apparmor issue when running snap with ip netns exec
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd |
Triaged
|
Medium
|
Unassigned |
Bug Description
snap --version
snap 2.36~pre2+
snapd 2.36~pre2+
series 16
neon 18.04
kernel 4.15.0-36-generic
sudo ip netns exec novpn sudo -u michaelc skype
execv failed: Permission denied
[341356.450087] audit: type=1400 audit(154037756
# Author: Jamie Strandboge <email address hidden>
#include <tunables/global>
/snap/core/
# Include any additional files that snapd chose to generate.
# - for $HOME on NFS
# - for $HOME on encrypted media
#
# Those are discussed on https:/
# and https:/
#include "/var/lib/
# We run privileged, so be fanatical about what we include and don't use
# any abstractions
/etc/
/etc/
/{,
# libc, you are funny
/{,
/{,
/{,
/{,
/{,
/{,
/{,
/{,
/{,
# normal libs in order
/{,
/{,
/{,
/{,
/{,
/{,
/{,
/{,
/{,
/snap/
/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
/dev/urandom r,
/dev/pts/[0-9]* rw,
/dev/tty rw,
# cgroup: devices
capability sys_admin,
capability dac_read_search,
capability dac_override,
/sys/
/sys/
/sys/
# cgroup: freezer
# Allow creating per-snap cgroup freezers and adding snap command (task)
# invocations to the freezer. This allows for reliably enumerating all
# running tasks for the snap. In addition, allow enumerating processes in
# the cgroup to determine if it is occupied.
/sys/
/sys/
/sys/
/sys/
# querying udev
/etc/
/sys/**/uevent r,
/usr/
/{,
/run/udev/** rw,
/{,usr/}bin/tr ixr,
/usr/
/usr/
/usr/
# priv dropping
capability setuid,
capability setgid,
# changing profile
@{PROC}
# Reading current profile
@{PROC}
# Reading available filesystems
@{PROC}
# To find where apparmor is mounted
@{PROC}
# To find if apparmor is enabled
/sys/
# Don't allow changing profile to unconfined or profiles that start with
# '/'. Use 'unsafe' to support snap-exec on armhf and its reliance on
# the environment for determining the capabilities of the architecture.
# 'unsafe' is ok here because the kernel will have already cleared the
# environment as part of launching snap-confine with
# CAP_SYS_ADMIN.
change_profile unsafe /** -> [^u/]**,
change_profile unsafe /** -> u[^n]**,
change_profile unsafe /** -> un[^c]**,
change_profile unsafe /** -> unc[^o]**,
change_profile unsafe /** -> unco[^n]**,
change_profile unsafe /** -> uncon[^f]**,
change_profile unsafe /** -> unconf[^i]**,
change_profile unsafe /** -> unconfi[^n]**,
change_profile unsafe /** -> unconfin[^e]**,
change_profile unsafe /** -> unconfine[^d]**,
change_profile unsafe /** -> unconfined?**,
# allow changing to a few not caught above
change_profile unsafe /** -> {u,un,unc,
# LP: #1446794 - when this bug is fixed, change the above to:
# deny change_profile unsafe /** -> {unconfined,/**},
# change_profile unsafe /** -> **,
# reading seccomp filters
/{tmp/
# ensuring correct permissions in sc_quirk_
/{tmp/
# LP: #1668659
mount options=(rw rbind) /snap/ -> /snap/,
mount options=(rw rshared) -> /snap/,
# bootstrapping the mount namespace
mount options=(rw rshared) -> /,
mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.
mount options=(rw unbindable) -> /tmp/snap.
# the next line is for classic system
mount options=(rw rbind) /snap/*/*/ -> /tmp/snap.
# the next line is for core system
mount options=(rw rbind) / -> /tmp/snap.
# all of the constructed rootfs is a rslave
mount options=(rw rslave) -> /tmp/snap.
# bidirectional mounts (for both classic and core)
# NOTE: this doesn't capture the MERGED_USR configuration option so that
# when a distro with merged /usr and / that uses apparmor shows up it
# should be handled here.
/{,run/}media/ w,
mount options=(rw rbind) /{,run/}media/ -> /tmp/snap.
/run/netns/ w,
mount options=(rw rbind) /run/netns/ -> /tmp/snap.
# unidirectional mounts (only for classic system)
mount options=(rw rbind) /dev/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /etc/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /home/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /root/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /proc/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /sys/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /tmp/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /var/snap/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /var/tmp/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /run/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /var/lib/
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) {,/usr}
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /var/log/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /usr/src/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
mount options=(rw rbind) /mnt/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
# allow making host snap-exec available inside base snaps
mount options=(rw bind) /usr/lib/snapd/ -> /tmp/snap.
mount options=(rw slave) -> /tmp/snap.
