lyoncore / fwupd-snapcraft Goto Github PK

I think this is the best place to post this, after seeing this comment on the fwupd repository.

I am not sure if my approach here is correct (not sure if there is another way to use to the uefi-fw-tools from my snap).

Description

I have a snap that needs permission to the fwupd service to update the firmware on a device running Ubuntu Core 16. My snap is connected to the uefi-fw-tools:fwupd slot and ships the uefi-fw-tools snap in order to use the fwupdmgr command. When running of the following commands:

fwupdmgr get-devices
''       get-updates
''       verify

AppArmor is complaining I do not have the required permissions:

$ uefi-fw-tools.fwupdmgr get-updates
mkdir: cannot create directory '/var/snap/uefi-fw-tools/50/run/user/1000': Permission denied
Rejected send message, 7 matched rules; type="method_call", sender=":1.2206" (uid=1000 pid=952928 comm="/snap/uefi-fw-tools/50/bin/fwupdmgr get-updates " label="snap.uefi-fw-tools.fwupdmgr (enforce)") interface="org.freedesktop.fwupd" member="GetUpdates" error name="(unset)" requested_reply="0" destination=":1.64" (uid=0 pid=1550 comm="/snap/uefi-fw-tools/50/libexec/fwupd/fwupd " label="snap.uefi-fw-tools.fwupd (enforce)")

Steps to reproduce

1. Create a snap (say updater-snap) that uses the fwupd service through the fwupd plug with strict confinement.
2. Manually connect the fwupd plug to the uefi-fw-tools:fwupd slot
3. Run the snap with

snap run --shell updater-snap.cli

4. Try any of the above commands e.g. fwupdmgr get-devices
5. AppArmor prevents the command from running

Expected behaviour

Commands run successfully

Info

Additional info:

• Running the updater-snap as root and following the above steps does allow for the command to run. However, as this is a snap that is running on a remote device this is not an option.

I hope I included all the info :)