that log obviously only shows the install process … did you also run the snapped app ?
Hi,
when i try to run using
laxman1234@localhost:~$ snap run toggle-rf-states
error: cannot find app “toggle-rf-states” in “toggle-rf-states”
snap info returned
commands:
- toggle-rf-states.toggle
if i run toggle-rf-states.toggle im getting error as below
/snap/toggle-rf-states/x1/command-toggle.wrapper: 4: exec: /snap/toggle-rf-states/x1/…/toggle.sh: not found.
is anything wrong with my snapcraft.yaml?
apps:
toggle:
command: …/toggle.sh
plugs: [network, network-control]
parts:
toggle:
source: .
plugin: nil
what do you expect this to do ? (hint: it does nothing)
try something like:
parts:
toggle:
source: .
plugin: dump
organize:
myscript: usr/bin/myscriptHi,
i made the above change then if i run
$sudo toggle-rf-states.toggle
grep: /sys/class/rfkill/rfkill0/name: Permission denied
grep: /sys/class/rfkill/rfkill1/name: Permission denied
/snap/toggle-rf-states/x1/toggle: 3: /snap/toggle-rf-states/x1/toggle.sh: [[: not found
grep: /sys/class/rfkill/rfkill0/name: Permission denied
grep: /sys/class/rfkill/rfkill1/name: Permission denied
/snap/toggle-rf-states/x1/toggle: 8: /snap/toggle-rf-states/x1/toggle.sh: [[: not found
and i’m pretty sure you will find corresponding apparmor denials in syslog for this …
(the other “[[: not found” is related to the bash specific code as i said above)
ya,
ul 31 13:24:04 localhost /usr/lib/snapd/snapd[1245]: daemon.go:176: DEBUG: uid=1000;@ GET /v2/snaps/toggle-rf-states 5.167ms 200
Jul 31 13:24:26 localhost kernel: [ 4409.805772] audit: type=1400 audit(1501507466.917:54): apparmor=“DENIED” operation=“open” profile=“snap.toggle-rf-states.toggle” name="/sys/devices/virtual/bluetooth/hci0/rfkill0/name" pid=3468 comm=“grep” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
Jul 31 13:24:26 localhost kernel: [ 4409.806819] audit: type=1400 audit(1501507466.917:55): apparmor=“DENIED” operation=“open” profile=“snap.toggle-rf-states.toggle” name="/sys/devices/platform/wcn36xx/ieee80211/phy0/rfkill1/name" pid=3468 comm=“grep” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
1 Like
Can you add to /var/lib/snapd/apparmor/profiles/snap.toggle-rf-states.toggle before the final ‘}’ the following:
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/{,*} r,
Then load the updated policy into the kernel with:
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.toggle-rf-states.toggle
and report back if you have any security denials?
(I’ve already submitted the above to an existing PR and a future release of snapd will have the update)
Actually, this is what I’ve submitted:
/sys/class/rfkill/ r,
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/{,**} r,
Hi,
i made above mentioned change then observed below log.
/snap/toggle-rf-states/x1/toggle.sh: 11: /snap/toggle-rf-states/x1/toggle.sh: 1: not found
/snap/toggle-rf-states/x1/toggle.sh: 18: /snap/toggle-rf-states/x1/toggle.sh: cannot create /sys/class/rfkill/rfkill1/state: Permission denied
/snap/toggle-rf-states/x1/toggle.sh: 19: /snap/toggle-rf-states/x1/toggle.sh: cannot create /sys/class/rfkill/rfkill0/state: Permission denied
So the reading from /sys/class/rfkill/rfkill0/name now works, but writing to the state file does not … i guess thats a second apparmor rule needed …
I’ve added this to the PR:
/sys/devices/{pci[0-9]*,platform,virtual}/**/rfkill[0-9]*/state w,
please comment if this addresses the issue.
Hi,
still facing same issue
/snap/toggle-rf-states/x2/toggle.sh: 17: /snap/toggle-rf-states/x2/toggle.sh: cannot create /sys/class/rfkill/rfkill1/state: Permission denied
/snap/toggle-rf-states/x2/toggle.sh: 18: /snap/toggle-rf-states/x2/toggle.sh: cannot create /sys/class/rfkill/rfkill0/state: Permission denied
i guess this should be /sys/class/…
@laxman456 - you added the rule to your profile and loaded it into the kernel ala Wifi and bluetooth on snappy ubuntu on a dragonboard?? If so, can you paste the most recent denial from /var/log/syslog for this access?
/sys/class/rfkill/* are typically symlinks out to /sys/devices. Eg:
$ ls -l /sys/class/rfkill/
total 0
lrwxrwxrwx 1 root root 0 Jul 31 12:37 rfkill0 -> ../../devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/bluetooth/hci0/rfkill0
lrwxrwxrwx 1 root root 0 Jul 31 12:37 rfkill2 -> ../../devices/pci0000:00/0000:00:1c.4/0000:3a:00.0/ieee80211/phy0/rfkill2
Aug 1 13:10:34 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 510 on Do: Mount snap “toggle-rf-states” (unset)
Aug 1 13:10:34 localhost systemd[1]: Reloading.
