Snapd-control request for jhack

Hello snappers,

the jhack charm vinfo command makes a snapd request over unix socket in order to obtain version information of the juju snap.

The goal is to list some debugging information including the fingerprints of all of the juju-* snaps presently installed on the host.

This is what it looks like when run from sources (or devmode). image

When run from the strictly confined snap, that results into an apparmor denial:

Log: apparmor="DENIED" operation="connect" class="file" profile="snap.jhack.jhack" name="/run/snapd.socket" pid=1984061 comm="python3" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

I understand that the snapd-control interface would allow jhack to make such requests. Can you grant jhack the necessary permissions?

the `snapd-control’ interface is massively powerful and effectively makes your snap own the machine (i.e. allows to circumvent all confinement) …

for security reasons you might be better off to use a system-files interface to gain read access to /var/lib/snapd/state.json and parse it …

Indeed - see the similar request Manual review for software-inventory-exporter + auto-connect request for system-files and snapd-control for guidance - snapd-control is not appropriate for this use-case. Also note there is a potential snapd-observe interface in the works as well -

Aha, good to know… I mean, this is just postponing jhack’s inevitable overtake of the world, but I can see the point. is snapd/state.json guaranteed to be up to date?

1 Like

it should be, yes (@pedronis may correct me here though in case i’m wrong)

@pedronis ping, can you please confirm:

it’s up-to-date, but it’s not intended to be consumed by outside snapd itself, so I would be -1 on that system-files access. I see two path forwards: either making jhack classic or waiting for snapd-observe.

If the alternates are either confinement: classic or granting snapd-control, I would prefer to +1 snapd-control and when snapd-obvserve is ready we can revoke snapd-control in favour of snapd-observe.

Classic does have the advantage of requiring --classic to install which alerts the user to the power of the snap, so perhaps in this case we do snapd-control but no auto-connect. Could jhack alert the user that they’re required to connect it just for jhack charm vinfo ?

yes I think that’s fair. I can catch that specific error and surface the instructions relatively easily.

so +1 for snapd-control but no auto-connect from my side.

I concur with @dclane’s choice of snapd-control over classic. I support the use of snapd-control temporarily, but we should reduce privileges once snapd-observe is available, and it should be without auto-connect. +1

1 Like

+2 for, 0 against. Granting the use of snapd-control interface without auto-connect. This is now live


1 Like