The /bin/sync command is not allowed by default

Bug #1749374 reported by Soren Friis
This bug affects 1 person
Affects: snapd
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (empty)

Bug Description

I have a C++ program where I do a call to "system("sync");". This results in a bunch of messages from apparmor (see below).

After a short discussion with a Canonical developer, I was requested to open this bug report so that the command sync syscall would be allowed in a similar way as /usr/bin/env and /bin/env in the interfaces/apparmor/template.go are already allowed.

See also: https://forum.snapcraft.io/t/bin-sync-not-allowed/3988

As a workaround, I will try to do a call to the fdatasync() syscall instead but it would be nice to get the command allowed also.

Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/etc/ld.so.cache" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="file_mprotect" profile="snap.xyz-daemon//null-/bin/sync" name="/bin/sync" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="file_mprotect" profile="snap.xyz-daemon//null-/bin/sync" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_IDENTIFICATION" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_MEASUREMENT" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_TELEPHONE" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_ADDRESS" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_NAME" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_PAPER" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_MESSAGES/" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_MESSAGES/SYS_LC_MESSAGES" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_MONETARY" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_COLLATE" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_TIME" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_NUMERIC" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_CTYPE" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
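
Added example (not part of the original report and not snapd code): the profile field in these records has the form `parent//null-/path`, which AppArmor uses for the child profile it creates in complain mode when a confined process executes a binary that has no exec rule. The parser below groups such records by parent profile and executed binary; the function names and the last sample record are constructed for illustration.

```python
import re
from collections import defaultdict

# The first three records are copied from the report above; the last one is
# constructed here to show a record that is not a null-profile event.
SAMPLE_LOG = """\
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/etc/ld.so.cache" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="file_mprotect" profile="snap.xyz-daemon//null-/bin/sync" name="/bin/sync" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:58 localhost.localdomain audit[24764]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon//null-/bin/sync" name="/usr/lib/locale/C.UTF-8/LC_CTYPE" pid=24764 comm="sync" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 05 23:49:59 localhost.localdomain audit[24770]: AVC apparmor="ALLOWED" operation="open" profile="snap.xyz-daemon" name="/etc/hostname" pid=24770 comm="xyz-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
NULL_MARK = "//null-"


def parse_avc(line):
    """Return the key=value fields of one AppArmor AVC record, or None."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def split_null_profile(profile):
    """Split 'parent//null-/path' into (parent, exec_path); None otherwise."""
    parent, mark, target = profile.partition(NULL_MARK)
    return (parent, target) if mark else None


def summarize(log_text):
    """Group null-profile records by (parent profile, executed binary)."""
    out = defaultdict(lambda: {"events": 0, "modes": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        hit = split_null_profile(rec.get("profile", "")) if rec else None
        if not hit:
            continue  # not an AVC record, or an ordinary (non-null) profile
        out[hit]["events"] += 1
        out[hit]["modes"].add(rec.get("apparmor"))
        out[hit]["paths"].add(rec.get("name"))
    return dict(out)


if __name__ == "__main__":
    for (parent, target), e in summarize(SAMPLE_LOG).items():
        print(f"{parent}: exec of {target} without a rule, "
              f"{e['events']} events, modes={sorted(e['modes'])}")
```
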

Zygmunt Krynicki (zyga) wrote :

The /bin/sync or /usr/bin/sync command is allowed now. As such I'm marking this as fix released.

affects: snappy → snapd
Changed in snapd:
status: New → Fix Released