Snapd-control request for jhack

Hello snappers,

The jhack charm vinfo command makes a snapd request over a unix socket in order to obtain version information of the juju snap.

The goal is to list some debugging information including the fingerprints of all of the juju-* snaps presently installed on the host.

This is what it looks like when run from sources (or devmode).

When run from the strictly confined snap, that results in an AppArmor denial:

Log: apparmor="DENIED" operation="connect" class="file" profile="snap.jhack.jhack" name="/run/snapd.socket" pid=1984061 comm="python3" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

I understand that the snapd-control interface would allow jhack to make such requests. Can you grant jhack the necessary permissions?

The `snapd-control` interface is massively powerful and effectively makes your snap own the machine (i.e. allows it to circumvent all confinement) …

For security reasons you might be better off using a system-files interface to gain read access to /var/lib/snapd/state.json and parse it …

Indeed - see the similar request "Manual review for software-inventory-exporter + auto-connect request for system-files and snapd-control" for guidance - snapd-control is not appropriate for this use-case. Also note there is a potential snapd-observe interface in the works as well - https://github.com/snapcore/snapd/pull/12677

Aha, good to know… I mean, this is just postponing jhack’s inevitable overtake of the world, but I can see the point. Is snapd/state.json guaranteed to be up to date?

It should be, yes (@pedronis may correct me here though in case I’m wrong)

@pedronis ping, can you please confirm:

It’s up-to-date, but it’s not intended to be consumed outside snapd itself, so I would be -1 on that system-files access. I see two paths forward: either making jhack classic or waiting for snapd-observe.

If the alternates are either confinement: classic or granting snapd-control, I would prefer to +1 snapd-control and when snapd-observe is ready we can revoke snapd-control in favour of snapd-observe.

Classic does have the advantage of requiring --classic to install which alerts the user to the power of the snap, so perhaps in this case we do snapd-control but no auto-connect. Could jhack alert the user that they’re required to connect it just for jhack charm vinfo?

Yes, I think that’s fair. I can catch that specific error and surface the instructions relatively easily.

So +1 for snapd-control but no auto-connect from my side.

I concur with @dclane’s choice of snapd-control over classic. I support the use of snapd-control temporarily, but we should reduce privileges once snapd-observe is available, and it should be without auto-connect. +1

+2 for, 0 against. Granting the use of snapd-control interface without auto-connect. This is now live.

Thanks
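The outcome agreed in the thread (query snapd over its unix socket, and when the interface is not connected catch the denial and tell the user how to connect it) could look like the following. This is an added example, not jhack's own code. It assumes snapd's `GET /v2/snaps` REST endpoint, that the AppArmor denial reaches Python as `PermissionError`, and that the plug is named `snapd-control`; the class and function names are hypothetical.

```python
import http.client
import json
import socket

SNAPD_SOCKET = "/run/snapd.socket"  # path from the AppArmor denial in the thread
# Assumption: the plug is named after the interface (snapd-control).
CONNECT_HINT = ("jhack cannot reach snapd: snapd-control is not connected.\n"
                "Run: sudo snap connect jhack:snapd-control")


class SnapdAccessDenied(RuntimeError):
    """connect() on the snapd socket was refused (EACCES/EPERM)."""


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection over an AF_UNIX socket instead of TCP."""

    def __init__(self, path, timeout=5):
        super().__init__("localhost", timeout=timeout)
        self._path = path

    def connect(self):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(self.timeout)
        try:
            sock.connect(self._path)
        except PermissionError as exc:
            sock.close()
            # An AppArmor DENIED on operation="connect" arrives here as EACCES.
            raise SnapdAccessDenied(CONNECT_HINT) from exc
        self.sock = sock


def juju_snap_versions(path=SNAPD_SOCKET):
    """Return {name: (version, revision)} for installed juju and juju-* snaps."""
    conn = UnixHTTPConnection(path)
    try:
        conn.request("GET", "/v2/snaps")
        body = json.load(conn.getresponse())
    finally:
        conn.close()
    if body.get("type") != "sync":
        raise RuntimeError(f"snapd error: {body.get('result')}")
    return {s["name"]: (s["version"], s["revision"])
            for s in body["result"]
            if s["name"] == "juju" or s["name"].startswith("juju-")}
```

Because the interface is granted without auto-connect, the `SnapdAccessDenied` path is what every fresh install hits first, so its message is the place to print the connect instructions.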