Apparmor complains in strict confinement with base: core18
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Fix Released | Undecided | Zygmunt Krynicki | |
Bug Description
Hi,
This came up while trying to move microk8s to strict confinement. The source of the snap is on this branch: https:/
The snapcraft and snap versions are as follows:
snapcraft, version 3.0+git13.g04f18f5
snap 2.35.5
snapd 2.35.5
series 16
ubuntu 18.04
kernel 4.15.0-34-generic
The snap builds with snapcraft; however, after installation apparmor logs the following when calling "microk8s.kubectl get all":
```
Nov 08 17:10:20 jackal-VGN-FZ11M audit[21938]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile=
Nov 08 17:10:20 jackal-VGN-FZ11M kernel: audit: type=1400 audit(154168982
```
The `/var/lib/
```
none /var/lib/cni none x-snapd.
/snap/microk8s/
/snap/microk8s/
```
The `/var/lib/
```
#include <tunables/global>
profile snap-update-
# The next four rules mirror those above. We want to be able to read
# and map snap-update-ns into memory but it may come from a variety of places.
/usr/
/var/
/{,var/
/var/
# Allow reading the dynamic linker cache.
/etc/ld.so.cache r,
# Allow reading, mapping and executing the dynamic linker.
/{,usr/
# Allow reading and mapping various parts of the standard library and
# dynamically loaded nss modules and what not.
/{,usr/
/{,usr/
# Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
@{PROC}
# Allow reading file descriptor paths
@{PROC}
# Allow reading the os-release file (possibly a symlink to /usr/lib).
/{etc/
# Allow creating/grabbing global and per-snap lock files.
/run/
/run/
# Allow reading stored mount namespaces,
/run/snapd/ns/ r,
/run/
# Allow reading per-snap desired mount profiles. Those are written by
# snapd and represent the desired layout and content connections.
/var/
/var/
# Allow reading and writing actual per-snap mount profiles. Note that
# the wildcard in the rule to allow an atomic write + rename strategy.
# Those files are written by snap-update-ns and represent the actual
# mount profile at a given moment.
/run/
# NOTE: at this stage the /snap directory is stable as we have called
# pivot_root already.
# Needed to perform mount/unmounts.
capability sys_admin,
# Needed for mimic construction.
capability chown,
# Needed for dropping to calling user when processing per-user mounts
capability setuid,
capability setgid,
# Allow snap-update-ns to override file ownership and permission checks.
# This is required because writable mimics now preserve the permissions
# of the original and hence we may be asked to create a directory when the
# parent is a tmpfs without DAC write access.
capability dac_override,
# Allow freezing and thawing the per-snap cgroup freezers
/sys/
# Allow the content interface to bind fonts from the host filesystem
mount options=(ro bind) /var/lib/
umount /snap/microk8s/
# set up user mount namespace
mount options=(rslave) -> /,
# Allow traversing from the root directory and several well-known places.
# Specific directory permissions are added by snippets below.
/ r,
/etc/ r,
/snap/ r,
/tmp/ r,
/usr/ r,
/var/ r,
/var/snap/ r,
# Allow reading timezone data.
/usr/
# Don't allow anyone to touch /snap/bin
audit deny mount /snap/bin/** -> /**,
audit deny mount /** -> /snap/bin/**,
# Don't allow bind mounts to /media which has special
# sharing and propagates mount events outside of the snap namespace.
audit deny mount -> /media,
# Layout /var/lib/cni: symlink $SNAP_COMMON/
/var/lib/cni rw,
# Writable mimic /var/lib
mount options=(rbind, rw) /var/lib/ -> /tmp/.snap/
mount fstype=tmpfs options=(rw) tmpfs -> /var/lib/,
mount options=(rbind, rw) /tmp/.snap/
mount options=(bind, rw) /tmp/.snap/
umount /tmp/.snap/
umount /var/lib{,/**},
/var/lib/** rw,
/var/lib/ rw,
/tmp/
/tmp/
/tmp/.snap/var/ rw,
/tmp/.snap/ rw,
# Layout /var/log/
mount options=(rbind, rw) /snap/microk8s/
umount /var/log/
# Writable mimic /var/log
mount options=(rbind, rw) /var/log/ -> /tmp/.snap/
mount fstype=tmpfs options=(rw) tmpfs -> /var/log/,
mount options=(rbind, rw) /tmp/.snap/
mount options=(bind, rw) /tmp/.snap/
umount /tmp/.snap/
umount /var/log{,/**},
/var/log/** rw,
/var/log/ rw,
/tmp/
/tmp/
/tmp/.snap/var/ rw,
/tmp/.snap/ rw,
# Writable mimic /snap/microk8s/
mount options=(rbind, rw) /snap/microk8s/
mount fstype=tmpfs options=(rw) tmpfs -> /snap/microk8s/
mount options=(rbind, rw) /tmp/.snap/
mount options=(bind, rw) /tmp/.snap/
umount /tmp/.snap/
umount /snap/microk8s/
/snap/
/snap/
/snap/
/snap/
/snap/microk8s/ rw,
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/.snap/snap/ rw,
/tmp/.snap/ rw,
# Layout /var/log/pods: bind $SNAP/var/log/pods
mount options=(rbind, rw) /snap/microk8s/
umount /var/log/pods/,
# Writable mimic /var/log
mount options=(rbind, rw) /var/log/ -> /tmp/.snap/
mount fstype=tmpfs options=(rw) tmpfs -> /var/log/,
mount options=(rbind, rw) /tmp/.snap/
mount options=(bind, rw) /tmp/.snap/
umount /tmp/.snap/
umount /var/log{,/**},
/var/log/** rw,
/var/log/ rw,
/tmp/
/tmp/
/tmp/.snap/var/ rw,
/tmp/.snap/ rw,
# Writable mimic /snap/microk8s/
mount options=(rbind, rw) /snap/microk8s/
mount fstype=tmpfs options=(rw) tmpfs -> /snap/microk8s/
mount options=(rbind, rw) /tmp/.snap/
mount options=(bind, rw) /tmp/.snap/
umount /tmp/.snap/
umount /snap/microk8s/
/snap/
/snap/
/snap/
/snap/
/snap/microk8s/ rw,
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/
/tmp/.snap/snap/ rw,
/tmp/.snap/ rw,
}
```
Thank you for your help,
Konstantinos
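As an added example (not part of the original report and not snapd's or microk8s's code), the script below parses AppArmor `DENIED` audit lines of the kind quoted in the report, in both the `audit[pid]: AVC ...` and the `kernel: audit: type=1400 ...` forms, and groups them by profile, operation and path so that mount denials from snap-update-ns can be told apart from ordinary file-access denials. The sample log lines, the profile name `snap-update-ns.example`, the paths and the pids in them are constructed for this example; the real lines in the report are truncated, so nothing here is copied from them.

```python
"""Summarise AppArmor "DENIED" audit lines (as seen in `journalctl -k` or
/var/log/audit/audit.log) so that mount denials stand out from the rest.
All sample input below is constructed for this example."""
import re

# Constructed sample input: the same mount denial reported twice (once by the
# audit subsystem, once via the kernel ring buffer), one unrelated file-open
# denial, and one non-AppArmor line that must be ignored.
SAMPLE_LOG = """\
Nov 08 17:10:20 host audit[21938]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.example" name="/var/lib/cni/" pid=21938 comm="snap-update-ns" flags="rw, rbind"
Nov 08 17:10:20 host kernel: audit: type=1400 audit(1541689820.123:456): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.example" name="/var/lib/cni/" pid=21938 comm="snap-update-ns" flags="rw, rbind"
Nov 08 17:10:21 host kernel: audit: type=1400 audit(1541689821.001:457): apparmor="DENIED" operation="open" profile="snap.example.app" name="/etc/example.conf" pid=22001 comm="app" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 08 17:10:22 host systemd[1]: Started Session 3 of user ubuntu.
"""

# Matches key="quoted value" (quoted values may contain spaces, e.g. flags)
# or key=bare_value (e.g. error=-13, pid=21938).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None when the
    line is not an AppArmor message. Only the text from `apparmor=` onwards is
    parsed, so the journald/kernel prefix variants need no special handling."""
    start = line.find('apparmor=')
    if start == -1:
        return None
    fields = {}
    for key, raw in _KV_RE.findall(line[start:]):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def summarise_denials(log_text):
    """Group DENIED events by (profile, operation, name) and count them.
    Each entry keeps the error code, the kernel's info string (for mounts,
    "failed mntpnt match" means no mount rule in the profile matched the
    requested mount point and flags) and the requested mount flags."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get('apparmor') != 'DENIED':
            continue
        key = (ev.get('profile'), ev.get('operation'), ev.get('name'))
        entry = summary.setdefault(key, {
            'count': 0,
            'error': ev.get('error'),
            'info': ev.get('info'),
            'flags': ev.get('flags'),
        })
        entry['count'] += 1
    return summary


def mount_denials(summary):
    """Only the mount/umount denials: these are what a snap layout or
    writable-mimic problem produces, and they point at the profile's mount
    rules rather than at file permissions on the target path."""
    return {k: v for k, v in summary.items() if k[1] in ('mount', 'umount')}


if __name__ == '__main__':
    s = summarise_denials(SAMPLE_LOG)
    for (profile, op, name), info in sorted(s.items(), key=lambda kv: -kv[1]['count']):
        print(f"{info['count']:3d}x {profile}: {op} {name} "
              f"error={info['error']} info={info['info']!r} flags={info['flags']!r}")
```

Feed it real output with something like `journalctl -k | python3 summarise_denials.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the duplicate counting matters because the same denial typically appears twice in journald, once from the audit socket and once from the kernel log.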
description: updated
Changed in snapd:
assignee: nobody → Zygmunt Krynicki (zyga)
Changed in snapd:
milestone: none → 2.36.2
status: Fix Committed → Fix Released
Hello.
Can you please refresh core to the candidate channel to see if the 2.36.1 release fixes it?
You can do that with:
"snap refresh core --candidate"
Please report back.