several snap-confine denials for capability net_admin and perfmon on 22.04

Bug #1967884 reported by Jamie Strandboge
This bug affects 6 people
Affects:      snapd (Ubuntu)
Status:       Confirmed
Importance:   Undecided
Assigned to:  Unassigned
Milestone:    (none)

Bug Description

I recently upgraded to 22.04 and started seeing denials like:

Apr 05 09:38:51 iolanthe audit[5815]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5815 comm="snap-confine" capability=12 capname="net_admin"
Apr 05 09:38:51 iolanthe audit[5815]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5815 comm="snap-confine" capability=38 capname="perfmon"
Apr 05 09:38:51 iolanthe kernel: audit: type=1400 audit(1649169531.339:277): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5815 comm="snap-confine" capability=12 capname="net_admin"
Apr 05 09:38:51 iolanthe kernel: audit: type=1400 audit(1649169531.339:278): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5815 comm="snap-confine" capability=38 capname="perfmon"

I've not been able to figure out what is causing this and will add more details if I do. Filing this in case others see it too.

summary: - several snap-confine denials for capability net_admin on 22.04
+ several snap-confine denials for capability net_admin and perfmon on
+ 22.04
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snapd (Ubuntu):
status: New → Confirmed
Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for the heads up @jdstrand - I am seeing this too - I also have one more - fsetid:

$ journalctl -b0 -t audit --grep DENIED.*snap-confine
Apr 06 08:48:06 graphene audit[3733]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=3733 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:48:06 graphene audit[3733]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=3733 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:48:07 graphene audit[4545]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4545 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:48:07 graphene audit[4545]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4545 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:48:07 graphene audit[4614]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4614 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:48:07 graphene audit[4614]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4614 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:48:07 graphene audit[4682]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4682 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:48:07 graphene audit[4682]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4682 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:48:08 graphene audit[4745]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4745 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:48:08 graphene audit[4745]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4745 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:48:26 graphene audit[8216]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=8216 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:48:26 graphene audit[8216]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=8216 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:48:27 graphene audit[8221]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=8221 comm="snap-confine" capability=4 capname="fsetid"
Apr 06 08:49:22 graphene audit[11287]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11287 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:49:22 graphene audit[11287]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11287 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:49:22 graphene audit[11287]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11287 comm="snap-confine" capability=4 capname="fsetid"
Apr 06 08:51:05 graphene audit[14806]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=14806 comm="snap-confine" capability...


Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The fsetid is actually quite old (at least 3 years; there may have been a Trello card for it). At one point it came in and I did analysis and tweaked the order of the priv dropping in snap-confine to get rid of it. Then some stuff was added to snap-confine and it came back. I always had it as a to-do to work through it, but weighing the necessity of keeping the priv-dropping solid vs getting rid of the noisy denial always kept it on the back-burner.

Bottom line, the fsetid has to do with the delicate drop/raise/.../full drop dance we do and isn't new. I think you should keep that separate from these other two.

The new ones feel like it's a parent/child issue with the new kernel (ie where it depends on what is launching snap-confine/what snap-confine is launching), but maybe it is just as simple as the 5.15 kernel has new capabilities checks for things it didn't before.

When looking at this, remember that the kernel rate limits capability denials differently than say, file rules and that it can be difficult to trigger the denials reliably without taking additional steps. John can help you with these techniques. I recall wanting to pull my hair out when investigating the fsetid denial until I nailed down how to get the logged denial reliably :)

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

18 months later, I'm still seeing this (perfmon and net_admin). As a workaround, could snapd not use /var/lib/snapd/apparmor/snap-confine.internal?

This is also mentioned here:
https://forum.snapcraft.io/t/apparmor-denied-capability-net-admin-and-perfmon/33068

Revision history for this message
Alex Murray (alexmurray) wrote :

Hey jdstrand - I'm not sure what you mean about the use of the snap-confine.internal profile - can you expand on that at all?

Also I tried debugging this to determine where the denials are happening but am still not there yet. Will keep this bug updated if I manage to track them down to the point that I can convince myself if these are truly needed permissions or whether we should just silence them with an explicit deny.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Hey amurray, regarding /var/lib/snapd/apparmor/snap-confine.internal, I see that snapd uses this folder to write out snippets to help with certain kernels, etc. Eg, I see that right now I have /var/lib/snapd/apparmor/snap-confine.internal/cap-bpf which contains

capability bpf,

I was suggesting that if snapd detected a kernel with perfmon, it could choose to add a /var/lib/snapd/apparmor/snap-confine.internal/cap-perfmon file here that contained either `capability perfmon,` or `deny capability perfmon,` depending on if snap-confine needed it.

You'd need to decide on what to do about net_admin still of course.

Revision history for this message
Nigel Reed (nelgin) wrote :

Is this ever going to be resolved? I'm tired of seeing these apparmor DENIED messages in my syslog.

[Wed May 1 10:33:40 2024] audit: type=1400 audit(1714577621.012:30): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6126 comm="snap-confine" capability=12 capname="net_admin"
[Wed May 1 10:33:40 2024] audit: type=1400 audit(1714577621.012:31): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6126 comm="snap-confine" capability=38 capname="perfmon"
[Wed May 1 10:52:39 2024] audit: type=1400 audit(1714578760.293:32): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6527 comm="snap-confine" capability=12 capname="net_admin"
[Wed May 1 10:52:39 2024] audit: type=1400 audit(1714578760.293:33): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6527 comm="snap-confine" capability=38 capname="perfmon"

Revision history for this message
John Johansen (jjohansen) wrote :

So while I don't think we are where snapd can get rid of the snap-confine.internal snippets, with it now vendoring a more recent apparmor, a lot of these can drop away. It doesn't need to detect capabilities anymore.

It can just specify

  deny capability perfmon,

and it will work, for all kernels.
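
Added example, not code from this bug report or from snapd: a small parser that reads AppArmor "capable" denials in the two layouts quoted in this thread (journalctl "audit[pid]: AVC ..." records and kernel/dmesg "audit: type=1400 audit(...)" records), counts them per profile and capability, and turns the result into candidate lines of the `deny capability <name>,` form given above. The log lines in the block are constructed to mirror the ones posted here; the profile filter and the decision to deny rather than allow are assumptions for illustration.

```python
"""Added example (not from the bug report or snapd): parse AppArmor "capable"
denials, count them per profile and capability, and emit candidate
`deny capability <name>,` lines for a chosen profile."""
import re
from collections import Counter

# One key=value pair of an audit record; values may be double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample mirroring the thread: journalctl, kernel and dmesg layouts,
# one ALLOWED (complain-mode) record and one unrelated line to exercise the filters.
SAMPLE_LOG = """\
Apr 06 08:48:06 graphene audit[3733]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=3733 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:48:06 graphene audit[3733]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=3733 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:48:07 graphene audit[4545]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4545 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:48:07 graphene audit[4545]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4545 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:48:27 graphene audit[8221]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=8221 comm="snap-confine" capability=4 capname="fsetid"
Apr 05 09:38:51 iolanthe kernel: audit: type=1400 audit(1649169531.339:277): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5815 comm="snap-confine" capability=12 capname="net_admin"
[Wed May 1 10:33:40 2024] audit: type=1400 audit(1714577621.012:30): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6126 comm="snap-confine" capability=12 capname="net_admin"
[Wed May 1 10:33:40 2024] audit: type=1400 audit(1714577621.012:31): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6126 comm="snap-confine" capability=38 capname="perfmon"
Apr 06 08:48:08 graphene audit[4745]: AVC apparmor="ALLOWED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4745 comm="snap-confine" capability=12 capname="net_admin"
Apr 06 08:48:08 graphene sshd[999]: Accepted publickey for alice from 192.0.2.10 port 50000
"""


def parse_record(line):
    """Return the key=value fields of an AppArmor audit record as a dict
    (quotes stripped), or None when the line is not an AppArmor record."""
    if "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def capability_denials(lines):
    """Yield (profile, pid, capname, capability_number) for every record that
    is a DENIED 'capable' check; ALLOWED (complain-mode) records are skipped."""
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "capable":
            continue
        yield (rec.get("profile"), rec.get("pid"), rec.get("capname"),
               int(rec.get("capability", -1)))


def summarise(lines):
    """Count denials per (profile, capname) so the noisy ones stand out."""
    return Counter((profile, cap) for profile, _, cap, _ in capability_denials(lines))


def candidate_deny_rules(lines, profile_suffix="snap-confine"):
    """Sorted, de-duplicated 'deny capability <name>,' lines for every capability
    denied to a profile whose path ends in profile_suffix (assumed filter)."""
    caps = {cap for profile, _, cap, _ in capability_denials(lines)
            if profile and profile.endswith(profile_suffix) and cap}
    return [f"deny capability {cap}," for cap in sorted(caps)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (profile, cap), n in sorted(summarise(lines).items()):
        print(f"{n:4d}  {cap:<10} {profile}")
    print("\n".join(candidate_deny_rules(lines)))
```

To run it against a live system, feed it the output of `journalctl -b0 -t audit --grep DENIED.*snap-confine` (the command used earlier in the thread) instead of SAMPLE_LOG. The counts are only as complete as the log itself: as jdstrand notes above, the kernel rate-limits capability denials, so a low count does not mean the check is rare. The generated lines are candidates to review, not a decision; whether a capability should be granted or explicitly denied still depends on what snap-confine actually needs.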

Revision history for this message
John Johansen (jjohansen) wrote :

@nelgin: yes the capability to resolve this exists. So now it is a matter of getting it functioning in snapd for these cases. This will get resolved I just can't say when it will land.
