snap's device cgroup is not discarded upon uninstall

Bug #1803210 reported by Ian Johnson
Affects: snapd
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

When developing snaps that plug an interface that generates udev code and thus triggers enforcement of the device cgroup for the snap, removing the snap doesn't remove the device cgroup for the snap, and thus even if the snap is rebuilt and reinstalled with interfaces that don't trigger the device cgroup, the device cgroup is still being enforced.

I think snap-discard-ns (or something else) should remove the device cgroup when the snap is uninstalled.

Changed in snapd:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Ian Johnson (anonymouse67) wrote:

I think that all that needs to happen is after all processes from the device cgroup have died/been killed is just to remove the /sys/fs/cgroup/devices/$SNAP_NAME.$SNAP_APP/ directory to remove the cgroup.

Zygmunt Krynicki (zyga) wrote:

This is related to apparmor cleanup. Once we implement cgroup vacancy notification we can address this. For now it is just acknowledged.

Changed in snapd:
assignee: nobody → Zygmunt Krynicki (zyga)
Zygmunt Krynicki (zyga) wrote:

This will happen naturally as a consequence of the agent work I'm doing now.

Ian Johnson (anonymouse67) wrote:

Zygmunt, did you ever get a chance to work on this?

Changed in snapd:
assignee: Zygmunt Krynicki (zyga) → nobody
Zygmunt Krynicki (zyga) wrote:

Long story short, the approach was discarded.

The approach used a cgroup release agent that would be notified of cgroup vacancy and would remove it from the system with a single `rmdir` system call. We ultimately failed to get it to work across all the combinations of supported systems.

Having looked at the bug description I must say we cannot use snap-discard-ns to do this, because it would affect existing processes. Similarly to how we cannot remove apparmor profiles because that would remove confinement from applications that still keep running.
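The cleanup sketched in the two comments above (Ian's "remove the directory once every process is gone" and Zygmunt's "a single rmdir, but never while something still runs") as an added example that is not part of the bug report or of snapd: a small POSIX sh helper that lists leftover snap device cgroups under a v1 devices hierarchy and removes only the vacant ones. The hierarchy root and the cgroup-name prefix are caller-supplied assumptions; the sample names in the test are constructed.

```shell
#!/bin/sh
# Inspect a v1 devices cgroup hierarchy (normally /sys/fs/cgroup/devices) for
# snap cgroups left behind after an uninstall and remove those no process
# still belongs to. Assumptions, not from the bug report: the root directory
# and the cgroup-name prefix are passed in by the caller.

# Print the member PIDs of one cgroup directory (no output means vacant).
cgroup_members() {
    # cgroup.procs lists every PID attached to this cgroup, one per line.
    [ -r "$1/cgroup.procs" ] && cat "$1/cgroup.procs"
}

# Classify every cgroup under $1 whose name starts with $2.
# Output: one line per cgroup, "<name> vacant" or "<name> busy <pidcount>".
classify_snap_cgroups() {
    root=$1; prefix=$2
    for dir in "$root"/"$prefix"*/; do
        [ -d "$dir" ] || continue          # glob did not match anything
        name=$(basename "$dir")
        count=$(cgroup_members "$dir" | grep -c '[0-9]' || true)
        if [ "$count" -eq 0 ]; then
            echo "$name vacant"
        else
            echo "$name busy $count"
        fi
    done
}

# Remove vacant cgroups matching the prefix; with DRY_RUN=1 only report.
# Busy cgroups are deliberately left alone: the kernel refuses rmdir while a
# task is attached, and moving tasks out would strip their device confinement,
# which is the same objection raised against using snap-discard-ns here.
remove_vacant_snap_cgroups() {
    root=$1; prefix=$2
    classify_snap_cgroups "$root" "$prefix" | while read -r name state _; do
        if [ "$state" = vacant ]; then
            if [ "${DRY_RUN:-0}" = 1 ]; then
                echo "would rmdir $root/$name"
            else
                # rmdir is how a cgroup is deleted; its files are virtual.
                rmdir "$root/$name" && echo "removed $root/$name"
            fi
        else
            echo "kept $root/$name ($state)"
        fi
    done
}
```

Run with `DRY_RUN=1 remove_vacant_snap_cgroups /sys/fs/cgroup/devices <prefix>` first to see what would be removed, then without it as root.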

Ian Johnson (anonymouse67) wrote:

Thanks for the additional context.
