Hi, I have two questions about plugs and strict confinement. (I currently don't have much experience with snaps/Linux.) I have a snap (a tool snap) with a lot of standard tools in it, e.g. tcpdump, candump, cansend, curl, lsusb etc. and 30 more tools I need in my application. Finally, I need it working with strict confinement; devmode and classic are no options.

Question: How can I figure out which plugs are needed for 30 tools without trial and error? For some tools it's clear which plugs are needed, but I would like to understand how the plugs can be chosen without trying.

My first problem is the tcpdump tool.
Up to now I worked with confinement: classic and sometimes devmode, so there are fewer restrictions regarding permissions. But finally I would like to use the snap with strict confinement, therefore I need to know the plugs needed by every tool.
My first idea was to check the needed plugs tool by tool, but it failed with the first tool, “tcpdump”. I have a script in my snap which tests the installed tools, e.g. to test tcpdump:
```bash
#!/bin/bash
# Test tcpdump
echo "Test tcpdump"
tcpdump -i eth0 -c 10
echo "Test lsusb..."
lsusb
...
...
```
I added in this case the following plugs to the snap:
- network
- network-bind
- network-control
- network-observe
- process-control
- hardware-observe
- system-observe
In devmode / classic everything works. After building the snap in classic/devmode (with fewer restrictions) the script started tcpdump and showed me something. But after switching to “strict” it failed with the following message:
```
toolstest Test tcpdump tcpdump: eth0: You don't have permission to capture on that device (socket: Operation not permitted)
```
I have a build script for the snap where I connect the plugs which are not auto-connected.
```
$ snap connections toolstest
Interface         Plug                        Slot               Notes
hardware-observe  toolstest:hardware-observe  :hardware-observe  manual
network           toolstest:network           :network           -
network-bind      toolstest:network-bind      :network-bind      -
network-control   toolstest:network-control   :network-control   manual
network-observe   toolstest:network-observe   :network-observe   manual
process-control   toolstest:process-control   :process-control   manual
system-observe    toolstest:system-observe    :system-observe    manual
```
My snap:
```yaml
name: toolstest # you probably want to 'snapcraft register <name>'
base: core20 # the base snap is the execution environment for this snap
version: '0.1' # just for humans, typically '1.2+git' or '1.3.2'
summary: Test snap to test plugs and sockets necessary
description: |
  Test snap to test plugs and sockets necessary
grade: stable # must be 'stable' to release into candidate/stable channels
confinement: strict # use 'strict' once you have the right plugs and slots
# devmode -> no sandbox and ignore confinement settings
# classic -> full access to system resources
# strict -> access to specific resources
architectures:
  - build-on: amd64
    run-on: amd64
apps:
  toolstest:
    command: toolstest.sh
  tcpdump:
    command: usr/sbin/tcpdump
    plugs:
      - network
      - network-bind
      - network-control
      - network-observe
      - process-control
      - hardware-observe
      - system-observe
parts:
  toolstest:
    plugin: dump
    source: .
    stage:
      - run_tcpdump.sh
      - toolstest.sh
  tcpdump:
    plugin: nil
    source: .
    stage-packages:
      - tcpdump
```
How can I get tcpdump working with strict confinement? There is no difference whether I start tcpdump with or without sudo, or via my script or directly:
- toolstest
- sudo toolstest
- toolstest.tcpdump -i eth0
- sudo toolstest.tcpdump -i eth0
I always get:
```
Test tcpdump
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)
```
or
```
Test tcpdump
tcpdump: Couldn't change to 'tcpdump' uid=109 gid=115: Operation not permitted
```
BR Stefan
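Added example, not part of Stefan's post: a small POSIX sh/awk scanner that filters kernel audit lines for the denials belonging to one snap (here the post's `toolstest`) and lists what the sandbox refused. This is the way to choose plugs without trial and error: run the tool under strict confinement, read the AppArmor and seccomp denials the kernel logs, and map each denial to the interface whose documentation grants it. The log lines inside are constructed to mirror the post's two errors (a refused `net_raw` capability and a refused `setgid`, syscall 106 on x86_64) and are not captured from a real system; the function name, the syscall-number subset and the snap name are assumptions. On a live system the `snappy-debug` snap does the same job and also suggests interfaces.

```shell
#!/bin/sh
# Added example (not from the forum post): pull the confinement denials for
# one snap out of kernel audit lines and summarise what was refused.
# Usage on a real host:  journalctl -k --since "10 min ago" | snap_denials toolstest
# The lines in SAMPLE_LOG are constructed to mirror the two errors in the
# post; they were not captured from a real system.

# Constructed audit lines: one AppArmor capability denial and one seccomp
# denial for snap "toolstest", plus a denial from a different snap that the
# scanner must ignore.
SAMPLE_LOG='kernel: audit: type=1400 audit(1700000000.101:20): apparmor="DENIED" operation="capable" profile="snap.toolstest.tcpdump" pid=4242 comm="tcpdump" capability=13  capname="net_raw"
kernel: audit: type=1326 audit(1700000000.102:21): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.toolstest.tcpdump pid=4242 comm="tcpdump" exe="/snap/toolstest/x1/usr/sbin/tcpdump" sig=0 arch=c000003e syscall=106 compat=0 ip=0x7f0000001234 code=0x50000
kernel: audit: type=1400 audit(1700000000.103:22): apparmor="DENIED" operation="open" profile="snap.othersnap.app" name="/etc/hosts.allow" pid=5555 comm="app" requested_mask="r" denied_mask="r"'

# snap_denials SNAPNAME   (audit lines on stdin)
# Prints one line per distinct denial:
#   apparmor <operation> <capability-or-path>
#   seccomp  <syscall-name>(<number>)
snap_denials() {
  grep "snap\.$1\." | awk '
    /apparmor="DENIED"/ {
      op = ""; what = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "operation") op = kv[2]
        if (kv[1] == "capname" || kv[1] == "name") what = kv[2]
      }
      gsub(/"/, "", op); gsub(/"/, "", what)
      print "apparmor", op, what
    }
    /type=1326/ {
      sc = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^syscall=/) sc = substr($i, 9)
      # Partial x86_64 (arch=c000003e) syscall table, an assumption kept
      # deliberately small; other numbers are printed raw.
      nm = (sc == "105") ? "setuid" : ((sc == "106") ? "setgid" : "syscall")
      print "seccomp", nm "(" sc ")"
    }
  ' | sort -u
}

# Run the scanner over the constructed sample for snap "toolstest".
scan_sample() {
  printf '%s\n' "$SAMPLE_LOG" | snap_denials toolstest
}

scan_sample
```

The first output line names a capability, which is the kind of denial an interface can grant once the right plug is connected (check the interface's documentation rather than guessing). The second line, a refused `setgid`, is what the post's `Couldn't change to 'tcpdump' uid=109 gid=115` error looks like at the kernel level: the tool is trying to drop from root to its own service user, and that is decided by the sandbox's syscall filter, not by a plug. tcpdump's `-Z` option controls which user it drops to, so that is the knob to look at for the second error.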