k1412 | Hello, I have a little question. How do we configure network-control for an existing snapd application? I can't find a complete tutorial about it. | 08:14 |
---|---|---|
mup | PR snapd#5886 opened: [testing] [pre-rfc] [wip] split spread in travis <Created by chipaca> <https://github.com/snapcore/snapd/pull/5886> | 09:57 |
=== sgclark_sleeping is now known as sgclark | ||
zyga | k1412: hey, | 12:49 |
zyga | k1412: just add a network-control slot to your snapcraft.yaml file | 12:49 |
zyga | then connect it | 12:49 |
zyga | it grants numerous permissions to setup networking | 12:49 |
k1412 | Hello zyga, does it also work if we installed it with snap install anbox --devmode --beta? Because in this case I don't know exactly where the yaml file is | 12:50 |
zyga | k1412: what are you trying to do exactly? | 12:51 |
zyga | are you making a new snap | 12:51 |
zyga | or changing an existing snap? | 12:51 |
k1412 | Changing an existing one. I want to launch it isolated in a defined network namespace | 12:52 |
k1412 | zyga: normally I launch my application with ip netns exec, but for snapd it fails with an error, so I saw the info about network-control | 12:55 |
zyga | mmm | 12:55 |
zyga | you can repack a snap but I would not recommend doing that | 12:55 |
k1412 | zyga: it looks a little complicated when I hear that ^^, maybe the error message can help to understand the issue? | 12:56 |
zyga | k1412: snapd doesn't use network namespaces | 12:56 |
zyga | so you should be able to just wrap the whole thing with a new network namespace | 12:56 |
zyga | and run any snap this way | 12:56 |
k1412 | zyga: this is the error I have when I try to run my snap with ip netns | 12:57 |
k1412 | cannot execute snap-update-ns: Permission denied | 12:57 |
k1412 | snap-update-ns failed with code 1: File exists | 12:57 |
zyga | do you have any apparmor denials in syslog/journald? | 12:58 |
k1412 | I use Debian so I think there is maybe a default configuration (this is the command I use to launch it: sudo ip netns exec protected sudo -u $USER snap run anbox) | 12:58 |
zyga | what is 'protected'? | 13:00 |
zyga | and what are you trying to achieve? | 13:00 |
zyga | anbox snap is just an installer last time I checked | 13:00 |
zyga | it requires some things that may or may not work on Debian (I don't know) | 13:00 |
k1412 | protected is the network namespace I created before; I want to be sure that anbox only uses the interfaces that I allow it to use (for example: no connection, VPN, LAN network) | 13:02 |
k1412 | zyga: the normal launch (snap run anbox) is working | 13:03 |
zyga | Mmm. I see | 13:12 |
zyga | TBH not sure why it fails | 13:12 |
k1412 | zyga: no problem, I will try to get some answers from firejail too because they have a snapd profile but it looks like it's failing too (https://privatebin.net/?299984217221dd99#Iv9/L1Q49cU41it7bVeo2zjRIqKt9mAHD3JO7/SKy00=) | 13:15 |
zyga | Frankly, unless you want to jump into the kernel and snapd, confining snapd is not an easy task | 13:16 |
zyga | Perhaps run it in a VM | 13:16 |
zyga | If you want to investigate what is going on at that level then all the power to you | 13:16 |
zyga | Just want to say it is severely complicated. | 13:16 |
k1412 | I'm not good enough to go that far ^^ maybe a complete chroot with firejail would be easier | 13:17 |
zyga | I doubt it | 13:20 |
zyga | Firejail is just another level of apparmor and seccomp | 13:20 |
zyga | So more complexity and kernel interaction | 13:20 |
zyga | And snap changes profiles | 13:20 |
zyga | So unless firejail stacks (and that is a super new feature in apparmor itself) you may effectively NOP | 13:21 |
zyga | Firejail won’t confine snap apps | 13:21 |
zyga | (Again, just a theory) | 13:21 |
k1412 | I will try it to see, it would be a lot of fun ^^ (that is assuming that snapd can work in something like a chroot, I'm not even sure about that) | 13:22 |
zyga | Well, snapd talks to systemd | 13:23 |
zyga | And to the kernel | 13:23 |
zyga | I’m unsure your actions make sense in trying to prevent snapd from affecting your system | 13:24 |
k1412 | It's more that if it can work in a chroot (like another system) I just need to pass my complete chroot to my network namespace (but that is mostly theory). I will begin by just trying to run snap from a chroot and see what happens | 13:26 |
zyga | Snapd can get out of a chroot | 13:27 |
zyga | Chroot is not effective confinement | 13:27 |
k1412 | zyga: Ah? Is there a way to test it (at the same time so I can try it a little) | 13:28 |
zyga | k1412: test what specifically? | 13:34 |
k1412 | zyga: to exit a chroot with snap | 13:35 |
zyga | k1412: all of those things have complex interactions; it seems you are trying to harden your installation of snapd; to effectively measure if the hardening makes any changes you'd have to know how snapd operates and how the kernel features it uses (+chroot + firejail) interact with each other; then you could try to mount an attack to see if the contraption works | 13:35 |
zyga | k1412: snap-confine does this | 13:36 |
zyga | I don't think this is sensible confinement | 13:36 |
zyga | because it deals with sandboxing of apps snapd is not a typical service that can be sandboxed easily | 13:36 |
zyga | the permissions snapd _can_ grant applications are equivalent of sandbox escape in some cases | 13:37 |
zyga | so it's really meaningless to chroot it | 13:37 |
k1412 | I see, to be honest I'm just trying to find a way to assign it to a network namespace I want, but without rebuilding a snap. Maybe you are right, it's maybe easier to run it in VirtualBox and assign VirtualBox to a network namespace | 13:38 |
zyga | I don't know why it failed for you in the most straightforward case | 13:38 |
zyga | I'd look at debugging that | 13:38 |
zyga | strace ip setns | 13:39 |
zyga | see what happens | 13:39 |
k1412 | zyga: it looks like it's complaining about the uid that is not 0 and thinks that sudo is maybe setuid or without root rights (it's maybe related to when I do sudo -u the second time) | 13:44 |
zyga | it == ip setns? | 13:45 |
k1412 | zyga: snap. I can copy-paste the log of strace but it's in French, I'm not sure it will help | 13:46 |
zyga | I think I'm too tired to debug that | 13:46 |
k1412 | No problem, thanks for giving me some leads that can help | 13:47 |
erio | :O | 14:59 |
erio | damn | 14:59 |
erio | https://github.com/search?q=depends-on-alsa&type=Code | 14:59 |
erio | https://www.google.com/search?q=%22depends-on-alsa%3A%22+%22snapcraft.yaml%22&oq=%22depends-on-alsa%3A%22+%22snapcraft.yaml%22&aqs=chrome..69i57.10368j0j1&sourceid=chrome&ie=UTF-8 | 15:02 |
erio | anyone here? | 15:31 |
=== matteo| is now known as matteo | ||
erio | :O | 17:30 |
erio | :o | 18:01 |
erio | ? | 18:59 |
mup | PR snapd#5887 opened: tests: moving core-snap-refresh-on-core test from main to nested suite <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/5887> | 20:32 |
erio | could someone explain to me wth is stage and wth is prime? | 20:41 |
erio | the definition in the docs is just awful | 20:41 |
erio | anyone online? | 23:44 |
erio | anyone online? | 23:49 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!