snapd

Allow snaps to query interface connection status directly from snapd

Bug #1809708 reported by 林博仁(Buo-ren Lin)
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
snapd
Fix Released
Wishlist
Unassigned

Bug Description

Detecting whether certain security confinement interface is connected to the snap is not a trivial task:

* Sometimes certain access is granted by multiple interfaces, whether it's available or not didn't indicate whether a certain interface is connected
* One must have a certain level of Apparmor profile knowledge and check out the source code at https://github.com/snapcore/snapd/blob/master/interfaces/builtin to determine the test criterion, not all potential packagers has this kind of experience
* The testing of the connection will trigger security denials in the system log, which may be considered "abnormal" or even "malicious" by the users

As the connection info is already in snapd I would suggest exposing them directly via the `snapctl` command so one can simply write:

```bash
if ! snapctl is-connected _interface_name_; then
    echo "_interface_name_ is not connected!" >&2
fi
```

without caring much the implementation details.

Revision history for this message
林博仁(Buo-ren Lin) (brlin) wrote :

Discussion held at https://forum.snapcraft.io/t/bug-1809708-allow-snaps-to-query-interface-connection-status-directly-from-snapd/9147

Paweł Stołowski (stolowski)
Changed in snapd:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Paweł Stołowski (stolowski) wrote :

I agree some way of interrogating snapctl will be useful. Thank you for the report.

One way around this limation and the problem of probing for effective permissions that you can already use is interface hooks - see https://snapcraft.io/docs/interface-hooks - in with particular with "connect-*" hooks you can keep track of what's connected to your snap.

Revision history for this message
Ian Johnson (anonymouse67) wrote :

In Paris we agreed that this would be `snapctl is-connected <plug-name>` (or slot-name)

Revision history for this message
Paweł Stołowski (stolowski) wrote :

Implemented with https://github.com/snapcore/snapd/pull/7771, should become available with snapd 2.43.

Changed in snapd:
status: Triaged → Fix Committed
林博仁(Buo-ren Lin) (brlin)
Changed in snapd:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.