cannot create mount point for file /tmp/snap.rootfs_

Bug #2066124 reported by Scott E. MacKenzie

This bug affects 1 person
Affects: snapd
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

```
# snap --version
snap 2.62+22.04
snapd 2.62+22.04
series 16
ubuntu 22.04
kernel 6.5.0-1020-aws
```

Attempting to start snap package:
```
~# ssh-audit version
cannot create mount point for file "/tmp/snap.rootfs_ttB1w4/README.md": Permission denied
```

Contents of /tmp/:
```
# ls -l /tmp/
total 84
drwx------ 2 root root 4096 May 19 10:24 snap-private-tmp
drwx------ 2 root root 4096 May 19 10:30 snap.rootfs_1P4Kmn
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_DiD5AX
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_Jjr3EU
drwx------ 2 root root 4096 May 19 10:33 snap.rootfs_LEA0ic
drwx------ 2 root root 4096 May 19 10:25 snap.rootfs_LqTJvt
drwx------ 2 root root 4096 May 19 10:40 snap.rootfs_Pfd36j
drwx------ 2 root root 4096 May 19 10:35 snap.rootfs_QGPUKe
drwx------ 2 root root 4096 May 19 10:44 snap.rootfs_QZaClr
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_QZjfkv
drwx------ 2 root root 4096 May 19 10:25 snap.rootfs_Qdv2Cj
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_UyxaGE
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_WcgzpB
drwx------ 2 root root 4096 May 19 10:29 snap.rootfs_a6X4fm
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_cZVQlD
drwx------ 2 root root 4096 May 19 10:32 snap.rootfs_o1qFYW
drwx------ 2 root root 4096 May 19 11:46 snap.rootfs_ttB1w4
drwx------ 2 root root 4096 May 19 11:23 snap.rootfs_xoAXG6
```

```
~# sudo aa-status | grep snapd
   /snap/core/16928/usr/lib/snapd/snap-confine
   /snap/core/16928/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/21184/usr/lib/snapd/snap-confine
   /snap/snapd/21184/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/21465/usr/lib/snapd/snap-confine
   /snap/snapd/21465/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
```

```
# dmesg | grep DENIED
```
Returns no data (empty).

```
# snap debug confinement
strict
```

Other snap packages seem to be working, but a fresh install does not work for ssh-audit:
https://github.com/jtesta/ssh-audit

The server is hardened to CIS Level 2 standard.

Anyone come across this before?

Zygmunt Krynicki (zyga) wrote:

Hello.

It's surprising that there's nothing in dmesg, especially since there are routinely ignored denials that we have known about. Can you triple-check that dmesg is really not showing any denials when running other snap applications?

Maciej Borzecki (maciek-borzecki) wrote:

I tried on GCP but cannot reproduce it:

```
google:ubuntu-22.04-64 .../mini/hello# snap version
snap 2.62+22.04
snapd 2.62+22.04
series 16
ubuntu 22.04
kernel 6.5.0-1020-gcp

google:ubuntu-22.04-64 .../mini/hello# ssh-audit localhost
# general
(gen) banner: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.7
(gen) software: OpenSSH 8.9p1
(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2020.79+
(gen) compression: enabled (<email address hidden>)
...
```

This suggests something weird may be off in the system. Can you indicate which other snaps work? Please include the output of `snap list`.

Also, try running ssh-audit with `SNAPD_DEBUG=1`, e.g.:

```
$ SNAPD_DEBUG=1 ssh-audit localhost
```

Given that the error was 'Permission denied', it could really be getting blocked by AppArmor. If auditd is enabled (I'm guessing it was, as part of the hardening), it's likely that the logs will not show up in dmesg or the journal. However, due to https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1117804 you'll need to run `grep DENIED /var/log/audit/audit.log`. Please do so and attach relevant entries.

Changed in snapd:
status: New → Incomplete
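One way to carry out the audit-log check suggested above, as an added example that is not part of the bug report or of snapd: the script below scans an auditd log for AppArmor `DENIED` records and prints one summary line per denial (profile, operation, path), with a helper that narrows the result to the snap-confine profiles. It runs against a constructed sample written to a temp file, not against the reporter's system; on a real host you would pass `/var/log/audit/audit.log` instead. The field names (`apparmor=`, `operation=`, `profile=`, `name=`) are the standard AppArmor audit keys; the sample values, including the `snap.rootfs_XXXXXX` placeholder, are made up for illustration.

```shell
#!/bin/sh
# Summarise AppArmor denials from an auditd log.
# Added example; not code from snapd or from the bug report.

# Constructed sample in the shape of /var/log/audit/audit.log records.
# These lines are made up for the example and were not observed anywhere.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1716117600.101:201): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="/usr/lib/snapd/snap-confine" name="/tmp/snap.rootfs_XXXXXX/README.md" pid=4242 comm="snap-confine" flags="rw, bind"
type=AVC msg=audit(1716117600.102:202): apparmor="ALLOWED" operation="open" class="file" profile="snap.ssh-audit.ssh-audit" name="/etc/ssh/ssh_config" pid=4243 comm="ssh-audit" requested_mask="r" denied_mask="r"
type=SYSCALL msg=audit(1716117600.103:203): arch=c000003e syscall=165 success=no exit=-13 comm="snap-confine"
type=AVC msg=audit(1716117600.104:204): apparmor="DENIED" operation="open" class="file" profile="snap.ssh-audit.ssh-audit" name="/root/.ssh/known_hosts" pid=4243 comm="ssh-audit" requested_mask="r" denied_mask="r"
EOF

# Print "<profile> <operation> <path>" for every DENIED record.
# $1: path to the auditd log (defaults to the real audit.log).
# The leading space before name= avoids matching srcname= on mount records.
apparmor_denials() {
    grep 'apparmor="DENIED"' "${1:-/var/log/audit/audit.log}" |
    sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".* name="\([^"]*\)".*/\2 \1 \3/p'
}

# Number of DENIED records in the log.
apparmor_denial_count() {
    apparmor_denials "$1" | wc -l | tr -d ' '
}

# Only denials attributed to a snap-confine profile, which is where a
# "cannot create mount point" failure from the launcher would show up.
snap_confine_denials() {
    apparmor_denials "$1" | awk '$1 ~ /snap-confine/'
}

# Stand-alone usage: summarise the sample log.
printf 'AppArmor denials: %s\n' "$(apparmor_denial_count "$SAMPLE_LOG")"
apparmor_denials "$SAMPLE_LOG"
```

Because auditd consumes the kernel audit socket, `dmesg | grep DENIED` can legitimately come back empty on a host where denials are still being recorded, so an empty dmesg only rules out AppArmor once audit.log has been checked the same way.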