# allow making re-execed host snap-exec available inside base snaps
mount options=(ro bind) /snap/core/
# allow making snapd snap tools available inside base snaps
mount options=(ro bind) /snap/snapd/
mount options=(rw bind) /usr/bin/snapctl -> /tmp/snap.
mount options=(rw slave) -> /tmp/snap.
# /etc/alternatives (classic)
mount options=(rw bind) /snap/*
mount options=(rw bind) /snap/*/*/etc/ssl/ -> /tmp/snap.
mount options=(rw bind) /snap/*
# /etc/alternatives (core)
mount options=(rw bind) /etc/alternatives/ -> /tmp/snap.
mount options=(rw slave) -> /tmp/snap.
mount options=(rw slave) -> /tmp/snap.
mount options=(rw slave) -> /tmp/snap.
# the /snap directory
mount options=(rw rbind) /snap/ -> /tmp/snap.
mount options=(rw rslave) -> /tmp/snap.
# pivot_root preparation and execution
mount options=(rw bind) /tmp/snap.
mount options=(rw private) -> /tmp/snap.
# pivot_root mediation in AppArmor is not complete. See LP: #1791711
pivot_root,
# cleanup
umount /var/lib/
umount /var/lib/
umount /var/lib/
umount /var/lib/
mount options=(rw rslave) -> /var/lib/
# set up user mount namespace
mount options=(rslave) -> /,
# Allow reading the os-release file (possibly a symlink to /usr/lib).
/{etc/
# set up snap-specific private /tmp dir
capability chown,
/tmp/ w,
/tmp/snap.*/ w,
/tmp/
mount options=(rw private) -> /tmp/,
mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/,
mount fstype=devpts options=(rw) devpts -> /dev/pts/,
mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting
mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD
# Workaround for LP: #1584456 on older kernels that mistakenly think
# /dev/pts/ptmx needs a trailing '/'
mount options=(rw bind) /dev/pts/ptmx/ -> /dev/ptmx/,
mount options=(rw bind) /dev/pts/ptmx/ -> /dev/pts/ptmx/,
# for running snaps on classic
/snap/ r,
/snap/** r,
/snap/ r,
/snap/** r,
# NOTE: at this stage the /snap directory is stable as we have called
# pivot_root already.
# nvidia handling, glob needs /usr/** and the launcher must be
# able to bind mount the nvidia dir
/sys/
/sys/
/sys/
/sys/
/dev/
/dev/nvidiactl r,
/dev/nvidia-uvm r,
/usr/** r,
mount options=(rw bind) /usr/lib{
mount options=(rw bind) /usr/lib{
/tmp/
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.
mount options=(remount ro bind) -> /tmp/snap.
# Vulkan support
/tmp/
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.
mount options=(remount ro bind) -> /tmp/snap.
# GLVND EGL vendor
/tmp/
mount fstype=tmpfs options=(rw nodev noexec) none -> /tmp/snap.
mount options=(remount ro bind) -> /tmp/snap.
# create gl dirs as needed
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/
# for chroot on steroids, we use pivot_root as a better chroot that makes
# apparmor rules behave the same on classic and outside of classic.
# for creating the user data directories: ~/snap, ~/snap/<name> and
# ~/snap/
/ r,
@{HOMEDIRS}/ r,
# These should both have 'owner' match but due to LP: #1466234, we can't
# yet
@{HOME}/ r,
@{HOME}
# for creating the user shared memory directories
/{dev,
# These should both have 'owner' match but due to LP: #1466234, we can't yet
/{dev,
# for creating the user XDG_RUNTIME_DIR: /run/user, /run/user/UID and
# /run/user/
/run/
# Workaround https:/
# stacked filesystems generally.
# encrypted ~/.Private and old-style encrypted $HOME
@{HOME}
@{HOME}
# new-style encrypted $HOME
@{HOMEDIRS}
@{HOMEDIRS}
# Allow snap-confine to move to the void
/var/
# Allow snap-confine to read snap contexts
/var/
# Allow snap-confine to unmount stale mount namespaces.
umount /run/snapd/
# Required to correctly unmount bound mount namespace.
# See LP: #1735459 for details.
umount /,
# Support for the quirk system
/var/ r,
/var/lib/ r,
/var/lib/** rw,
/tmp/ r,
/tmp/
mount options=(move) /var/lib/snapd/ -> /tmp/snapd.
mount fstype=tmpfs options=(rw nodev nosuid) none -> /var/lib/,
mount options=(ro rbind) /snap/{
umount /var/lib/snapd/,
mount options=(move) /tmp/snapd.
