interfaces/builtin: silence ptrace denial for network-manager #3427

morphis · Jun 2, 2017

Adding this was recommended by @jdstrand on https://forum.snapcraft.io/t/use-of-nmcli-from-inside-a-snap/822/13 to silence the ptrace denials we still get with the network-manager interface. Adding this explicit denial does not affect the NetworkManager functionality.

zyga · Jun 2, 2017

zyga approved these changes Jun 2, 2017

View changes

+1

jdstrand · Jun 2, 2017

jdstrand approved these changes Jun 2, 2017

View changes

Approving since the rule is correct, but please adjust the comment.

It would be nice if this comment was more specific. Ie:

# Explicitly deny plugging snaps from ptracing the slot to silence noisy
# denials. Neither the NetworkManager service nor nmcli require ptrace
# trace for full functionality.

Updated and included your version of the comment.

jdstrand · Jun 2, 2017

Note, I did recommend this based on the assetion that NM didn't need it, which @morphis states is true. Also, I'll mention we don't typically like to use explicit denies because we can't undo them with later allow rules, but this particular explicit deny is very specific to plugging and slotting apps of this interface, and therefore it shouldn't get in the way of anything else.

codecov-io · Jun 6, 2017

Codecov Report

Merging #3427 into master will increase coverage by <.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #3427      +/-   ##
==========================================
+ Coverage   77.55%   77.56%   +<.01%     
==========================================
  Files         371      371              
  Lines       25519    25519              
==========================================
+ Hits        19792    19793       +1     
  Misses       3976     3976              
+ Partials     1751     1750       -1

Impacted Files	Coverage Δ
interfaces/builtin/network_manager.go	`81.57% <ø> (ø)`	⬆️
cmd/snap/cmd_aliases.go	`94% <0%> (-2%)`	⬇️
interfaces/sorting.go	`93.33% <0%> (ø)`	⬆️
overlord/snapstate/snapstate.go	`81.5% <0%> (+0.23%)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4543861...f6832b9. Read the comment docs.

@@ -103,6 +103,10 @@ network packet,
          #include <abstractions/nameservice>
+        +# Explicitly deny ptrace. This doesn't influence any NetworkManager
+        +# functionality but silences AppArmor denials in the system log.
+        +deny ptrace (trace) peer=###PLUG_SECURITY_TAGS###,

snapcore/snapd

interfaces/builtin: silence ptrace denial for network-manager #3427

morphis commented Jun 2, 2017

zyga approved these changes Jun 2, 2017

View changes

jdstrand approved these changes Jun 2, 2017

View changes

jdstrand commented Jun 2, 2017

Simon Fels added some commits Jun 2, 2017

codecov-io commented Jun 6, 2017

mvo5 merged commit `915af77` into snapcore:master Jun 6, 2017
6 of 7 checks passed

6 of 7 checks passed

snapcore/snapd

Join GitHub today

interfaces/builtin: silence ptrace denial for network-manager #3427

Conversation

morphis commented Jun 2, 2017

Some checks were not successful

zyga approved these changes Jun 2, 2017 View changes

jdstrand approved these changes Jun 2, 2017 View changes

jdstrand Jun 2, 2017

morphis Jun 2, 2017

jdstrand commented Jun 2, 2017

Simon Fels added some commits Jun 2, 2017

Some checks were not successful

All checks have passed

codecov-io commented Jun 6, 2017

Codecov Report

Hide details View details mvo5 merged commit 915af77 into snapcore:master Jun 6, 2017 6 of 7 checks passed

6 of 7 checks passed

zyga approved these changes Jun 2, 2017

View changes

jdstrand approved these changes Jun 2, 2017

View changes

mvo5 merged commit `915af77` into snapcore:master Jun 6, 2017
6 of 7 checks passed