Hi snap team,
I am trying to put a snap oneshot service in my core24 gadget snap which calls /usr/sbin/ethtool to re-configure the network interface on boot, and need some advice.
I tried to connect the network-control plug but still get ‘denied’ by AppArmor. I am guessing I might need the rule
/{,usr/}{,s}bin/ethtool ixr,
in the network-control interface, but I am not sure if a PR is the correct way to go?
A little background:
I am working on a custom platform whose SoC supports Ethernet speed 1000baseT/Full, but the integrated system does not support the speed (hardware limitation). The customer would like to disable 1000baseT/Full speed advertising during Ethernet speed auto-negotiation to reduce the link setup time.
The network interface uses the Intel kernel driver igb, which seems to have no driver on-load option to configure the speed advertisement. Instead, it supports using ethtool as mentioned in the readme.
My approach is to place a snap oneshot service to execute the command:
/usr/sbin/ethtool -s enp2s0 advertise 0x00f
However, even with the network-control plug connected, executing the script still results in the error:
Sep 24 14:17:37 localhost kernel: audit: type=1400 audit(1758723457.394:207): apparmor="DENIED" operation="exec" class="file" profile="snap.mygadget.config-eth-speed" name="/usr/sbin/ethtool" pid=8393 comm="config-eth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
It seems to work after I manually added the rule to allow access to ‘ethtool’ in the ‘network-control’ interface and tested with a locally built snapd. I am wondering if it is safe to do so.
Code snippet as reference:
snapcraft.yaml
parts:
  config-eth-speed:
    plugin: dump
    source: config-eth-speed
    prime:
      - usr/sbin/config-eth-speed.sh
apps:
  config-eth-speed:
    command: usr/sbin/config-eth-speed.sh
    daemon: oneshot
    plugs:
      - network-control
config-eth-speed/usr/sbin/config-eth-speed.sh
#!/bin/sh
set -x
/usr/sbin/ethtool -s enp2s0 advertise 0x00f
Sorry for the long description.
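
To check a proposed rule against a denial before rebuilding snapd, the following added example (not part of the original post and not snapd code) parses the audit record quoted above and tests whether the suggested rule covers the denied path and permission. It assumes rules made of literal paths with `{a,b}` alternations only (no `*` wildcards); the function names are hypothetical.

```python
import re
import shlex

# Audit record and proposed rule, both copied from the post above.
DENIAL = ('Sep 24 14:17:37 localhost kernel: audit: type=1400 audit(1758723457.394:207): '
          'apparmor="DENIED" operation="exec" class="file" '
          'profile="snap.mygadget.config-eth-speed" name="/usr/sbin/ethtool" '
          'pid=8393 comm="config-eth" requested_mask="x" denied_mask="x" fsuid=0 ouid=0')
RULE = "/{,usr/}{,s}bin/ethtool ixr,"


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    _, sep, record = line.partition("apparmor=")
    if not sep:
        return {}  # not an AppArmor record
    # shlex strips the double quotes around values such as name="/usr/sbin/ethtool"
    return dict(tok.split("=", 1) for tok in shlex.split(sep + record) if "=" in tok)


def expand_braces(pattern):
    """Expand AppArmor {a,b} alternations into the literal paths they match."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def rule_covers(rule, denial):
    """True if the rule's path alternatives and permissions cover the denial."""
    path_glob, perms = rule.rstrip(",").split()
    # 'ix' is inherit-execute: the binary runs under the caller's own profile,
    # so it satisfies a denied 'x' without leaving the snap's confinement.
    granted = set(perms.replace("ix", "x"))
    return (denial["name"] in expand_braces(path_glob)
            and set(denial["denied_mask"]) <= granted)


if __name__ == "__main__":
    d = parse_denial(DENIAL)
    print(d["profile"], d["operation"], d["name"], d["denied_mask"])
    print(expand_braces(RULE.split()[0]))
    print("rule covers denial:", rule_covers(RULE, d))
```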