classic snap files logs with apparmor ALLOWED messages
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | Confirmed | High | Michael Vogt |
Bug Description
From https:/
"When building a c++ app on a raspberry pi 3 in classic mode,
I noticed two things that hurt performance substantially.
1) the obvious: if you crank config.txt's gpu_mem up above the
default, life is bad :-) Don't do that on build machines.
2) the not so obvious: apparmor is keeping systemctl's journal process
at 100% on one core logging crud like
Jan 06 18:03:37 rbb-ubu1604pi3-1 audit[3249]: AVC apparmor="ALLOWED" operation="open" profile= name="/ pid=3249 comm="cc1plus" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 06 18:03:37 rbb-ubu1604pi3-1 audit[3254]: AVC apparmor="ALLOWED" operation="mknod" profile= name="/ comm="c++" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Is there an option for reducing apparmor verbosity on ALLOWED operations?
(speaking strictly as a foreigner in the land of apparmor and snappy)
Thanks!
"
What is happening is that the classic snap is currently using a chroot with devmode. devmode causes policy violations to be allowed but logged, but because it is using a chroot instead of a pivot_root, all the file accesses don't match the rules from the default template. To silence the logging, the policy needs to be updated. There are several options on how to do this and it needs a little bit of design on which implementation is best.
WORKAROUND: you can add this to /var/lib/
mount fstype=devpts options=(rw) devpts -> /dev/pts/,
/bin/mountpoint ixr,
@{PROC}
/var/
capability fsetid,
capability dac_override,
/etc/
/usr/
/bin/systemctl Uxr,
then load the profile into the kernel with:
$ sudo apparmor_parser -r /var/lib/
Now you should be able to 'sudo classic' and not see any apparmor logging. Note that you may have to re-add the above rules to the profile (eg, if the snap is removed/
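The description says the fix is to add policy for the accesses that devmode is logging. The script below is an added example, not code from this bug, from snapd or from the AppArmor project: it parses AVC apparmor="ALLOWED" records of the form quoted above, counts which command is flooding the journal, and merges the logged paths and masks into candidate profile rules (a reduced version of what aa-logprof from apparmor-utils does). The profile name snap.example.app, the hostname, pids and paths in SAMPLE_LOG are constructed to resemble the report, and the mapping from audit mask letters to profile permission letters is an approximation that still needs a human to review exec modes.

```python
#!/usr/bin/env python3
"""Turn AVC apparmor="ALLOWED" records into candidate AppArmor profile rules.

Added example for this bug report; not snapd or AppArmor project code.
The profile name, paths, pids and hostname in SAMPLE_LOG are constructed
to resemble the records quoted in the report.
"""
import re
from collections import Counter, defaultdict

# key=value tokens: values are either "double quoted" or bare (pid=3249).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Audit mask letters -> AppArmor file permission letters (approximation).
# Create ('c') and delete ('d') are covered by 'w' in profile syntax; 'x' is
# kept as-is and flagged, because ix/px/ux has to be chosen by a human.
_MASK_MAP = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
             "l": "l", "k": "k", "m": "m", "x": "x"}

# Constructed journal excerpt: a compiler reading a header, one object file
# created and then written, a capability check, and one non-AppArmor line.
SAMPLE_LOG = """\
Jan 06 18:03:37 host audit[3249]: AVC apparmor="ALLOWED" operation="open" profile="snap.example.app" name="/usr/include/c++/5/iostream" pid=3249 comm="cc1plus" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 06 18:03:37 host audit[3254]: AVC apparmor="ALLOWED" operation="mknod" profile="snap.example.app" name="/tmp/ccXYZ.o" pid=3254 comm="c++" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jan 06 18:03:38 host audit[3254]: AVC apparmor="ALLOWED" operation="open" profile="snap.example.app" name="/tmp/ccXYZ.o" pid=3254 comm="c++" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan 06 18:03:38 host audit[3260]: AVC apparmor="ALLOWED" operation="capable" profile="snap.example.app" pid=3260 comm="mount" capability=21 capname="sys_admin"
Jan 06 18:03:38 host systemd[1]: Started Session 4 of user ubuntu.
"""


def parse_audit_line(line):
    """Return the key=value fields of an AVC apparmor record, else None."""
    if "AVC apparmor=" not in line:
        return None
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def records(text, decision="ALLOWED"):
    """Yield parsed records whose apparmor= decision matches (ALLOWED or DENIED)."""
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec.get("apparmor") == decision:
            yield rec


def count_by_comm(text):
    """How many ALLOWED records each command produced (who is flooding the journal)."""
    return Counter(rec.get("comm", "?") for rec in records(text))


def suggest_rules(text):
    """Map profile name -> sorted candidate rules that would silence the log.

    Accesses to one path are merged, so /tmp/x seen with 'c' and then 'w'
    gives a single '/tmp/x w,' rule. 'capable' records become
    'capability NAME,'. Anything else is emitted as a comment for review.
    """
    files = defaultdict(lambda: defaultdict(set))  # profile -> path -> perms
    extra = defaultdict(set)                       # profile -> other rules
    for rec in records(text):
        prof = rec.get("profile", "?")
        op = rec.get("operation", "")
        if op == "capable" and "capname" in rec:
            extra[prof].add("capability %s," % rec["capname"])
        elif "name" in rec and "denied_mask" in rec:
            perms = {_MASK_MAP.get(ch, ch) for ch in rec["denied_mask"]}
            files[prof][rec["name"]] |= perms
            if "x" in perms:
                extra[prof].add("# %s: pick an exec mode (ix/px/ux) by hand" % rec["name"])
        else:
            extra[prof].add("# unhandled operation=%s comm=%s" % (op, rec.get("comm", "?")))
    out = {}
    for prof in set(files) | set(extra):
        rules = ["%s %s," % (path, "".join(sorted(perms)))
                 for path, perms in files[prof].items()]
        out[prof] = sorted(rules + sorted(extra[prof]))
    return out


if __name__ == "__main__":
    print(count_by_comm(SAMPLE_LOG))
    for prof, rules in suggest_rules(SAMPLE_LOG).items():
        print("# %s" % prof)
        for rule in rules:
            print("  " + rule)
```

Running it prints the per-command counts and, for snap.example.app, three candidate rules (a read rule for the header, a single write rule for the object file, and `capability sys_admin,`). To use it on real data, call suggest_rules() on saved journal text. The output is only a starting point: with devmode and a chroot the logged paths are the chroot's view of the filesystem, which is exactly why they do not match the default template, so each candidate path still has to be checked against what the snap should actually be allowed to touch before it goes into the profile.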
Changed in snappy:
  description: updated
  importance: Undecided → High
  status: New → Confirmed
  assignee: nobody → Oliver Grawert (ogra)
Changed in snappy:
  assignee: Oliver Grawert (ogra) → Michael Vogt (mvo)
  affects: snappy → snapd
I'm not sure of the long term goals of the classic snap but there are several options on how to fix this for the current situation:
1. add a 'classic' interface that adds rules like those in the workaround and have the classic snap 'plugs: [ classic ]'
2. special case the classic snap in snapd and add rules like those in the workaround unconditionally
3. use 'confinement: classic' for the classic snap
'3' seems like the cleanest way to do this but someone would have to confirm that using 'classic' confinement does what you want for this snap since the mount namespace setup that is used with strict and devmode isn't present with 'classic' confinement (but since 'chroot' is used I suspect that is probably ok).