# without docker-support
$ snappy-debug.security scanlog kubelet

= AppArmor =
Time: Feb 9 18:04:55
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/kernel/mm/hugepages/" pid=28351 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/kernel/mm/hugepages/ (read)
Suggestion:
* adjust program to not access '/sys/kernel/mm/hugepages/'

= AppArmor =
Time: Feb 9 18:04:55
Log: apparmor="DENIED" operation="connect" profile="snap.kubelet.kubelet" name="/run/dbus/system_bus_socket" pid=28364 comm="kubelet" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /run/dbus/system_bus_socket (write)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*

= AppArmor =
Time: Feb 9 18:04:55
Log: apparmor="DENIED" operation="connect" profile="snap.kubelet.kubelet" name="/run/dbus/system_bus_socket" pid=28364 comm="kubelet" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /run/dbus/system_bus_socket (write)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*

= AppArmor =
Time: Feb 9 18:04:55
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/proc/28351/cgroup" pid=28364 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/28351/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'

# with docker-support
$ snappy-debug.security scanlog kubelet

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/block/" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/block/ (read)
Suggestion:
* adjust program to not access '/sys/block/'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/devices/virtual/net/cni0/address" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/virtual/net/cni0/address (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/net/cni0/address'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/devices/virtual/dmi/id/product_uuid" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/virtual/dmi/id/product_uuid (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/dmi/id/product_uuid'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/devices/virtual/dmi/id/product_name" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/virtual/dmi/id/product_name (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/dmi/id/product_name'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/devices/virtual/dmi/id/product_version" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/virtual/dmi/id/product_version (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/dmi/id/product_version'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/devices/virtual/dmi/id/sys_vendor" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/virtual/dmi/id/sys_vendor (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/dmi/id/sys_vendor'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/devices/virtual/dmi/id/product_name" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/virtual/dmi/id/product_name (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/dmi/id/product_name'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/devices/virtual/dmi/id/product_name" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/virtual/dmi/id/product_name (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/dmi/id/product_name'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/devices/virtual/dmi/id/product_name" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/devices/virtual/dmi/id/product_name (read)
Suggestion:
* adjust program to not access '/sys/devices/virtual/dmi/id/product_name'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/var/log/containers/" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/containers/ (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/run/docker.pid" pid=30026 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/docker.pid (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="ptrace" profile="snap.kubelet.kubelet" pid=30026 comm="kubelet" requested_mask="trace" denied_mask="trace" peer="unconfined"

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="ptrace" profile="snap.kubelet.kubelet" pid=30026 comm="kubelet" requested_mask="trace" denied_mask="trace" peer="unconfined"

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="ptrace" profile="snap.kubelet.kubelet" pid=30026 comm="kubelet" requested_mask="trace" denied_mask="trace" peer="unconfined"

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="exec" profile="snap.kubelet.kubelet" name="/bin/journalctl" pid=30043 comm="kubelet" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /bin/journalctl (exec)
Suggestions:
* adjust snap to ship 'journalctl'
* adjust program to use relative paths if the snap already ships 'journalctl'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/cpu,cpuacct/cpu.shares" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/cpu.shares'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/memory/memory.limit_in_bytes" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/memory/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/memory.limit_in_bytes'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/memory/memory.soft_limit_in_bytes" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/memory/memory.soft_limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/memory.soft_limit_in_bytes'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/cpu,cpuacct/cpu.shares" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/cpu.shares'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/memory/memory.limit_in_bytes" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/memory/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/memory.limit_in_bytes'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/memory/memory.soft_limit_in_bytes" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/memory/memory.soft_limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/memory.soft_limit_in_bytes'

= AppArmor =
Time: Feb 9 18:07:21
Log: apparmor="DENIED" operation="open" profile="snap.kubelet.kubelet" name="/sys/fs/cgroup/cpu,cpuacct/" pid=30027 comm="kubelet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/ (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/'