interfaces/bulitin: allow fwupdmgr refresh on fwupd plug

[timchen119]

Need additional privileges to access LVFS server using fwupdmgr refresh, the denied log were:

Oct 28 12:06:53 localhost kernel: [ 167.065734] audit: type=1400 audit(1477656413.664:56): apparmor="DENIED" operation="capable" profile="snap.uefi-fw-tools.fwupdmgr" pid=1396 comm="pool" capability=12 capname="net_admin"
Oct 28 12:06:53 localhost kernel: [ 167.071627] audit: type=1326 audit(1477656413.672:57): auid=1000 uid=0 gid=0 ses=1 pid=1396 comm="pool" exe="/snap/uefi-fw-tools/1/bin/fwupdmgr" sig=31 arch=c000003e syscall=307 compat=0 ip=0x7f9e14cd5e2e code=0x0

[niemeyer]

I'm not quite sure this is sound. The meaning of the plug was being able to talk to fwupd, but now it's granting actual capabilities to the plug holder. What are the details behind this change?

[jdstrand]

At first I was thinking this was fine, but then I got to thinking-- why doesn't the snap simply: plugs: [ network, network-observe ]. Clearly the refresh is pulling stuff from the network (sendmmsg is part of the network interface) and I'm betting it is trying to use ping (which is part of the network-observe interface).

[morphis]

Up to @timchen119 to comment on this.

[timchen119]

@jdstrand does network-observe allow net_admin capability ? Also I thought we want the interface alone can support the fwupd and fwupdmgr tool.

I'm not sure why I didn't catch this error with previous ubuntu core build, fwupdmgr behavior and command were same.

[jdstrand]

@timchen119 - "@jdstrand does network-observe allow net_admin capability ?" - yes.

As for fwupd, it is defined as "Can access snaps providing the fwupd interface which gives privileged access to update UEFI capsule format firmware.". It isn't designed to give network access, to run ping, etc. The network and network-observe interfaces are there for you to use for that sort of thing.

[timchen119]

@jdstrand am I missing something it looks commented out on master: https://github.com/snapcore/snapd/blob/master/interfaces/builtin/network_observe.go#L36

fwupdmgr refresh is a required action to update UEFI firmware from the LVFS, but sure if thats what we want I will use other interfaces in the snap. I can test what you mentioned when I have the machine around. thanks.

[jdstrand]

@timchen119 - hrmm, actually you are right. I was thinking of net_raw for ping and missed that net_admin was commented out. Ok, definitely use 'network' for the seccomp denial, but can you describe why fwupd needs 'net_admin'? 'man capabilities' and looking at CAP_NET_ADMIN may provide some insight.

[timchen119]

@jdstrand after some testing on the machine, add sendmmsg for secomp alone fixed the fwupdmgr refresh issue. There was still net_admin denial in apparmor but it's not crucial for the refresh process. I will re-upload a new version of the uefi-fw-tools snap with the network plug, close this PR as it would not be needed.