On Thu, Feb 2, 2017 at 3:25 PM, Oliver Grawert <[email protected]> wrote:
> hi,
> On Thursday, 02.02.2017, 15:11 +0200, Simos Xenitellis wrote:
>> Hi All,
>>
>> I created a snap for lnav and I attach the snapcraft.yaml file.
>>
>> I plan to use the "classic" confinement in the final version.
>> Would that be advisable, or should I change it to permit opening only
>> log files from /var/log/?
>>
>> According to the documentation, I am asking here for comments (so as
>> to appear later in the stable channel).
>>
> there is a log-observe interface that should give you access, so you
> should be able to use strict confinement and this interface.
>

Thanks both for the replies.

Here is my attempt to confine "lnav" into the "strict" confinement (attached file).

I added the interface "log-observe". Once the snap has been installed, it is required to run the following command once:

    sudo snap connect lnav:log-observe core:log-observe

Then, "lnav" works just fine.

In addition, I added the interface "network". This is due to lnav opening a UNIX domain socket and using the "sendto()" system call. The logs were:

    = Seccomp =
    Time: Feb  2 15:31:51
    Log: auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=15616 comm="lnav" exe="/snap/lnav/x1/bin/lnav" sig=31 arch=c000003e 44(sendto) compat=0 ip=0x7f6d8a5d699d code=0x0
    Syscall: sendto
    Suggestion:
    * add one of 'avahi-observe, cups-control, firewall-control, gsettings, libvirt, modem-manager, mpris, network, network-bind, network-control, network-manager, ofono, openvswitch, pulseaudio, screen-inhibit-control, shutdown, system-observe, time-control, timeserver-control, timezone-control, unity7, upower-observe' to 'plugs'

On Thu, Feb 2, 2017 at 3:14 PM, Mark Shuttleworth <[email protected]> wrote:
>
> In general, strict confinement is better. In this case, if you are confident
> that the logs which matter will be in /var/log, then yes it would be better
> to have strict confinement with an interface that allows reading from that
> location.
>

I had a better look into "lnav". As a tool, it has all sorts of features. For example,

    Options:
      -I path    An additional configuration directory.
      -i         Install the given format files and exit.  Pass 'extra'
                 to install the default set of third-party formats.
      -u         Update formats installed from git repositories.

Both "-i extra" and "-u" spawn "git", which means there is a dependency on git. Here is how it looks:

    $ lnav -u
    Updating formats in /home/user/snap/lnav/x2/.lnav/formats/*
    sh: 1: git: not found

In terms of security, lnav is a tool for system administrators. Therefore, it would be good if lnav could work confined. A specially crafted logfile might be able to execute code.

All in all, I am all for making a confined "lnav" snap with reduced functionality (no git, no "home" interface to store settings).

My big question is, is it possible to get

    sudo snap connect lnav:log-observe core:log-observe

to autoexecute upon the installation of the snap?

Simos
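A strict-confinement snapcraft.yaml that realises the setup described in the message above, written here as an added illustration rather than the attached file itself. The `parts` section (plugin, source, build-packages) is an assumption about how lnav is built, and the version is a placeholder; the two plugs and the manual connect step are the ones the message describes.

```yaml
# Added illustration of the strict confinement discussed in this thread;
# this is not the snapcraft.yaml attached to the original message.
# The `parts` section is an assumption about how lnav is built, and the
# version is a placeholder.
name: lnav
version: 'PLACEHOLDER'
summary: Log file navigator
description: |
  Curses-based viewer for log files, confined strictly. It can read
  system logs through the log-observe interface but has no access to
  the user's home directory, so "-i extra" and "-u" (which spawn git)
  are not expected to work in this build.
confinement: strict
grade: stable

apps:
  lnav:
    # Matches exe="/snap/lnav/x1/bin/lnav" in the seccomp denial above.
    command: bin/lnav
    plugs:
      # Read access to /var/log. This interface is not connected
      # automatically; after installing, the user runs once:
      #   sudo snap connect lnav:log-observe core:log-observe
      - log-observe
      # lnav calls sendto() on a UNIX domain socket; without this plug
      # seccomp kills it with signal 31 (SIGSYS), as in the log above.
      - network

parts:
  lnav:
    plugin: autotools        # assumption: lnav builds with autotools
    source: .                # assumption: snapcraft is run from an lnav checkout
    build-packages:          # assumption: typical lnav build dependencies
      - libncurses5-dev
      - libpcre3-dev
      - libsqlite3-dev
      - libreadline-dev
      - zlib1g-dev
```

Whether log-observe can be connected automatically at install time is decided by the store's snap declaration for the published snap, not by anything in snapcraft.yaml; without such a declaration the manual connect step remains necessary.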
--
Snapcraft mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
