i/b/dm-crypt: seccomp faults
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd |
New
|
Undecided
|
Unassigned |
Bug Description
Using the dm-crypt connection I'm getting seccomp faults
[Wed Sep 6 13:10:46 2023] audit: type=1326 audit(169400584
[Wed Sep 6 13:10:53 2023] audit: type=1326 audit(169400585
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(169400585
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(169400585
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(169400585
It seems like the assertions are not applied to existing processes immediately after connecting the dm-crypt interface. Restarting the microceph.daemon after interface connection works around this issue.
ubuntu@mc-3:~$ sudo microceph cluster bootstrap
ubuntu@mc-3:~$ sudo snap connect microceph:dm-crypt
ubuntu@mc-3:~$ sudo microceph disk add --encrypt /dev/vdc
Error: Failed adding new disk: Failed to open: Failed to luksOpen: /dev/disk/
No key available with this passphrase.
NOTE: OSD Encryption requires a snapd >= 2.59.1
Verify your version of snapd by running "snap version"
ubuntu@mc-3:~$ sudo dmesg -T | tail
...
[Wed Sep 6 13:10:46 2023] audit: type=1326 audit(169400584
[Wed Sep 6 13:10:53 2023] audit: type=1326 audit(169400585
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(169400585
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(169400585
[Wed Sep 6 13:10:55 2023] audit: type=1326 audit(169400585
ubuntu@mc-3:~$ sudo snap restart microceph.daemon
Restarted.
ubuntu@mc-3:~$ sudo microceph disk add --encrypt /dev/vdc
ubuntu@mc-3:~$ sudo microceph disk add --encrypt /dev/vdd
ubuntu@mc-3:~$ sudo microceph status
MicroCeph deployment summary:
- mc-3 (192.168.121.175)
Services: mds, mgr, mon, osd
Disks: 2
Is there an expectation that snap authors restart services after interface connection?
Versions:
snap 2.60.2
snapd 2.60.2
series 16
ubuntu 22.04
kernel 5.15.0-82-generic
For reference, debug output with SNAP_CONFINE_
https:/
Steps to reproduce, using uvtools:
```
uvt-kvm create --cpu 4 --memory 8192 --disk 16 --host-passthrough --no-start "mc" release=jammy
virsh vol-create-as uvtool --format qcow2 "mc-virtio1.qcow" 34359738368
virsh attach-disk "mc" "/var/lib/
virsh start mc
uvt-kvm wait "mc"
uvt-kvm ssh "mc" -- -t '\
sudo snap install --channel latest/edge microceph
sudo microceph cluster bootstrap
sudo snap connect microceph:dm-crypt'
uvt-kvm ssh "mc" -- 'sudo microceph disk add --encrypt /dev/vdc'
```
description: | updated |
Hi, thanks for raising this,
Reading the dm-crypt interface, I see the devices allowed to access through this one is:
/dev/dm-[0-9]* rwk,
I think you could try also connecting your snap to the block_devices interface which allows access to
# Access to raw devices, not individual partitions ,[a-h]} [a-z] rwk, # SCSI hd{,[a- c]}[a-z] rwk, # I2O hard disk 0-9]{,[ 0-9],[0- 9][0-9] } rwk, # MMC (up to 1000 devices) 0-9]{,[ 0-9],[0- 9][0-9] } rwk, # loopback (up to 1000 devices)
/dev/hd[a-t] rwk, # IDE, MFM, RLL
/dev/sd{
/dev/sdi[a-v] rwk, # SCSI continued
/dev/i2o/
/dev/i2o/hdd[a-x] rwk, # I2O hard disk continued
/dev/mmcblk[
/dev/vd[a-z] rwk, # virtio
/dev/loop[
/dev/loop-control rw, # loopback control