Canonical System Image

Bug #1633367
Comment #0

Comment 0 for bug 1633367

Revision history for this message

You-Sheng Yang (vicamo) wrote on 2016-10-14:

[ 2526.693811] (1)[30640:ubuntu-core-lau]type=1400 audit(1476430414.677:434): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=30640 comm="ubuntu-core-lau" requested_mask="read" denied_mask="read" peer="/usr/lib/snapd/snap-confine"
[ 2526.693845] (1)[30640:ubuntu-core-lau]type=1400 audit(1476430414.677:435): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" pid=30640 comm="ubuntu-core-lau" requested_mask="readby" denied_mask="readby" peer="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper"
[ 3512.751438] (1)[8128:ubuntu-core-lau]type=1400 audit(1476431400.737:502): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=8128 comm="ubuntu-core-lau" requested_mask="read" denied_mask="read" peer="/usr/lib/snapd/snap-confine"

So we need to modify /etc/apparmor.d/usr.lib.snapd.snap-confine as:

/usr/lib/snapd/snap-confine flags=(attach_disconnected) {
...
ptrace (read, readby, tracedby) ...

    ^mount-namespace-capture-helper flags=(attach_disconnected) {
    ...
    ptrace (read, trace, tracedby) ...