Hooks are not included in slot/plug label expressions

Bug #1851480 reported by glancr team on 2019-11-06
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| snapd   |        | High       | Paweł Stołowski | |

Bug Description

Expected behavior:
If my snap's snapcraft.yaml plugs a scoped interface for a given hook, the hook should be able to access resources provided by this interface.

Actual behavior:
The hook fails with AppArmor denials.

## Context
Hooks do not get access to interfaces if snapd's AppArmor rules for this interface are scoped with security tags. The root cause is that `builtin.AppLabelExpr` only accepts a map of app names (where services are a special kind of app). Therefore, `builtin.{plug,slot}AppLabelExpr` only pass a snap's apps and ignore the snap's hooks – even though my snapcraft.yaml contains plug stanzas for my hooks. This results in `/var/lib/snapd/apparmor/profiles/snap.network-manager.network-manager` containing allowance rules for `snap.mysnap.{app1,app2}` but not for `snap.mysnap.hook.<hook-name>`. This causes any interface access within the corresponding hook to fail with AppArmor denials, thus rendering hooks unusable if they require this interface.

Relevant parts of rule generation (taking the NM Introspectable rules as an example):
https://github.com/snapcore/snapd/blob/aebfc2b83d7ac3ec49ff6811ddf8bc8c4c93b92d/interfaces/builtin/network_manager.go#L471

https://github.com/snapcore/snapd/blob/3bf8026a337df1a1c6ed54117fede52e64a786ef/interfaces/builtin/dbus.go#L152

## Reproducing
My snap requires access to the network-manager interface during its post-refresh hook. My snapcraft.yaml has the following entries (Full source at https://gitlab.com/glancr/mirros-one-snap/blob/1.0.3/snap/snapcraft.yaml):

```yaml
hooks:
  install:
    plugs: [network, network-bind]
  post-refresh:
    plugs: [network, network-manager]
  connect-plug-network-manager:
    plugs: [network-manager]
```

Full debugging log: https://paste.ubuntu.com/p/pq29pv6zK8/
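To make the root cause concrete, here is an added, simplified re-implementation of the label-expression step (this is not snapd's code; the `Snap` type, `appendTags` and `LabelExpr` are hypothetical names). The `includeHooks` switch reproduces the apps-only expression described above beside the apps-plus-hooks expression the hook plugs in the snapcraft.yaml excerpt would need.

```go
package main

import (
	"sort"
	"strings"
)

// Simplified, hypothetical model of a snap: each app and hook maps to the
// interface plugs declared for it in snapcraft.yaml. Not snapd's own types.
type Snap struct {
	Name  string
	Apps  map[string][]string // app name  -> plugs
	Hooks map[string][]string // hook name -> plugs
}

// appendTags adds the security tag prefix+name for every entry that plugs iface.
func appendTags(tags []string, prefix string, entries map[string][]string, iface string) []string {
	for name, plugs := range entries {
		for _, p := range plugs {
			if p == iface {
				tags = append(tags, prefix+name)
				break
			}
		}
	}
	return tags
}

// LabelExpr builds the peer-label expression the slot side's AppArmor profile
// uses to allow the plugging snap: apps are tagged snap.<snap>.<app>, hooks
// snap.<snap>.hook.<hook>. includeHooks=false reproduces the reported bug.
func LabelExpr(s Snap, iface string, includeHooks bool) string {
	base := "snap." + s.Name + "."
	tags := appendTags(nil, base, s.Apps, iface)
	if includeHooks {
		tags = appendTags(tags, base+"hook.", s.Hooks, iface)
	}
	sort.Strings(tags) // deterministic order, as a generated profile needs
	switch len(tags) {
	case 0:
		return ""
	case 1:
		return tags[0]
	}
	suffixes := make([]string, len(tags))
	for i, t := range tags {
		suffixes[i] = strings.TrimPrefix(t, base)
	}
	return base + "{" + strings.Join(suffixes, ",") + "}"
}
```

With the constructed snap `mysnap` (apps `app1`, `app2` plus the three hooks from the excerpt), `LabelExpr(s, "network-manager", false)` yields `snap.mysnap.{app1,app2}`, while `true` adds `hook.connect-plug-network-manager` and `hook.post-refresh` to the brace set.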

John Lenton (chipaca) on 2019-11-07
Changed in snapd:
status: New → Confirmed
John Lenton (chipaca) on 2019-11-07
Changed in snapd:
assignee: nobody → glancr team (glancr)
Changed in snapd:
assignee: glancr team (glancr) → Paweł Stołowski (stolowski)
Changed in snapd:
status: Confirmed → In Progress
importance: Undecided → High
Michael Vogt (mvo) wrote:

This will be fixed in the 2.43 release.

Changed in snapd:
status: In Progress → Fix Committed