permission denied trying to read process' smaps

Bug #1686369 reported by Federico Gimenez
Affects | Status | Importance | Assigned to | Milestone
snapd | Triaged | Low | Unassigned |

Bug Description

I'm testing recent changes in snapd's interfaces. In order to check this rule [1], I'm using a snap with a bin/smaps executable file with this content:

#!/bin/sh
cat "/proc/$$/task/$$/smaps"

The snap defines a command using that file. When I try to execute the command I get:

cat: /proc/3207/task/3207/smaps: Permission denied

There are no denials on /var/log/syslog, the last entries are related to the test snap installation.

Thanks,

[1] https://github.com/snapcore/snapd/blob/master/interfaces/apparmor/template.go#L277

Michael Vogt (mvo) wrote :

I can confirm this behaviour. If I do:
"""
$ sudo snap install test-snapd-tools
$ sudo snap run --shell test-snapd-tools.echo
# less /proc/$$/smaps
/proc/17352/smaps: Permission denied
# exit
$ dmesg | tail -n
[ 8857.462687] audit: type=1400 audit(1514978876.528:426): apparmor="DENIED" operation="ptrace" profile="snap.test-snapd-tools.echo" pid=17410 comm="less" requested_mask="trace" denied_mask="trace" peer="snap.test-snapd-tools.echo"
"""

What is interesting is that the denial is for "trace" not the path itself.

Changed in snapd:
importance: Undecided → Low
status: New → Triaged
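
Added triage example, not part of the bug report or of snapd: it parses AppArmor DENIED audit records and separates path-based denials from ptrace denials, which name a peer profile instead of a file, so searching logs for the /proc path does not find them. The second sample line, its profile name and its path are constructed for contrast; the function names are hypothetical.

```python
import re

# Constructed sample: line 1 is the denial quoted in the comment above;
# line 2 is a made-up file denial (hypothetical profile and path) for contrast.
SAMPLE_LOG = '''\
[ 8857.462687] audit: type=1400 audit(1514978876.528:426): apparmor="DENIED" operation="ptrace" profile="snap.test-snapd-tools.echo" pid=17410 comm="less" requested_mask="trace" denied_mask="trace" peer="snap.test-snapd-tools.echo"
[ 9001.000001] audit: type=1400 audit(1514979000.000:500): apparmor="DENIED" operation="open" profile="snap.example.cmd" name="/etc/example.conf" pid=20000 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def classify(fields):
    """Separate path-based denials from ptrace denials, which carry no path."""
    op = fields.get("operation")
    if op == "ptrace":
        kind, target = "ptrace", fields.get("peer")
    elif "name" in fields:
        kind, target = "file", fields["name"]
    else:
        kind, target = "other", None
    return {
        "kind": kind,
        "operation": op,
        "profile": fields.get("profile"),
        "comm": fields.get("comm"),
        "mask": fields.get("denied_mask"),
        "target": target,
        # True when a confined process was denied tracing its own profile.
        "self_peer": kind == "ptrace" and target == fields.get("profile"),
    }


def summarize(log_text):
    """Classify every DENIED record found in a block of log text."""
    parsed = (parse_denial(line) for line in log_text.splitlines())
    return [classify(f) for f in parsed if f is not None]


if __name__ == "__main__":
    for denial in summarize(SAMPLE_LOG):
        print(denial)
```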