Denial for file_lock on /run/netns while using network-control interface

Bug #2047798 reported by Berkay Tekin Öz
Affects  Status         Importance  Assigned to       Milestone
snapd    Fix Committed  Undecided   Samuele Pedroni

Bug Description

The K8s team is implementing Cilium support under strict confinement. Cilium utilizes network namespaces and is faced with an apparmor denial even when using the network-control interface. Manually adding the "k" mask for "/run/netns" by editing the profile generated by snapd gets rid of the denial, and is used as a workaround currently.

= AppArmor =
Time: 2023-11-29T13:1
Log: apparmor="DENIED" operation="file_lock" class="file" profile="snap.k8s.containerd" name="/run/netns/" pid=20134 comm="ip" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /run/netns/ (write)

Versions
snap 2.60.4+23.10.1
snapd 2.60.4+23.10.1
series 16
ubuntu 23.10
kernel 6.5.0-14-generic

Changed in snapd:
assignee: nobody → Samuele Pedroni (pedronis)
Samuele Pedroni (pedronis) wrote :

Is it really trying to lock the entire dir? Not just a file inside?

Berkay Tekin Öz (berkayoz) wrote (last edit):

Yes, it seems so, as this is the only denial we get. We have not faced any other denials for sub-paths; it's always on `/run/netns`. I kind of recall trying to add the `k` flag to the network-control interface as `/run/netns/* rwk,` and still ending up in a denial (re-checked).

Maciej Borzecki (maciek-borzecki) wrote :

It seems to be the 'protocol' ip implements internally: https://github.com/iproute2/iproute2/blob/f22c49730c3691c25a1147081363eb35aa9d1048/ip/ipnetns.c#L819 which results in a failure in some specific scenarios (when trying to make /run/netns a shared mount point).
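
As an added illustration (not code from this report or from snapd), the script below parses the denial quoted in the description and checks which candidate profile lines would have covered it. It serves both the observation that `/run/netns/* rwk,` still produced a denial and the point that `ip` locks the directory itself. The candidate rules are constructed for the example, and the glob semantics are my assumption about how apparmor_parser translates `*` and `**`: a glob that directly follows a `/` must consume at least one character, so `/run/netns/*` never matches the directory path `/run/netns/` that appears in the log, while a literal `/run/netns/` rule or the `/run/netns/{,**}` form does.

```python
import re

# Constructed copy of the denial quoted in the bug description (same fields, re-typed here).
DENIAL = (
    'apparmor="DENIED" operation="file_lock" class="file" '
    'profile="snap.k8s.containerd" name="/run/netns/" pid=20134 comm="ip" '
    'requested_mask="k" denied_mask="k" fsuid=0 ouid=0'
)

# key="quoted value" or key=bareword, as written in AppArmor audit lines.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def glob_to_regex(glob):
    """Translate an AppArmor path glob (subset: * ** ? {a,b}) to an anchored regex.

    Assumption about apparmor_parser: a '*' or '**' that starts the pattern or
    directly follows a '/' must consume at least one character, so '/dir/*'
    and '/dir/**' match entries under the directory but not '/dir/' itself.
    """
    out = []
    depth = 0
    i = 0
    while i < len(glob):
        c = glob[i]
        after_slash = i == 0 or glob[i - 1] == '/'
        if c == '*':
            double = glob[i + 1:i + 2] == '*'
            if after_slash:
                out.append('[^/]')          # at least one non-slash character
            out.append('.*' if double else '[^/]*')
            i += 2 if double else 1
            continue
        if c == '?':
            out.append('[^/]')
        elif c == '{':
            depth += 1
            out.append('(?:')
        elif c == '}' and depth:
            depth -= 1
            out.append(')')
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return '^' + ''.join(out) + '$'


# Plain file rule: "<glob> <perms>," with lowercase permission letters only.
_RULE_RE = re.compile(r'^\s*(\S+)\s+([rwkmlix]+)\s*,\s*$')


def rule_covers(rule, path, mask):
    """True if one file rule matches path and grants every letter of mask."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError('unsupported rule syntax: %r' % rule)
    glob, perms = m.groups()
    return bool(re.match(glob_to_regex(glob), path)) and set(mask) <= set(perms)


def triage(line, candidate_rules):
    """Map each candidate rule to whether it would have allowed the denied access."""
    d = parse_denial(line)
    return {r: rule_covers(r, d['name'], d['denied_mask']) for r in candidate_rules}


# Constructed candidates; the first is the rule the reporter tried.
CANDIDATES = [
    '/run/netns/* rwk,',      # '*' after '/' needs one character: misses the dir itself
    '/run/netns/** rwk,',     # same limitation with '**'
    '/run/netns/ rw,',        # matches the directory but does not grant 'k'
    '/run/netns/ rk,',        # matches the directory and grants the lock
    '/run/netns/{,**} rwk,',  # common idiom: the directory and everything under it
]

if __name__ == '__main__':
    for rule, ok in triage(DENIAL, CANDIDATES).items():
        print('%-24s %s' % (rule, 'covers' if ok else 'still denied'))
```

Running it prints one line per candidate; only the two rules that match the directory path itself and include `k` cover the `file_lock` on `/run/netns/`, which is the behaviour the reporter observed with the `/run/netns/*` attempt.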

Samuele Pedroni (pedronis) wrote :
Changed in snapd:
status: New → In Progress
Samuele Pedroni (pedronis) wrote :

Landed this; the fix will be in the next edge snapd.

Changed in snapd:
status: In Progress → Fix Committed
Berkay Tekin Öz (berkayoz) wrote :

Tested on edge with

snapd 2.61.1+git1780.g0c2bbfe 21161 latest/edge

and the issue seems to be resolved; we don't face the denial anymore. Thanks a lot!