# On classic systems with a setuid root snap-confine when run by non-root
# user, the mimic_dir is created with the gid of the calling user (ie,
# not '0') so when setting the permissions (chmod) of the mimicked
# directory to that of the reference directory, a CAP_FSETID is triggered.
# snap-confine sets the directory up correctly, so simply silence the
# denial since we don't want to grant the capability as a whole to
# snap-confine.
deny capability fsetid,
# support for the LXD quirk
mount options=(rw rbind nodev nosuid noexec) /var/lib/
/var/lib/lxd/ w,
/var/
# support for locking
/run/
/run/
# support for the mount namespace sharing
capability sys_ptrace,
# allow snap-confine to read /proc/1/ns/mnt
ptrace read peer=unconfined,
# https:/
ptrace trace peer=unconfined,
mount options=(rw rbind) /run/snapd/ns/ -> /run/snapd/ns/,
mount options=(private) -> /run/snapd/ns/,
/ rw,
/run/ rw,
/run/snapd/ rw,
/run/snapd/ns/ rw,
/run/
/run/
ptrace (read, readby, tracedby) peer=/snap/
@{PROC}
capability sys_chroot,
capability sys_admin,
signal (send, receive) set=(abrt) peer=/snap/
signal (send) set=(int) peer=/snap/
signal (send, receive) set=(int, alrm, exists) peer=/snap/
signal (receive) set=(exists) peer=/snap/
# workaround for linux 4.13/upstream, see
# https:/
ptrace (trace, tracedby) peer=/snap/
# For aa_change_hat() to go into ^mount-
@{PROC}
^mount-
# Hat entered via aa_change_hat() (see the comment preceding this hat in
# the parent profile). It confines the helper that captures the freshly
# built mount namespace and bind mounts it so later invocations can reuse it.
# NOTE(review): the hat name and several rule lines below are truncated in
# this pasted copy of the profile; confirm against the shipped profile
# before reasoning about what is or is not permitted here.
# We run privileged, so be fanatical about what we include and don't use
# any abstractions
# libc, you are funny
# normal libs in order
# NOTE(review): the library/binary rules that originally followed the three
# comments above appear not to have survived in this copy.
/dev/null rw,
/dev/full rw,
/dev/zero rw,
/dev/random r,
# Both capabilities are granted without further restriction inside the hat:
# sys_ptrace is what the parent profile uses to read /proc/1/ns/mnt, and
# sys_admin is needed for the bind mount below — TODO confirm nothing else
# in this hat relies on them.
capability sys_ptrace,
capability sys_admin,
# This allows us to read and bind mount the namespace file
/ r,
@{PROC}/ r,
@{PROC}/*/ r,
/run/ r,
/run/snapd/ r,
# NOTE: the source name is / even though we map /proc/123/ns/mnt
# NOTE(review): the destination is truncated here; the parent profile's
# /run/snapd/ns/ rules suggest the target lives under /run/snapd/ns/ — confirm.
mount options=(rw bind) / -> /run/snapd/
# This is the SIGALRM that we send and receive if a timeout expires
signal (send, receive) set=(alrm) peer=/snap/
# These two rules are identical apart from the peer, because we don't know
# whether the parent process is still alive and hence has the appropriate
# label, or is already dead and hence has no label.
signal (send) set=(exists) peer=/snap/
signal (send) set=(exists) peer=unconfined,
# This is so that we can abort
signal (send, receive) set=(abrt) peer=/snap/
# This is the signal we get if snap-confine dies (we subscribe to it with prctl)
signal (receive) set=(int) peer=/snap/
# This allows snap-confine to be killed from the outside.
# NOTE(review): unlike the rules above, this one carries no set=(...)
# restriction, so any signal from an unconfined peer is accepted, not just
# the ones enumerated for the labelled peers.
signal (receive) peer=unconfined,
# This allows snap-confine to wait for us
ptrace (read, trace, tracedby) peer=/snap/
}
# Allow snap-confine to be killed
signal (receive) peer=unconfined,
# Allow switching to snap-update-ns with a per-snap profile.
change_profile -> snap-update-ns.*,
# Allow executing snap-update-ns when...
# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the distribution package. This is also the location used when using
# the core/base snap on all-snap systems. The variants here represent
# various locations of libexecdir across distributions.
/usr/
# ...snap-confine is not, conceptually, re-executing and uses
# snap-update-ns from the distribution package but we are already inside
# the constructed mount namespace so we must traverse "hostfs". The
# variants here represent various locations of libexecdir across
# distributions.
/var/
# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the core snap. Note that the location of the core snap varies from
# distribution to distribution. The variants here represent different
# locations of snap mount directory across distributions.
/{,
# ...snap-confine is, conceptually, re-executing and uses snap-update-ns
# from the core snap but we are already inside the constructed mount
# namespace. Here the apparmor kernel module re-constructs the path to
# snap-update-ns using the "hostfs" mount entry rather than the more
# "natural" /snap mount entry but we have no control over that. This is
# reported as (LP: #1716339). The variants here represent different
# locations of snap mount directory across distributions.
/var/
}
Changed in snapd: | |
status: | New → Triaged |
assignee: | nobody → Zygmunt Krynicki (zyga) |
importance: | Undecided → Medium |
Changed in snapd: | |
assignee: | Zygmunt Krynicki (zyga) → nobody |