snapctl from configure hooks causes a confusing noisy denial on /run/snapd.socket
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
There are quite a few bugs regarding the configure hook and apparmor denials:
- bug #1644573 - snapctl causes hooks to attempt to open ip/ipv6 tcp connection (Go issue)
- bug #1674484 - snap install core failure: permission denied (apparmor) (/bin/sync was the culprit)
- bug #1674193 - core snap's configuration hangs on debian | openSUSE | mainline kernel (seccomp issue)
In all of these we see these denials:
Mar 24 09:46:37 sec-xenial-amd64 kernel: [ 4103.232237] audit: type=1400 audit(149036679
Mar 24 09:46:37 sec-xenial-amd64 kernel: [ 4103.232471] audit: type=1400 audit(149036679
Mar 24 09:46:37 sec-xenial-amd64 kernel: [ 4103.232579] audit: type=1400 audit(149036679
Mar 24 09:46:37 sec-xenial-amd64 kernel: [ 4103.237185] audit: type=1400 audit(149036679
Since the inet and inet6 denials are bug #1644573, this bug is concerned with:
Mar 24 09:46:37 sec-xenial-amd64 kernel: [ 4103.237185] audit: type=1400 audit(149036679
As mentioned in https:/
1. adjust snapctl to use /run/snapd-
2. add the apparmor rule 'deny /run/snapd.socket rw,' to *all* configure hook policy to silence the apparmor log message
'1' is preferred because while '2' is easy to implement, due to the way AppArmor deny rules are applied, they take precedence over allow rules. This means that a configure hook would never be able to 'plugs: snapd-control' because while snapd-control would allow it, the explicit deny rule in '2' would override it. Not to mention, explicit deny rules make debugging more difficult for cases when something is accidentally accessing the denied path (you wouldn't see anything in the logs).
Changed in snapd: | |
status: | Fix Committed → Fix Released |
This is now fixed with https:/ /github. com/snapcore/ snapd/pull/ 3098 being merged and part of 2.23.6.