snap interface (plugs) matching

Jamie Strandboge jamie at canonical.com
Thu Jul 21 17:51:24 UTC 2016


On Thu, 2016-07-21 at 10:26 -0700, Martin Winter wrote:
> I’m running into a weird issue here while trying to get the correct 
> plugs added and they don’t seem to get detected/parsed correctly:
> 
> My snapcraft.yaml looks like this (extract for a simple process only):
> 
> 	[…]
> 	apps:
> 	    ospf6d:
> 	        command: bin/ospf6d-service
> 	        daemon: simple
> 	        plugs:
> 	            - firewall-control
> 	            - network
> 	            - network-bind
> 	            - network-control
> 	            - network-observe
> 	[…]
> 
> But when I run the program, I still get the following error:
> (with snappy-debug.security scanlog quagga)
> 
> 	= AppArmor =
> 	Time: Jul 21 10:13:38
> 	Log: apparmor="DENIED" operation="create" profile="snap.quagga.ospf6d" 
> pid=20622 comm="ospf6d" family="inet6" sock_type="raw" protocol=89 
> requested_mask="create" denied_mask="create"
> 	Suggestion:
> 	* add one of 'firewall-control, network-control, network-observe' to 
> 'plugs'
> 
> Looking at the interfaces with the snap command, I see the following:
> 
> # snap interfaces
> Slot                 Plug
> :camera              -
> :cups-control        -
> :firewall-control    -
> :gsettings           -
> :home                -
> :locale-control      -
> :log-observe         snappy-debug
> :modem-manager       -
> :mount-observe       -
> :network             quagga
> :network-bind        quagga
> :network-control     -
> :network-manager     -
> :network-observe     -
> :opengl              -
> :optical-drive       -
> :ppp                 -
> :pulseaudio          -
> :snapd-control       -
> :system-observe      -
> :timeserver-control  -
> :timezone-control    -
> :unity7              -
> :x11                 -
> -                    quagga:firewall-control
> -                    quagga:network-control
> -                    quagga:network-observe
> 
> 
> Question:
> 
> Why is firewall-control / network-control / network-observe not 
> correctly detected? It looks like it gets prefixed by “quagga:” and 
> not assigned the correct Slot.
> 
> (This is Ubuntu 16.04, Snapcraft 2.12, snap 2.0.10)
> 

They are detected but not automatically connected because firewall-control,
network-control and network-observe give privileged access to the system. After
install, you should do:

$ sudo snap connect quagga:firewall-control ubuntu-core:firewall-control
$ sudo snap connect quagga:network-control ubuntu-core:network-control
$ sudo snap connect quagga:network-observe ubuntu-core:network-observe

Once done, this will be remembered on upgrades (but not remove/install). AIUI
the snappy team is discussing how to make this easier and discoverable. This was
also discussed a bit here:
https://lists.ubuntu.com/archives/snapcraft/2016-July/000416.html

Side note for those interested in cross-distro: AIUI, at some point
'ubuntu-core' will both not be required in the command (ie, use
':firewall-control') and 'ubuntu-core' will be renamed to not include 'ubuntu'
(ie, use '<TBD>:firewall-control').

-- 
Jamie Strandboge             | http://www.canonical.com
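
Added example, not part of the original message: a small script that reads the two-column `snap interfaces` output quoted above, lists the plugs of one snap that have no slot (the rows with "-" in the Slot column), and prints the `snap connect` commands from the reply so they can be reviewed before being run. It assumes the snap 2.0.10 output format and the 'ubuntu-core' slot snap shown in this thread; the function names and the abridged sample are constructed for the example.

```shell
#!/bin/sh
# List plugs that `snap interfaces` shows as unconnected (slot column "-")
# and print the matching `snap connect` commands for review.
# Assumption: two-column output format as quoted in this thread, and
# 'ubuntu-core' as the snap providing the slots.

# Constructed sample, abridged from the output quoted in the thread.
sample_interfaces() {
cat <<'EOF'
Slot                 Plug
:firewall-control    -
:log-observe         snappy-debug
:network             quagga
:network-bind        quagga
:network-control     -
:network-observe     -
-                    quagga:firewall-control
-                    quagga:network-control
-                    quagga:network-observe
EOF
}

# unconnected_plugs SNAP: reads `snap interfaces` output on stdin and prints
# one "snap:plug" per line for each plug of SNAP that has no slot.
unconnected_plugs() {
    awk -v snap="$1" '
        NR == 1 { next }                                  # skip header row
        $1 == "-" && index($2, snap ":") == 1 { print $2 }
    '
}

# connect_commands SNAP: turns each unconnected plug into the command given
# in the reply. Commands are only printed, never executed.
connect_commands() {
    unconnected_plugs "$1" | while IFS=: read -r name plug; do
        printf 'sudo snap connect %s:%s ubuntu-core:%s\n' "$name" "$plug" "$plug"
    done
}

# Demo on the sample; on a real system: snap interfaces | connect_commands quagga
sample_interfaces | connect_commands quagga
```

The plugs it reports are the ones that grant privileged access, so each printed command is a decision to review rather than something to pipe straight into a shell.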
