[network-manager] Apparmor DENIALs

Bug #1602383 reported by Tony Espy
Affects: snappy-hwe-snaps
Status: Fix Released
Importance: Medium
Assigned to: Simon Fels

Bug Description

While testing the latest NM (1.2.2-11, r115) snap on a Dell IoT gateway (see below for image details), a review of NM's log messages in syslog shows AppArmor denials being generated by the config hook:

Mar 17 23:47:12 localhost kernel: [ 84.821804] audit: type=1400 audit(1489794432.859:36): apparmor="DENIED" operation="create" profile="snap.network-manager.hook.configure" pid=2602 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Mar 17 23:47:12 localhost kernel: [ 84.823748] audit: type=1400 audit(1489794432.863:37): apparmor="DENIED" operation="create" profile="snap.network-manager.hook.configure" pid=2602 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Mar 17 23:47:12 localhost kernel: [ 84.823986] audit: type=1400 audit(1489794432.863:38): apparmor="DENIED" operation="create" profile="snap.network-manager.hook.configure" pid=2602 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Mar 17 23:47:12 localhost kernel: [ 84.844777] audit: type=1400 audit(1489794432.883:39): apparmor="DENIED" operation="open" profile="snap.network-manager.hook.configure" name="/run/snapd.socket" pid=2602 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

Another set looks to involve nmcli:

Mar 17 23:49:09 localhost kernel: [ 201.327213] audit: type=1400 audit(1489794549.968:321): apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=4905 comm="NetworkManager" requested_mask="trace" denied_mask="trace" peer="snap.network-manager.nmcli"

[log message above repeated 9 more times]

Then a further three denials are seen after:

Mar 17 22:56:30 HGPLB02 kernel: [ 37.345676] audit: type=1400 audit(1489791390.527:89): apparmor="DENIED" operation="capable" profile="snap.network-manager.networkmanager" pid=1501 comm="NetworkManager" capability=1 capname="dac_override"
Mar 17 22:56:35 HGPLB02 kernel: [ 42.417241] audit: type=1400 audit(1489791395.595:116): apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=1501 comm="NetworkManager" requested_mask="trace" denied_mask="trace" peer="snap.wifi-ap.management-service"
Mar 17 22:56:35 HGPLB02 kernel: [ 42.536214] audit: type=1400 audit(1489791395.711:119): apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=1501 comm="NetworkManager" requested_mask="trace" denied_mask="trace" peer="snap.wifi-ap.management-service"

Here's my snap configuration:

admin@HGPLB02:~$ snap list
Name              Version                        Rev   Developer  Notes
alsa-utils        1.1.2-5                        68    canonical  -
bluez             5.37-2                         15    canonical  -
caracalla         16.04-1.17                     22    canonical  -
caracalla-kernel  4.4.0                          27    canonical  -
core              16-2                           1441  canonical  -
locationd         3.0.0+16.10.20160616-0ubuntu1  67    canonical  -
modem-manager     1.6.2-3                        39    canonical  -
network-manager   1.2.2-11                       115   canonical  -
snapweb           0.21.2                         24    canonical  -
tpm2              1.0-4                          18    canonical  -
udisks2           2.1.7-7                        60    canonical  -
uefi-fw-tools     1.2.1-0.7.2+git                3     canonical  -
wifi-ap           13                             93    canonical  -
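
A triage helper for denial lines like those in the report above, added here as an example and not part of the original bug report or of snapd: it parses the key=value fields of each AppArmor audit line and counts denials per profile, operation and denied object, so repeated entries collapse into one row. The sample lines and the snap.demo.* profile names are constructed.

```python
import re
from collections import Counter

# key=value pairs as printed by the kernel audit subsystem; values may be quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Field that best identifies the denied object, checked in this order.
DETAIL_KEYS = ("peer", "name", "capname", "family")

# Constructed sample input in the same format as the syslog lines in the report.
SAMPLE = """\
Jan 01 00:00:01 host kernel: [ 10.000001] audit: type=1400 audit(1500000000.001:10): apparmor="DENIED" operation="ptrace" profile="snap.demo.daemon" pid=100 comm="daemon" requested_mask="trace" denied_mask="trace" peer="snap.demo.cli"
Jan 01 00:00:02 host kernel: [ 11.000001] audit: type=1400 audit(1500000001.001:11): apparmor="DENIED" operation="ptrace" profile="snap.demo.daemon" pid=100 comm="daemon" requested_mask="trace" denied_mask="trace" peer="snap.demo.cli"
Jan 01 00:00:03 host kernel: [ 12.000001] audit: type=1400 audit(1500000002.001:12): apparmor="DENIED" operation="capable" profile="snap.demo.daemon" pid=100 comm="daemon" capability=1 capname="dac_override"
Jan 01 00:00:04 host kernel: [ 13.000001] audit: type=1400 audit(1500000003.001:13): apparmor="DENIED" operation="open" profile="snap.demo.hook.configure" name="/run/snapd.socket" pid=200 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jan 01 00:00:05 host kernel: [ 14.000001] audit: type=1400 audit(1500000004.001:14): apparmor="DENIED" operation="create" profile="snap.demo.hook.configure" pid=200 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Jan 01 00:00:06 host kernel: [ 15.000001] audit: type=1400 audit(1500000005.001:15): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.demo.daemon" pid=50 comm="apparmor_parser"
"""


def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit line as a dict, else None."""
    fields = {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def summarize(lines):
    """Count denials per (profile, operation, denied object)."""
    counts = Counter()
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue  # not an AppArmor denial (e.g. STATUS or unrelated syslog)
        detail = next((f"{k}={fields[k]}" for k in DETAIL_KEYS if k in fields), "-")
        key = (fields.get("profile", "?"), fields.get("operation", "?"), detail)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, operation, detail), n in summarize(SAMPLE.splitlines()).most_common():
        print(f"{n:4d}  {profile}  {operation}  {detail}")
```
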

Tony Espy (awe)
summary: - [Snap] NetworkManager miscellaneous Apparmor errors
+ NetworkManager miscellaneous Apparmor errors
Tony Espy (awe)
summary: - NetworkManager miscellaneous Apparmor errors
+ [network-manager] miscellaneous Apparmor DENIALs
Tony Espy (awe)
description: updated
Tony Espy (awe)
summary: - [network-manager] miscellaneous Apparmor DENIALs
+ [network-manager] Apparmor DENIALs
description: updated
Simon Fels (morphis) wrote :

ptrace ones can be ignored. Others are because of https://bugs.launchpad.net/snappy/+bug/1644573 and https://bugs.launchpad.net/snappy/+bug/1648427 for the relevant upstream bugs.

However for a clean log we should see what causes the ptrace denial and get it fixed to have the logs free of this.

Changed in snappy-hwe-snaps:
importance: Undecided → Medium
status: New → Triaged
Simon Fels (morphis) wrote :

Fix merged into snapd with https://github.com/snapcore/snapd/pull/3427

Upstream release 2.27 should have it, which is supposed to be released on 7/27

Changed in snappy-hwe-snaps:
status: Triaged → Fix Committed
assignee: nobody → Simon Fels (morphis)
Tony Espy (awe) wrote :

Updating to FixReleased, as 2.27 was released last Summer.

Changed in snappy-hwe-snaps:
status: Fix Committed → Fix Released
Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote :

See https://bugs.launchpad.net/snappy-hwe-snaps/+bug/1797194/comments/3 for the explanation of what exactly was triggering the ptrace denials. See also the pointer to the final solution for the problem.
