Testing a snap for lnav (log file navigator), publishing
Simos Xenitellis
simos.lists at googlemail.com
Thu Feb 2 17:00:35 UTC 2017
On Thu, Feb 2, 2017 at 3:25 PM, Oliver Grawert <ogra at ubuntu.com> wrote:
> hi,
> On Thursday, 02.02.2017, 15:11 +0200, Simos Xenitellis wrote:
>> Hi All,
>>
>> I created a snap for lnav and I attach the snapcraft.yaml file.
>>
>> I plan to use the "classic" confinement in the final version.
>> Would that be advisable or should I change to permit only to open log
>> files from /var/log/?
>>
>> According to the documentation, I am asking here for comments (so as
>> to appear later in the stable channel).
>>
> there is a log-observe interface that should give you access, so you
> should be able to use strict confinement and this interface.
>
Thanks both for the replies.
Here is my attempt to confine "lnav" into the "strict" confinement
(attached file).
I added the interface "log-observe". Once the snap has been installed,
the following command has to be run once:
sudo snap connect lnav:log-observe core:log-observe
Then, "lnav" works just fine.
In addition, I added the interface "network". This is due to lnav
opening a UNIX domain socket and using the "sendto()" system call.
The logs were:
= Seccomp =
Time: Feb 2 15:31:51
Log: auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=15616
comm="lnav" exe="/snap/lnav/x1/bin/lnav" sig=31 arch=c000003e
44(sendto) compat=0 ip=0x7f6d8a5d699d code=0x0
Syscall: sendto
Suggestion:
* add one of 'avahi-observe, cups-control, firewall-control,
gsettings, libvirt, modem-manager, mpris, network, network-bind,
network-control, network-manager, ofono, openvswitch, pulseaudio,
screen-inhibit-control, shutdown, system-observe, time-control,
timeserver-control, timezone-control, unity7, upower-observe' to
'plugs'
On Thu, Feb 2, 2017 at 3:14 PM, Mark Shuttleworth <mark at ubuntu.com> wrote:
>
> In general, strict confinement is better. In this case, if you are confident
> that the logs which matter will be in /var/log, then yes it would be better
> to have strict confinement with an interface that allows reading from that
> location.
>
I had a better look into "lnav". As a tool, it has all sorts of
features. For example,
Options:
-I path An additional configuration directory.
-i Install the given format files and exit. Pass 'extra'
to install the default set of third-party formats.
-u Update formats installed from git repositories.
Both "-i extra" and "-u" spawn "git", which means there is a
dependency on git.
Here is how it looks:
$ lnav -u
Updating formats in /home/user/snap/lnav/x2/.lnav/formats/*
sh: 1: git: not found
In terms of security, lnav is a tool for system administrators. Therefore,
it would be good if lnav could work confined. A specially crafted logfile
might be able to execute code.
All in all, I am all for making a confined "lnav" snap with reduced
functionality (no git, no "home" interface to store settings).
My big question is, is it possible to get
sudo snap connect lnav:log-observe core:log-observe
to autoexecute upon the installation of the snap?
Simos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snapcraft.yaml
Type: application/x-yaml
Size: 961 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/snapcraft/attachments/20170202/bf59f795/attachment.bin>
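As an added illustration (this is not the snapcraft.yaml attached to the message above, which is not reproduced on this page), here is a strictly confined snapcraft.yaml of the kind the thread describes: "confinement: strict" instead of "classic", the "log-observe" plug for /var/log, the "network" plug to satisfy the sendto() seccomp denial quoted above, and no "home" plug. The upstream source URL, version string, build-packages and stage-packages are assumptions and would need to be checked against the lnav build on the target Ubuntu release.

```yaml
# Added example, not the snapcraft.yaml attached to the original message.
# Source URL, version, build-packages and stage-packages are assumptions.
name: lnav
version: '0.8.1'             # assumed upstream version
summary: Log file navigator
description: |
  Curses-based viewer for log files. Built with strict confinement, so
  it can only read what its connected interfaces allow.
grade: stable
confinement: strict          # not 'classic'

apps:
  lnav:
    command: bin/lnav
    plugs:
      - log-observe          # read access to /var/log; not auto-connected,
                             # so run: sudo snap connect lnav:log-observe core:log-observe
      - network              # lnav opens a UNIX domain socket and calls sendto()
    # 'home' is deliberately left out: settings under ~/.lnav are not needed
    # for the reduced-functionality build, and 'git' is not shipped, so
    # '-i extra' and '-u' will not work inside the snap.

parts:
  lnav:
    plugin: autotools
    source: https://github.com/tstack/lnav.git   # assumed location; pin a tag in practice
    build-packages:          # assumed set of development headers
      - libncursesw5-dev
      - libpcre3-dev
      - libsqlite3-dev
      - libreadline-dev
      - zlib1g-dev
      - libbz2-dev
      - libcurl4-openssl-dev
    stage-packages:          # assumed runtime libraries (names vary per Ubuntu release)
      - libncursesw5
      - libpcre3
      - libsqlite3-0
      - libreadline6
      - zlib1g
      - libbz2-1.0
      - libcurl3
```

With this layout the "network" plug connects automatically on install, while "log-observe" still needs the manual "snap connect" step quoted in the message until the store grants an auto-connection for the snap; "snap interfaces lnav" shows which of the two plugs are currently connected.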