auto-import from udev does not work on jammy

Bug #1964596 reported by Valentin David
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Fix Committed | High | Valentin David | |

Bug Description

`66-snapd-autoimport.rules` in udev rules calls `/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/%k`.

This should try to mount `/dev/%k` to read file `auto-import.assert`.

However according to udev(7) for `RUN`:

> Note that running programs that access the network or mount/unmount filesystems is not allowed inside of udev rules, due to the default sandbox that is enforced on systemd-udevd.service.

Here are the error logs from UC22 when running `systemd-udevd` with `SYSTEMD_LOG_LEVEL=debug`:

```
Mar 10 22:18:57 ubuntu systemd-udevd[2078]: dm-2: '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/dm-2'(err) 'unshare: '
Mar 10 22:18:57 ubuntu systemd-udevd[2078]: dm-2: '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/dm-2'(err) 'cannot change root filesystem propagation'
Mar 10 22:18:57 ubuntu systemd-udevd[2078]: dm-2: '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/dm-2'(err) ': Operation not permitted'
```

Note that `unshare -m` will try to re-mount / as recursive private in the namespace. This is likely where it fails. But even if we remove `unshare`, I suspect

Instead of using udev, we should listen to udisks through dbus to find added filesystems which are marked as automatic.
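As an added example (not part of this report or of snapd), the following reassembles the fragmented stderr lines that `systemd-udevd` logs per RUN program and flags the ones denied by the udevd sandbox; the extra `sda1` line and the `SANDBOXED` list of mount/namespace tools are constructed for illustration:

```python
import os
import re
from collections import defaultdict

# Constructed sample in the udev debug-log format quoted in the report.
# The first three lines are the real fragments; the sda1 line is made up
# to show a RUN program that was not blocked.
SAMPLE_LOG = """\
Mar 10 22:18:57 ubuntu systemd-udevd[2078]: dm-2: '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/dm-2'(err) 'unshare: '
Mar 10 22:18:57 ubuntu systemd-udevd[2078]: dm-2: '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/dm-2'(err) 'cannot change root filesystem propagation'
Mar 10 22:18:57 ubuntu systemd-udevd[2078]: dm-2: '/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/dm-2'(err) ': Operation not permitted'
Mar 10 22:18:58 ubuntu systemd-udevd[2078]: sda1: '/usr/bin/logger udev saw sda1'(err) 'logger: ok'
"""

# udevd logs each stderr fragment as: <dev>: '<command>'(err) '<fragment>'
LINE_RE = re.compile(
    r"systemd-udevd\[\d+\]: (?P<dev>\S+): '(?P<cmd>[^']*)'\(err\) '(?P<text>.*)'$"
)

# Tools that need mount/namespace privileges the udevd sandbox does not grant
# (assumed list for this example, not a systemd definition).
SANDBOXED = ("unshare", "mount", "umount", "nsenter")

def collect_stderr(log):
    """Join the per-(device, command) stderr fragments back into one message."""
    parts = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            parts[(m["dev"], m["cmd"])].append(m["text"])
    return {key: "".join(frags) for key, frags in parts.items()}

def find_sandbox_denials(log):
    """Return one record per RUN program that failed with EPERM, noting
    whether its argv[0] is a known mount/namespace tool (likely cause)."""
    findings = []
    for (dev, cmd), text in collect_stderr(log).items():
        if "Operation not permitted" not in text:
            continue
        program = os.path.basename(cmd.split()[0]) if cmd.split() else ""
        findings.append({"device": dev, "command": cmd, "program": program,
                         "stderr": text, "sandboxed_tool": program in SANDBOXED})
    return findings

if __name__ == "__main__":
    for f in find_sandbox_denials(SAMPLE_LOG):
        print(f"{f['device']}: {f['program']} denied: {f['stderr']}")
```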

Revision history for this message
Maciej Borzecki (maciek-borzecki) wrote:

My bet is on SystemCallFilter which is set to `@system-service @module @raw-io bpf` which IIRC would deny mount among other things.

Maciej Borzecki (maciek-borzecki) wrote:

Possibly related to https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1971955, for which, AFAIU, the root cause was identified as the SystemCallFilter blocking the unshare() syscall.

Maciej Borzecki (maciek-borzecki) wrote:

Changed in snapd:
assignee: nobody → Alberto Mardegan (mardy)
status: New → Confirmed
importance: Undecided → High

Alberto Mardegan (mardy) wrote:

This bug has already been fixed by Valentin in Ubuntu Core with https://github.com/snapcore/core-base/pull/35

For the issue on desktop systems, we'll continue working on bug 1966203 (and the solution there will be just to remove the udev script).

Changed in snapd:
assignee: Alberto Mardegan (mardy) → Valentin David (valentin.david)
status: Confirmed → Fix Committed