[08:14] <k1412> Hello, I have a little question. How do we configure network-control for an existing snapd application? I can't find a complete tutorial about it.
[09:57] <mup> PR snapd#5886 opened: [testing] [pre-rfc] [wip] split spread in travis <Created by chipaca> <https://github.com/snapcore/snapd/pull/5886>
[12:49] <zyga> k1412: hey,
[12:49] <zyga> k1412: just add a network-control slot to your snapcraft.yaml file
[12:49] <zyga> then connect it
[12:49] <zyga> it grants numerous permissions to set up networking
[12:50] <k1412> Hello zyga, does it also work if we installed it with snap install anbox --devmode --beta ? Because in this case I don't know where the yaml file is exactly
[12:51] <zyga> k1412: what are you trying to do exactly?
[12:51] <zyga> are you making a new snap
[12:51] <zyga> or changing an existing snap?
[12:52] <k1412> Changing an existing one, I want to launch it isolated in a defined network namespace
[12:55] <k1412> zyga: normally I launch my application with ip netns exec, but for snapd it fails with an error, so I saw the info about network-control
[12:55] <zyga> mmm
[12:55] <zyga> you can repack a snap but I would not recommend to do that
[12:56] <k1412> zyga: it looks a little complicated when I hear that ^^, maybe the error message can help to understand the issue?
[12:56] <zyga> k1412: snapd doesn't use network namespaces
[12:56] <zyga> so you should be able to just wrap the whole thing with a new network namespace
[12:56] <zyga> and run any snap this way
[12:57] <k1412> zyga: this is the error I have when I try to run my snap with ip netns
[12:57] <k1412> cannot execute snap-update-ns: Permission denied
[12:57] <k1412> snap-update-ns failed with code 1: File exists
[12:58] <zyga> do you have any apparmor denials in syslog/journald?
[12:58] <k1412> I use Debian so I think there is maybe a default configuration (this is the command I use to launch it: sudo ip netns exec protected sudo -u $USER snap run anbox)
[13:00] <zyga> what is 'protected'?
[13:00] <zyga> and what are you trying to achieve?
[13:00] <zyga> anbox snap is just an installer last time I checked
[13:00] <zyga> it requires some things that may or may not work on Debian (I don't know)
[13:02] <k1412> protected is the network namespace I created before, I want to be sure that anbox only uses the interfaces that I allow it to use (example: no connection, vpn, lan network)
[13:03] <k1412> zyga: the normal launch (snap run anbox) is working
[13:12] <zyga> Mmm. I see
[13:12] <zyga> TBH not sure why it fails
[13:15] <k1412> zyga: no problem, I will try to get some answers from firejail too because they have a snapd profile, but it looks like it's failing too (https://privatebin.net/?299984217221dd99#Iv9/L1Q49cU41it7bVeo2zjRIqKt9mAHD3JO7/SKy00=)
[13:16] <zyga> Frankly, unless you want to jump into the kernel and snapd, confining snapd is not an easy task
[13:16] <zyga> Perhaps run it in a VM
[13:16] <zyga> If you want to investigate what is going on at that level then all the power to you
[13:16] <zyga> Just want to say it is severely complicated.
[13:17] <k1412> I'm not good enough to go that far ^^ maybe a complete chroot with firejail would be easier
[13:20] <zyga> I doubt it
[13:20] <zyga> Firejail is just another level of apparmor and seccomp
[13:20] <zyga> So more complexity and kernel interaction
[13:20] <zyga> And snap changes profiles
[13:21] <zyga> So unless firejail stacks (and that is a super new feature in apparmor itself) you may effectively get a NOP
[13:21] <zyga> Firejail won’t confine snap apps
[13:21] <zyga> (Again, just a theory)
[13:22] <k1412> I will try it to see, it would be a lot of fun ^^ (that is assuming that snapd can work in something like a chroot, which I'm not sure about)
[13:23] <zyga> Well, snapd talks to systemd
[13:23] <zyga> And to the kernel
[13:24] <zyga> I’m unsure your actions make sense in trying to prevent snapd from affecting your system
[13:26] <k1412> It's more that if it can work in a chroot (like another system) I just need to pass my complete chroot to my network namespace (but that is mostly theory). I will begin by just trying to run snap from a chroot and see what happens
[13:27] <zyga> Snapd can get out of a chroot
[13:27] <zyga> Chroot is not effective confinement
[13:28] <k1412> zyga: Ah? Is there a way to test it (at the same time, so I can try it a little)
[13:34] <zyga> k1412: test what specifically?
[13:35] <k1412> zyga: to exit a chroot with snap
[13:35] <zyga> k1412: all of those things have complex interactions; it seems you are trying to harden your installation of snapd; to effectively measure if the hardening makes any changes you'd have to know how snapd operates and how the kernel features it uses (+chroot + firejail) interact with each other; then you could try to mount an attack to see if the contraption works
[13:36] <zyga> k1412: snap-confine does this
[13:36] <zyga> I don't think this is sensible confinement
[13:36] <zyga> because it deals with sandboxing of apps, snapd is not a typical service that can be sandboxed easily
[13:37] <zyga> the permissions snapd _can_ grant applications are equivalent to a sandbox escape in some cases
[13:37] <zyga> so it's really meaningless to chroot it
[13:38] <k1412> I see, to be honest I'm just trying to find a way to assign it to a network namespace I want, but without rebuilding the snap. Maybe you are right, it's maybe easier to run it in VirtualBox and assign VirtualBox to a network namespace
[13:38] <zyga> I don't know why it failed for you in the most straightforward case
[13:38] <zyga> I'd look at debugging that
[13:39] <zyga> strace ip setns
[13:39] <zyga> see what happens
[13:44] <k1412> zyga: it looks like it's complaining about the uid not being 0, and I think sudo is maybe with suid or without root rights (it's maybe related to when I do sudo -u the second time)
[13:45] <zyga> it == ip setns?
[13:46] <k1412> zyga: snap. I can copy-paste the strace log but it's in French, I'm not sure it will help
[13:46] <zyga> I think I'm too tired to debug that
[13:47] <k1412> No problem, thanks for giving me some leads that can help
[14:59] <erio> :O
[14:59] <erio> damn
[14:59] <erio> https://github.com/search?q=depends-on-alsa&type=Code
[15:02] <erio> https://www.google.com/search?q=%22depends-on-alsa%3A%22+%22snapcraft.yaml%22&oq=%22depends-on-alsa%3A%22+%22snapcraft.yaml%22&aqs=chrome..69i57.10368j0j1&sourceid=chrome&ie=UTF-8
[15:31] <erio> anyone here?
[17:30] <erio> :O
[18:01] <erio> :o
[18:59] <erio> ?
[20:32] <mup> PR snapd#5887 opened: tests: moving core-snap-refresh-on-core test from main to nested suite <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/5887>
[20:41] <erio> could someone explain to me wth stage is and wth prime is?
[20:41] <erio> the definition in the docs is just awful
[23:44] <erio> anyone online?
[23:49] <erio> anyone online?