devices/virtual/dmi/id/product_name
          - /sys/devices/virtual/dmi/id/sys_vendor
+1 from me for auto-connect of both firewall-control and network-control. As a VPN application, these are both entirely expected and appropriate.
Regarding the system-files instance - AppArmor only deals with the underlying files, not the symlinks to them, so you can remove the symlinks and just leave it with:
Also I think a better name would be sys-devices-virtual-dmi-ids for this interface.
I also wonder if these should be added to the existing system-observe or hardware-observe interfaces?
Finally, I also notice that interfaces like audio-playback include at least sys_vendor and bios_vendor so these are not privileged pieces of information.
Either way, +1 from me for auto-connect of a system-files instance named sys-devices-virtual-dmi-ids for read access to
> AppArmor only deals with the underlying files, not the symlinks to them, so you can remove the symlinks and just leave it with:
Ah nice, I was wondering about that. I’m curious about the internals of this, since I would imagine there would be an initial read request sent to the /sys/class/* path.
> I also wonder if these should be added to the existing system-observe or hardware-observe interfaces?
Hmm, looking at https://snapcraft.io/docs/hardware-observe-interface, it appears that /sys/devices/** is already there - although I guess in this case it makes more sense to have a smaller scoped interface, since it’s only those three files (afaik) that tailscale needs to read.
Hmm actually, I was double checking, and found that the corresponding files under /sys/class/ aren’t necessarily symlinks - for example, this is in an LXD VM, Ubuntu Jammy:
Given the VPN functionality of the snap, and the need to access the system files to determine the platform it runs on, +1 from me as well for auto-connecting network-control, firewall-control and sys-devices-virtual-info (read).
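Added example, not code from the thread, snapd or Tailscale: a way to check which real files sit behind the paths listed in a system-files plug, covering the case raised above where a file is not itself a symlink but is reached through a symlinked directory. The helper names are hypothetical, and the tree is a constructed stand-in that assumes the sysfs layout in which class/dmi/id is a directory link into devices/virtual/dmi/id.

```python
import os
import tempfile

DMI_FILES = ("bios_vendor", "sys_vendor", "product_name")

def classify(path):
    """Return (real_path, kind) describing how `path` reaches the real file."""
    path = os.path.abspath(path)
    real = os.path.realpath(path)
    if os.path.islink(path):
        kind = "symlink"              # the last component is itself a link
    elif path != real:
        kind = "via-symlinked-dir"    # regular file, but a parent dir is a link
    else:
        kind = "real"
    return real, kind

def minimal_read_list(paths):
    """Collapse the requested paths to the de-duplicated real files behind them."""
    report = {p: classify(p) for p in paths}
    return sorted({real for real, _ in report.values()}), report

def build_sample_tree(root):
    """Constructed stand-in for sysfs: class/dmi/id links to devices/virtual/dmi/id."""
    real_dir = os.path.join(root, "devices", "virtual", "dmi", "id")
    os.makedirs(real_dir)
    for name in DMI_FILES:
        with open(os.path.join(real_dir, name), "w") as fh:
            fh.write("constructed\n")
    os.makedirs(os.path.join(root, "class", "dmi"))
    os.symlink("../../devices/virtual/dmi/id", os.path.join(root, "class", "dmi", "id"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(os.path.realpath(tmp))
        requested = [os.path.join(root, d, name)
                     for d in ("class/dmi/id", "devices/virtual/dmi/id")
                     for name in DMI_FILES]
        targets, report = minimal_read_list(requested)
        for path, (real, kind) in report.items():
            print(f"{kind:18} {os.path.relpath(path, root)} -> {os.path.relpath(real, root)}")
        print("read list:", [os.path.relpath(t, root) for t in targets])
```

On a real host, passing the six paths from the requested plug to `minimal_read_list` shows whether they collapse to the three files under /sys/devices/virtual/dmi/id.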
+2 votes for, 0 votes against, granting auto-connect of network-control, firewall-control and a system-files instance named sys-devices-virtual-dmi-ids with read permission for