I looked into this a little, wondering if seccomp arg filtering would help. It does not, as demonstrated by:
$ sudo strace -e trace=socket -f snapctl
strace: Process 10062 attached
[pid 10060] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid 10060] socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 3
[pid 10060] socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 4
...
[pid 10064] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
[pid 10064] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
[pid 10064] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
error: snapctl cannot run without args
The PF_INET and PF_INET6 indicate why it is triggering the network rules (I would have expected it to only use PF_LOCAL/PF_UNIX/AF_LOCAL/AF_UNIX since this is a unix socket). If this is blocking people while Zygmunt investigates this, plug the network interface for this hook (snapd could do this itself).
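
An added example, not part of the original comment: a small Python helper that tallies socket() address families per PID from `strace -e trace=socket -f` output, so non-unix families that would hit network rules stand out. The function names are hypothetical, and the sample input is the trace quoted above.

```python
import re
from collections import defaultdict

# Matches strace socket() lines, with or without the "[pid N]" prefix added by -f.
# Works for both PF_* (older strace) and AF_* (newer strace) family names.
SOCKET_RE = re.compile(
    r"^(?:\[pid\s+(?P<pid>\d+)\]\s+)?socket\((?P<domain>[A-Z0-9_]+),\s*"
    r"(?P<type>[A-Z0-9_|]+),\s*(?P<proto>\w+)\)\s*=\s*(?P<ret>-?\d+)"
)

# Families that stay on the local machine (unix domain sockets).
LOCAL_FAMILIES = {"PF_LOCAL", "PF_UNIX", "AF_LOCAL", "AF_UNIX"}

# Sample input: the trace lines from the comment above.
SAMPLE = """\
strace: Process 10062 attached
[pid 10060] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid 10060] socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 3
[pid 10060] socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 4
...
[pid 10064] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
[pid 10064] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
[pid 10064] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
error: snapctl cannot run without args
"""

def summarize(trace_text):
    """Return {pid: {family: count}} for every socket() call in the trace."""
    per_pid = defaultdict(lambda: defaultdict(int))
    for line in trace_text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:  # non-socket lines ("strace: ...", "...", program output) are skipped
            per_pid[m.group("pid") or "main"][m.group("domain")] += 1
    return {pid: dict(families) for pid, families in per_pid.items()}

def non_local_families(trace_text):
    """Sorted list of families in the trace that are not unix-domain families."""
    seen = set()
    for families in summarize(trace_text).values():
        seen.update(families)
    return sorted(seen - LOCAL_FAMILIES)

if __name__ == "__main__":
    for pid, families in summarize(SAMPLE).items():
        print(pid, families)
    print("non-local families:", non_local_families(SAMPLE))
```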