sandbox denials for snaps on BTLE device

Bug #1613572 reported by Pedro Coca
Affects: Snappy
Status: Fix Released
Importance: Medium
Assigned to: Jamie Strandboge

Bug Description

I got the following error running a BTLE snap in strict mode. In devmode it works fine. Syslog reports an AppArmor denial.

pcoca@haswell16:~/sensortag$ sensortag --all -n 1 C4:BE:84:70:A6:0C
Connecting to C4:BE:84:70:A6:0C
Traceback (most recent call last):
  File "/snap/sensortag/9/usr/bin/sensortag", line 9, in <module>
    load_entry_point('bluepy==1.0.5', 'console_scripts', 'sensortag')()
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/sensortag.py", line 417, in main
    tag = SensorTag(arg.host)
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/sensortag.py", line 331, in __init__
    Peripheral.__init__(self,addr)
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/btle.py", line 318, in __init__
    self.connect(deviceAddr, addrType, iface)
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/btle.py", line 367, in connect
    "Failed to connect to peripheral %s, addr type: %s" % (addr, addrType))
bluepy.btle.BTLEException: Failed to connect to peripheral C4:BE:84:70:A6:0C, addr type: public

Here is the snapcraft.yaml used for the snap:

name: sensortag
version: 1.0.5
summary: SensorTag Python Bluetooth LE implementation
description: API and command line tools for Python Bluetooth Low Energy access
confinement: strict

apps:
  sensortag:
    command: usr/bin/sensortag
    plugs: [bluez]

parts:
  bluepy:
    plugin: python3
    source: https://github.com/IanHarvey/bluepy
    source-type: git
    build-packages: [libglib2.0-dev]

Here is the error on syslog with the AppArmor denial:

Aug 15 23:42:08 haswell16 kernel: [18475.807003] audit: type=1400 audit(1471329728.353:184): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.sensortag.sensortag" pid=24711 comm="apparmor_parser"
Aug 15 23:42:08 haswell16 /usr/lib/snapd/snapd[2966]: taskrunner.go:261: DEBUG: Running task 182 on Do: Make snap "sensortag" (9) available to the system
Aug 15 23:42:08 haswell16 /usr/lib/snapd/snapd[2966]: daemon.go:180: DEBUG: uid=0;@ GET /v2/snaps 4.388578ms 200
Aug 15 23:44:25 haswell16 kernel: [18612.885097] audit: type=1400 audit(1471329865.428:185): apparmor="DENIED" operation="create" profile="snap.sensortag.sensortag" pid=24904 comm="bluepy-helper" family="bluetooth" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"

Revision history for this message
Pedro Coca (pcoca) wrote :

I have tried some interfaces (bluetooth-control, network-control, network-bind) and the snap is getting the same error.

Jamie Strandboge (jdstrand) wrote :

@Pedro: the bluez plugs side does not have "network bluetooth," and you can work around this by adding that to /var/lib/apparmor/profiles/snap.sensortag.sensortag and doing: sudo apparmor_parser -r /var/lib/apparmor/profiles/snap.sensortag.sensortag

I'll talk to Simon to see if he wants that in bluetooth-control or bluez and then we'll get it fixed up.

Changed in snappy:
status: New → Confirmed
Pedro Coca (pcoca) wrote :

Is the workaround different for the 16.04 subsystem?

I cannot find /var/lib/apparmor/profiles/snap.sensortag.sensortag

Here is the content of /var/lib/apparmor/profiles:

pcoca@haswell16:/var/lib/apparmor/profiles⟫ ls -lart
total 24
-rw-r--r-- 1 root root 1182 Apr 14 08:56 .apparmor.md5sums
drwxr-xr-x 4 root root 4096 May 16 07:07 ..
-rw-r--r-- 1 root root 6363 May 16 07:08 .apparmor-easyprof-ubuntu.md5sums
-rw-r--r-- 1 root root 656 May 27 09:48 .click-apparmor.md5sums
drwxr-xr-x 2 root root 4096 Aug 16 07:15 .

Jamie Strandboge (jdstrand) wrote :

Whoops, I left out 'snapd', sorry. Here is the path: /var/lib/snapd/apparmor/profiles/snap.sensortag.sensortag

Pedro Coca (pcoca) wrote :

After updating /var/lib/snapd/apparmor/profiles/snap.sensortag.sensortag with the workaround and doing the parsing:

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.sensortag.sensortag

I got these messages in syslog:

Aug 16 07:26:56 haswell16 kernel: [29636.850367] audit: type=1400 audit(1471357616.286:247): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.sensortag.sensortag" pid=20737 comm="apparmor_parser"
Aug 16 07:27:33 haswell16 kernel: [29674.098170] audit: type=1400 audit(1471357653.534:248): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.sensortag.sensortag" pid=21262 comm="apparmor_parser"
Aug 16 07:28:12 haswell16 kernel: [29713.462850] audit: type=1326 audit(1471357692.898:249): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=21740 comm="bluepy-helper" exe="/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/bluepy-helper" sig=31 arch=c000003e syscall=49 compat=0 ip=0x7fea8016a837 code=0x0
Aug 16 07:28:29 haswell16 kernel: [29730.298677] audit: type=1326 audit(1471357709.734:250): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=21946 comm="bluepy-helper" exe="/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/bluepy-helper" sig=31 arch=c000003e syscall=49 compat=0 ip=0x7fb93f535837 code=0x0
Aug 16 07:28:37 haswell16 kernel: [29738.114892] audit: type=1326 audit(1471357717.550:251): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=22040 comm="bluepy-helper" exe="/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/bluepy-helper" sig=31 arch=c000003e syscall=49 compat=0 ip=0x7f3d9c846837 code=0x0
Aug 16 07:28:45 haswell16 kernel: [29745.861203] audit: type=1326 audit(1471357725.294:252): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=22142 comm="bluepy-helper" exe="/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/bluepy-helper" sig=31 arch=c000003e syscall=49 compat=0 ip=0x7fa23ca7a837 code=0x0

And this error on the snap:

pcoca@haswell16:~/sensortag$ sensortag --all -n1 C4:BE:84:70:A6:0C
Connecting to C4:BE:84:70:A6:0C
Traceback (most recent call last):
  File "/snap/sensortag/9/usr/bin/sensortag", line 9, in <module>
    load_entry_point('bluepy==1.0.5', 'console_scripts', 'sensortag')()
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/sensortag.py", line 417, in main
    tag = SensorTag(arg.host)
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/sensortag.py", line 331, in __init__
    Peripheral.__init__(self,addr)
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/btle.py", line 318, in __init__
    self.connect(deviceAddr, addrType, iface)
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/btle.py", line 363, in connect
    rsp = self._getResp('stat')
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/btle.py", line 334, in _getResp
    resp = self._waitResp(wantType + ['ntfy', 'ind'], timeout)
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/btle.py", line 281, in _waitResp
    resp = BluepyHelper.parseResp(rv)
  File "/snap/sensortag/9/usr/lib/python3/dist-packages/bluepy/btle.py", line 246, in parseResp
    (tag, tval) = item.split('=')
Va...


Changed in snappy:
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

Discussed 'network bluetooth' with Simon (the author of the bluez and bluetooth-control interfaces) and he said that the bluez interface is only about talking to bluez over dbus and all low-level bits like 'network bluetooth' should be in bluetooth-control.

@Pedro, you can 'plugs: [network-bind]' for that denial, but does your snap actually listen on a network port? If not, ping me on irc and we can iterate through what else is needed for bluetooth-control.

summary: - apparmor denial with sock_type="seqpacket" using a BTLE device
+ sandbox denials for snaps on BTLE device
Pedro Coca (pcoca) wrote :

After:
- modifying the apparmor profile
AND
- adding the network-bind interface to the plugs list of the snap
the application is now working confined.

Thanks Jamie.

Jamie Strandboge (jdstrand) wrote :

@Pedro - thanks for the feedback!

I suspect sensortag does not actually need to bind to a network port and I'd like to work through the other accesses that bluetooth-control needs. Please ping me on irc when you have a moment. Thanks!

Jamie Strandboge (jdstrand) wrote :

@Pedro - ping

Pedro Coca (pcoca) wrote :

Using just the following interface:
    plugs: [bluetooth-control]

The sensortag in strict mode does not work:

Sep 21 15:21:56 NUC kernel: [25426.260711] audit: type=1400 audit(1474467716.721:142): apparmor="DENIED" operation="create" profile="snap.sensortagbtle.sensortag" pid=21988 comm="bluepy-helper" family="bluetooth" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"

Then after:
- Adding to /var/lib/snapd/apparmor/profiles/snap.sensortagbtle.sensortag: 'network bluetooth,'
- Parsing the file: sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.sensortagbtle.sensortag

The sensortag is not working:

Sep 21 15:32:12 NUC kernel: [26041.760714] audit: type=1326 audit(1474468332.288:148): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=29734 comm="bluepy-helper" exe="/snap/sensortagbtle/x1/lib/python3.5/site-packages/bluepy/bluepy-helper" sig=31 arch=c000003e syscall=49 compat=0 ip=0x7f8d01408837 code=0x0
Sep 21 15:32:17 NUC kernel: [26046.502191] audit: type=1326 audit(1474468337.032:149): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=29799 comm="bluepy-helper" exe="/snap/sensortagbtle/x1/lib/python3.5/site-packages/bluepy/bluepy-helper" sig=31 arch=c000003e syscall=49 compat=0 ip=0x7f88ad155837 code=0x0

After adding the following lines to /var/lib/snapd/seccomp/profiles/snap.sensortagbtle.sensortag

- bind
- getsockopt

The sensortag works, but shows the following DENIED messages on the syslog:

Sep 21 15:43:49 NUC kernel: [26738.533501] audit: type=1400 audit(1474469029.141:156): apparmor="DENIED" operation="create" profile="snap.sensortagbtle.sensortag" pid=6934 comm="bluepy-helper" family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"
Sep 21 15:43:59 NUC kernel: [26749.031700] audit: type=1400 audit(1474469039.641:157): apparmor="DENIED" operation="create" profile="snap.sensortagbtle.sensortag" pid=7086 comm="bluepy-helper" family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"
Sep 21 15:44:13 NUC kernel: [26762.538264] audit: type=1400 audit(1474469053.149:158): apparmor="DENIED" operation="create" profile="snap.sensortagbtle.sensortag" pid=7265 comm="bluepy-helper" family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"
Sep 21 15:44:52 NUC kernel: [26802.086833] audit: type=1400 audit(1474469092.706:159): apparmor="DENIED" operation="create" profile="snap.sensortagbtle.sensortag" pid=7781 comm="bluepy-helper" family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"

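The denials in the bug description and in the comment above come in two shapes: AppArmor `type=1400` lines that name the socket family, and seccomp `type=1326` lines that carry only a syscall number and `sig=31` (SIGSYS). The following Python script is an added example, not code from this thread, snapd or bluepy; it parses both shapes and groups them by the policy object that would have to change. It assumes x86_64 (`arch=c000003e`) and carries only a partial syscall table covering the socket calls mentioned here; the first three sample lines are copied from the syslog excerpts above and the STATUS line is constructed.

```python
"""Triage snap sandbox denials from kernel audit lines (added example)."""
import re
from collections import defaultdict

# Sample input: the first three lines are copied from the syslog excerpts in
# this bug; the STATUS line is constructed to show that non-denials are skipped.
SAMPLE_LOG = """\
Sep 21 15:21:56 NUC kernel: [25426.260711] audit: type=1400 audit(1474467716.721:142): apparmor="DENIED" operation="create" profile="snap.sensortagbtle.sensortag" pid=21988 comm="bluepy-helper" family="bluetooth" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"
Sep 21 15:32:12 NUC kernel: [26041.760714] audit: type=1326 audit(1474468332.288:148): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=29734 comm="bluepy-helper" exe="/snap/sensortagbtle/x1/lib/python3.5/site-packages/bluepy/bluepy-helper" sig=31 arch=c000003e syscall=49 compat=0 ip=0x7f8d01408837 code=0x0
Sep 21 15:43:49 NUC kernel: [26738.533501] audit: type=1400 audit(1474469029.141:156): apparmor="DENIED" operation="create" profile="snap.sensortagbtle.sensortag" pid=6934 comm="bluepy-helper" family="alg" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"
Sep 21 15:43:50 NUC kernel: [26738.600001] audit: type=1400 audit(1474469030.000:157): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.sensortagbtle.sensortag" pid=7000 comm="apparmor_parser"
"""

# key=value pairs as the kernel audit subsystem prints them; values may be quoted.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Partial x86_64 syscall table (arch=c000003e): just the socket calls relevant
# here. seccomp audit lines only carry the number, so a mapping is needed.
X86_64_SYSCALLS = {41: "socket", 42: "connect", 49: "bind", 54: "setsockopt", 55: "getsockopt"}
X86_64_ARCH = "c000003e"
SIGSYS = 31  # seccomp kills a filtered syscall with SIGSYS (sig=31 in the log)


def parse_audit_line(line):
    """Return the key=value fields of a kernel audit line as a dict, else None."""
    if "audit: type=" not in line:
        return None
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def triage(lines):
    """Group denials by the policy object that would have to change.

    Returns {"apparmor": {profile: {rule, ...}}, "seccomp": {exe: {syscall, ...}}}.
    AppArmor socket denials are expressed in the 'network <family>,' rule shape
    used as the workaround in this thread; seccomp kills are mapped to names.
    """
    apparmor = defaultdict(set)
    seccomp = defaultdict(set)
    for line in lines:
        ev = parse_audit_line(line)
        if not ev:
            continue
        if ev["type"] == "1400" and ev.get("apparmor") == "DENIED":
            if "family" in ev:
                apparmor[ev["profile"]].add(f"network {ev['family']},")
            else:  # file or other denial: keep operation and path for a human to judge
                apparmor[ev["profile"]].add(f"{ev.get('operation')} {ev.get('name', '?')}")
        elif ev["type"] == "1326" and ev.get("sig") == str(SIGSYS):
            nr = int(ev["syscall"])
            name = X86_64_SYSCALLS.get(nr) if ev.get("arch") == X86_64_ARCH else None
            seccomp[ev["exe"]].add(name or f"syscall_{nr}")
    return {"apparmor": dict(apparmor), "seccomp": dict(seccomp)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for profile, rules in result["apparmor"].items():
        print(f"{profile}: AppArmor denied {sorted(rules)}")
    for exe, calls in result["seccomp"].items():
        print(f"{exe}: seccomp killed {sorted(calls)}")
```

Run it against `journalctl -k` output (or the syslog lines from this thread) to get a list of what the snap tried and was refused. A listed denial is evidence of what the program attempted, not a verdict that the access belongs in the interface: in this thread the `family="alg"` denials disappeared once bluetooth-control was actually connected, and network-bind only masked the missing `network bluetooth,` rule rather than reflecting a real need to listen on a port.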
Jamie Strandboge (jdstrand) wrote :

@Pedro - thanks!

I think these ones are because the bluetooth-control interface is not connected. Please run:

$ sudo snap connect sensortagbtle:bluetooth-control ubuntu-core:bluetooth-control

This will regenerate the security policy, so you'll have to re-add 'getsockopt' to /var/lib/snapd/seccomp/snap.sensortagbtle.sensortag

After you do this, does it operate without denials?

Pedro Coca (pcoca) wrote :

Thank you Jamie!

After:

- Connecting the interface
- Modifying the snap.sensortagbtle.sensortag

it works without complaining :)

Is there any way to specify the "getsockopt" seccomp item in the snapcraft.yaml of the sensortag for Ubuntu Core 16, in the fashion of the 15.04 overrides?

Jamie Strandboge (jdstrand) wrote :

@Pedro: "Is there any way to specify the "getsockopt" seccomp item in the snapcraft.yaml of the sensortag for Ubuntu Core 16, in the fashion of the 15.04 overrides?"

No, but that was why we went through this exercise. I wanted to see how to update the bluetooth-control interface so you didn't have to (though remember, to work around this you can specify 'network-bind' or use devmode until the fix lands on your device).

Thanks for your help! :)

Changed in snappy:
importance: Undecided → Medium
Changed in snappy:
status: Triaged → In Progress
Andy Whitcroft (apw) wrote : Please test proposed package

Hello Pedro, or anyone else affected,

Accepted snapd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.16 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Pedro Coca (pcoca) wrote :

Hi Andy,

Sorry for the late response, but I am on a sprint that we just finished today.

The sensortag snap works using the interfaces network-bind and bluetooth-control; with just bluetooth-control it is not working, giving this error:

sudo sensortag-test.sensortag --all -n 1 A0:E6:F8:B6:E7:86
  File "/snap/sensortag-test/x1/lib/python3.5/site-packages/bluepy/sensortag.py", line 417, in main
    tag = SensorTag(arg.host)
  File "/snap/sensortag-test/x1/lib/python3.5/site-packages/bluepy/sensortag.py", line 331, in __init__
    Peripheral.__init__(self,addr)
  File "/snap/sensortag-test/x1/lib/python3.5/site-packages/bluepy/btle.py", line 318, in __init__
    self.connect(deviceAddr, addrType, iface)
  File "/snap/sensortag-test/x1/lib/python3.5/site-packages/bluepy/btle.py", line 367, in connect
    "Failed to connect to peripheral %s, addr type: %s" % (addr, addrType))
bluepy.btle.BTLEException: Failed to connect to peripheral A0:E6:F8:B6:E7:86, addr type: public

Syslog shows this apparmor denial:

Sep 30 16:38:20 haswell16 kernel: [17429.165492] audit: type=1400 audit(1475249900.122:702): apparmor="DENIED" operation="create" profile="snap.sensortag-test.sensortag" pid=15528 comm="bluepy-helper" family="bluetooth" sock_type="seqpacket" protocol=0 requested_mask="create" denied_mask="create"

I have snapd (2.16) running:

1 pcoca@haswell16:~/sensortag⟫ snap --version
snap 2.16
snapd 2.16
series 16
ubuntu 16.04

You can test this with the following snapcraft recipe and a sensortag:

https://github.com/pedrococa/sensortag/blob/master/snapcraft.yaml

Hope it helps.

Cheers.

Jamie Strandboge (jdstrand) wrote :

This appears to be fixed in 2.16. I was able to:

$ sudo snap connect sensortag:bluetooth-control ubuntu-core:bluetooth-control
$ sudo snap disconnect sensortag:network-bind ubuntu-core:network-bind
$ sensortag --all -n 1 <mac I saw with bluetoothctl>

and saw no denials. If I remove the 'network bluetooth,' rule, I see it. Marking as Fix Released.

tags: removed: verification-needed
Changed in snappy:
status: In Progress → Fix Released