Snap Core Slot for blkid

I’m running a snap that requires the command blkid to extract a uuid. I have the permission for this snap’s plug to connect to the core:block-devices but apparmor keeps denying me access. I also see that I can list the uuid files in /dev/disk/by-uuid.

For this particular case it is preferable to run blkid. Am I missing or connected to the wrong slot?

It has always been a bit of a challenge to identify the proper snap slot to connect to whenever I have these permission errors. Are there any suggestions?

Hi,

By looking at the interfaces defined in snapd, I couldn’t see any interfaces that define access to /dev/disk. But, maybe I just missed that and you could always check it by using snappy-debug snap.

In Desktop, please install:

```
snap install snappy-debug
```

Before running your application, run the following command in another terminal:

```
sudo journalctl --output=short --follow --all | sudo snappy-debug
```

snappy-debug would suggest you an interface if there is one.

Can you paste the exact apparmor denial that you see?

```
= AppArmor =
Time: May 08 13:48:09
Log: apparmor="DENIED" operation="exec" profile="snap.app.mgr" name="/usr/sbin/blkid" pid=15239 comm="bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /usr/sbin/blkid (exec)
Suggestions:
* adjust snap to ship 'blkid'
* adjust program to use relative paths if the snap already ships 'blkid'
```

Here is the output from journalctl. I get the same error here. Why is blkid denied with strict confinement in snap? Can I use that with any interface in snap or not?

```
~/Devel/branches/snapd:master$ grep blkid interfaces/builtin/*
interfaces/builtin/block_devices.go:# Allow to use blkid to export key=value pairs such as UUID to get block device attributes
interfaces/builtin/block_devices.go:/{,usr/}sbin/blkid ixr,
```

Theoretically you should be able to, the interface definitely allows it … does

```
snap connections <your snap name>
```

show it being connected?


Thank you for your response, @ogra. Please find below the contents of the snapcraft.yaml file for the sample app:

snapcraft.yaml

```yaml
base: core20
name: blkidapp
version: '1.0'
summary: Blkid snap
description: |
  This is a simple snap.

grade: stable
confinement: strict

parts:
  blkidapp:
    plugin: dump
    source: .
    organize:
      'test.sh': usr/bin/test

apps:
  app:
    command: usr/bin/test
```

The command output is as follows:

```
root@ubuntu:~$ blkidapp.app
/snap/blkidapp/x1/usr/bin/test: 3: /usr/sbin/blkid: Permission denied
```

Apparmor Error:

```
= AppArmor =
Time: May 13 08:36:45
Log: apparmor="DENIED" operation="exec" profile="snap.blkidapp.app" name="/usr/sbin/blkid" pid=16293 comm="test" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /usr/sbin/blkid (exec)
Suggestions:
* adjust snap to ship 'blkid'
* adjust program to use relative paths if the snap already ships 'blkid'
```

The snapcraft.yaml file does not specify any interface,

```
root@ubuntu:/home# snap connections blkidapp
```

produces an empty output when executed.

Could you please provide any suggestions if there is anything I am missing?

So how would you expect that app to gain access to the blkid command then ? You do indeed need to define an interface plug in your snapcraft.yaml and connect it using the snap connect ... command …

(PS: please add three backticks ``` before and after pasted content, that way the formatting stays intact and it stays readable for all of us, i have done that above for this time round)

@ogra, I have included the [block-devices] interface in the snapcraft.yaml file. As a result, I am now able to execute the /usr/bin/blkid command from snap. However, in order to obtain the output of blkid, there are additional interfaces that need to be added. Please share any other suggestions you would like to provide. Thank You.
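A small triage helper for the denials quoted in this thread, as an added example that is not from any poster or from snapd: it parses an AppArmor denial line, derives the snap and app from the profile name, and checks whether the `block_devices.go` rule shown in the grep output would cover the denied path. The function names are hypothetical, and the matching is a simplification that handles only `{a,b}` alternation and treats the permission string as a set of letters.

```python
import re

# Constructed sample: the denial quoted in the thread, on one line.
SAMPLE = ('apparmor="DENIED" operation="exec" profile="snap.blkidapp.app" '
          'name="/usr/sbin/blkid" pid=16293 comm="test" requested_mask="x" '
          'denied_mask="x" fsuid=0 ouid=0')
# Rule line as shown in the thread's grep of interfaces/builtin/block_devices.go.
RULE = '/{,usr/}sbin/blkid ixr,'


def parse_denial(line):
    """Return the key=value fields of a denial line, or None if it is not one."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    fields = {key: quoted or bare for key, quoted, bare in pairs}
    if fields.get('apparmor') != 'DENIED':
        return None
    # Snap profiles are named snap.<snap>.<app>, as in both quoted denials.
    parts = fields.get('profile', '').split('.', 2)
    if len(parts) == 3 and parts[0] == 'snap':
        fields['snap'], fields['app'] = parts[1], parts[2]
    return fields


def expand_braces(pattern):
    """Expand AppArmor {a,b} alternation into literal paths (no * or ** support)."""
    match = re.search(r'\{([^{}]*)\}', pattern)
    if not match:
        return [pattern]
    expanded = []
    for alt in match.group(1).split(','):
        candidate = pattern[:match.start()] + alt + pattern[match.end():]
        expanded.extend(expand_braces(candidate))
    return expanded


def rule_covers(rule, denial):
    """True if the rule's path and permissions cover the denied access."""
    path_glob, perms = rule.rstrip(',').split()
    path_ok = denial['name'] in expand_braces(path_glob)
    # Simplification: each denied letter must appear in the rule's permissions.
    return path_ok and all(flag in perms for flag in denial['denied_mask'])


if __name__ == '__main__':
    denial = parse_denial(SAMPLE)
    verdict = 'covered' if rule_covers(RULE, denial) else 'not covered'
    print(f"{denial['snap']}:{denial['app']} {denial['name']} -> {verdict} by rule")
```

A "covered" result means the interface rule already permits the access, so the denial points at a plug that is not declared or not connected, which is what the empty `snap connections` output in the thread showed.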