Aug 1 13:10:35 localhost systemd[1]: Reloading.
Aug 1 13:10:35 localhost systemd[1]: Mounting Mount unit for toggle-rf-states…
Aug 1 13:10:35 localhost systemd-udevd[616]: Network interface NamePolicy= disabled on kernel command line, ignoring.
Aug 1 13:10:35 localhost systemd[1]: Mounted Mount unit for toggle-rf-states.
Aug 1 13:10:35 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 511 on Do: Copy snap “toggle-rf-states” data
Aug 1 13:10:35 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 512 on Do: Setup snap “toggle-rf-states” (unset) security profiles
Aug 1 13:10:36 localhost kernel: [27139.086826] audit: type=1400 audit(1501593036.804:108): apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.toggle-rf-states.toggle” pid=6030 comm=“apparmor_parser”
Aug 1 13:10:36 localhost kernel: [27139.181732] audit: type=1400 audit(1501593036.896:109): apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.core.hook.configure” pid=6037 comm=“apparmor_parser”
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 513 on Do: Make snap “toggle-rf-states” (unset) available to the system
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 514 on Do: Setup snap “toggle-rf-states” (unset) security profiles (phase 2)
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 515 on Do: Set automatic aliases for snap “toggle-rf-states”
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 516 on Do: Setup snap “toggle-rf-states” aliases
Aug 1 13:10:37 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 517 on Do: Start snap “toggle-rf-states” (unset) services
Aug 1 13:10:38 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 518 on Do: Run configure hook of “toggle-rf-states” snap if present
Aug 1 13:10:38 localhost /usr/lib/snapd/snapd[1247]: daemon.go:176: DEBUG: uid=0;@ GET /v2/snaps?snaps=toggle-rf-states 4.883ms 200
Aug 1 13:11:37 localhost kernel: [27200.121192] audit: type=1400 audit(1501593097.836:110): apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.toggle-rf-states.toggle” pid=6078 comm=“apparmor_parser”
Aug 1 13:12:00 localhost rsyslogd-2007: action ‘action 10’ suspended, next retry is Tue Aug 1 13:13:30 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
There is no apparmor denial in that paste. Are you running the command as non-root?
Aug 1 13:18:19 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 533 on Do: Setup snap “toggle-rf-states” aliases
Aug 1 13:18:19 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 534 on Do: Start snap “toggle-rf-states” (unset) services
Aug 1 13:18:20 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 535 on Do: Run configure hook of “toggle-rf-states” snap if present
Aug 1 13:18:20 localhost /usr/lib/snapd/snapd[1247]: daemon.go:176: DEBUG: uid=0;@ GET /v2/snaps?snaps=toggle-rf-states 3.509ms 200
Aug 1 13:18:36 localhost rsyslogd-2007: action ‘action 10’ suspended, next retry is Tue Aug 1 13:20:06 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 1 13:19:08 localhost kernel: [27651.027914] audit: type=1400 audit(1501593548.744:114): apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.toggle-rf-states.toggle” pid=6354 comm=“apparmor_parser”
Aug 1 13:20:15 localhost rsyslogd-2007: action ‘action 10’ suspended, next retry is Tue Aug 1 13:21:45 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 1 13:20:15 localhost kernel: [27718.208073] audit: type=1400 audit(1501593615.924:115): apparmor=“DENIED” operation=“capable” profile=“snap.toggle-rf-states.toggle” pid=6391 comm=“toggle.sh” capability=12 capname=“net_admin”
if i run with sudo then
/snap/toggle-rf-states/x1/toggle.sh: 11: /snap/toggle-rf-states/x1/toggle.sh: 1: not found
sh: echo: I/O error
sh: echo: I/O error
and syslog
Aug 1 13:18:20 localhost /usr/lib/snapd/snapd[1247]: taskrunner.go:367: DEBUG: Running task 535 on Do: Run configure hook of “toggle-rf-states” snap if present
Aug 1 13:18:20 localhost /usr/lib/snapd/snapd[1247]: daemon.go:176: DEBUG: uid=0;@ GET /v2/snaps?snaps=toggle-rf-states 3.509ms 200
Aug 1 13:18:36 localhost rsyslogd-2007: action ‘action 10’ suspended, next retry is Tue Aug 1 13:20:06 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 1 13:19:08 localhost kernel: [27651.027914] audit: type=1400 audit(1501593548.744:114): apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.toggle-rf-states.toggle” pid=6354 comm=“apparmor_parser”
Aug 1 13:20:15 localhost rsyslogd-2007: action ‘action 10’ suspended, next retry is Tue Aug 1 13:21:45 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Aug 1 13:20:15 localhost kernel: [27718.208073] audit: type=1400 audit(1501593615.924:115): apparmor=“DENIED” operation=“capable” profile=“snap.toggle-rf-states.toggle” pid=6391 comm=“toggle.sh” capability=12 capname=“net_admin”
Aug 1 13:22:14 localhost rsyslogd-2007: action ‘action 10’ suspended, next retry is Tue Aug 1 13:23:44 2017 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
This indicates that the network-control interface is not connected. Can you connect the interface? Doing that will remove your newly added rfkill rules, so after connecting the interface, can you add back the rfkill rules and try again?