Snap does not have permission to use stage package

vitrical · September 16, 2021, 7:04pm

Hi. I’m new to snaps so please forgive me if I’m doing something stupid. I’ve just successfully packed my nodejs npm plugin snap using snapcraft and it successfully executes and runs properly on ubuntu 20.04 desktop. The problem lies when i install it on my ubuntu-core device. My nodejs app relies on a few apt packages that are defined In my stage-packages list, which looks like this:

stage-packages:
  - net-tools
  - ping

nodejs has no problem spawning arp -a from net-tools when running on my ubuntu desktop device, but when running on my ubuntu core device, I get a permission error:

2021-09-16 18:52 +00:00: (node:1155) UnhandledPromiseRejectionWarning: Error: Command failed: arp -a
2021-09-16 18:52 +00:00: /proc/net/arp: Permission denied

If anyone knows what I am doing wrong here, I would greatly appreciate any input. Thanks.

ogra · September 16, 2021, 8:02pm

just guessing here (got no opportunity to test this atm.) but i think you might need the network-control plug or something similar for this

vitrical · September 17, 2021, 1:53am

Yes, I have these plugs defined in the app:

plugs:
- network
- network-bind
- network-control
- network-manager
- network-observe
- network-setup-observe
- avahi-control
- avahi-observe
- gpio
- hardware-observe
- hostname-control
- io-ports-control
- locale-control
- location-control
- location-observe

ogra · September 17, 2021, 9:22am

that’s a bit overzealous have you also connected all of them ? apart from network and network-bind nothing of these will auto-connect …

it might also help to ssh into a second terminal and run snappy-debug from the snappy-debug snap, that should give you interface suggestions (or show that there is no known interface for a certain access your app tries to make) …

vitrical · September 17, 2021, 3:49pm

I believe the plugs and interfaces are only for snaps. not the apt packages I’m trying to access. At least thats what it seems reading the docs. Do you think classic confinement would be something to consider here?

ogra · September 17, 2021, 3:54pm

you can not install classic confined snaps on Ubuntu Core (and it would fully defeat the purpose of Ubuntu Core, allowing unconfined execution of something)

the error you posted was from accessing something in /proc not from executing a binary …

ssh into your Ubuntu Core box, install the snappy-debug snap and run the shipped snappy-debug command (it will give you instructions what exactly to run on Ubuntu Core) while restarting your app … you should then see suggestions about required interfaces …

vitrical · September 17, 2021, 4:13pm

Ok. When I run snappy-debug I get

ERROR: ‘/var/log/syslog’ does not exist. Redirect journalctl instead. Eg:
ERROR: $ sudo journalctl --output=short --follow --all | sudo snappy-debug

When I run sudo journalctl --output=short --follow --all | sudo snappy-debug I get
kernel.printk_ratelimit = 0

Then nothing really happens after a while. I also checked journalctl, which doesn’t have any snappy debug info either.

vitrical · September 17, 2021, 4:16pm

Ok, It seems I just needed to restart the app. I get the following apparmor logs:

`
= AppArmor =
Time: Sep 17 16:14:25
Log: apparmor=“DENIED” operation=“ptrace” profile=“snap.webknit-device.webknit-device” pid=1403 comm=“ps” requested_mask=“read” denied_mask=“read” peer=“unconfined”
Ptrace: peer=unconfined (read)
Suggestions:

add ‘system-observe’ to ‘plugs’
do nothing if program otherwise works properly

= AppArmor =
Time: Sep 17 16:14:30
Log: apparmor=“DENIED” operation=“open” profile=“snap.webknit-device.webknit-device” name="/proc/1487/net/arp" pid=1487 comm=“arp” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0
File: /proc/1487/net/arp (read)
Suggestions:

adjust program to not access ‘@{PROC}/@{pid}/net/arp’
add one of ‘firewall-control, network-control, network-observe’ to ‘plugs’
`

ogra · September 17, 2021, 4:20pm

there you go, follow the suggestions and don’t forget to also connect the plugs with the snap connect ... command after adding them to your app

to see the active connections use:

snap connections webknit-device

vitrical · September 17, 2021, 4:21pm

Ok thanks… Is there any way I can have the snap automatically connect them when running in production?

ogra · September 17, 2021, 4:25pm

for some plugs you can file a store request (in the store-requests category in this forum, look at that category to see examples) …

if you have a brand store for your Ubuntu Core setup, you can also grant overrides in there through the store UI

… and lastly you can also define auto-connections in the gadget.yaml of your Ubuntu Core image at creation time

vitrical · September 17, 2021, 4:28pm

Ok thank you very much! I’ll look into that. Since connecting the network-observe plug it seems to work!