AppArmorPermanentSlot policy not added on Ubuntu Classic

Bug #1804869 reported by Alan Griffiths
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
snapd
Medium
Unassigned

Bug Description

I'm working on the Mir-Kiosk snap. It has Mir running as a "daemon: simple". Mir wants an XDG_RUNTIME_DIR directory for its sockets.

Snapd does set the $XDG_RUNTIME_DIR environment variable for it (/run/user/0/snap.mir-kiosk), but I'm not able to create that directory as /run/user/0 has not been created by snapd.

We had a workaround for lp:1738197, vis:

     [ ! -d "$XDG_RUNTIME_DIR" ] && mkdir $XDG_RUNTIME_DIR -m 700

And that ought to work regardless of whether lp:1738197 is fixed.

Something seems to have changed since around September (when the above was working) as this no longer works on Ubuntu Classic (18.04LTS), instead we see:

2018-11-23T17:37:07Z mir-kiosk.mir-kiosk[25245]: mkdir: cannot create directory '/run/user/0': Permission denied

Checking manually, the directory does not exist. And, if created manually, is seen but cannot be used.

description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I apologize for only just looking at this now.

The wayland interface has:

# Allow write access to create /run/user/* to create XDG_RUNTIME_DIR (until lp:1738197 is fixed)
/run/user/[0-9]*/ w,

This was committed to the wayland interface a long time ago (December 2017). I took a like at this and discovered that the above rule is not in place after installing mir-kiosk on xenial:

$ ls -l /run/user
total 0
drwx------ 7 lightdm lightdm 140 Feb 19 15:07 108
$ sudo snap install core
$ sudo snap install mir-kiosk
$ snap interfaces mir-kiosk
Slot Plug
:opengl mir-kiosk
mir-kiosk:mir -
mir-kiosk:wayland -

$ grep '/run/user/\[0-9\]\*/ w,' /var/lib/snapd/apparmor/profiles/snap.mir-kiosk.mir-kiosk
$

The policy in waylandPermanentSlotAppArmor policy was not applied. Looking in interfaces/builtin/wayland.go, this is clearly because of:

func (iface *waylandInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
        if !release.OnClassic {
                spec.AddSnippet(waylandPermanentSlotAppArmor)
        }
        return nil
}

What needs to happen is the wayland interface needs to be converted to not do this. I can't see how this would've ever worked in the past unless something created the directory ahead of time (a previous devmode snap maybe)? Looking in the logs after a stop and start I see the denial:

Feb 19 15:38:25 sec-xenial-amd64 audit[5754]: AVC apparmor="DENIED" operation="mkdir" profile="snap.mir-kiosk.mir-kiosk" name="/run/user/0/" pid=5754 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Feb 19 15:38:25 sec-xenial-amd64 mir-kiosk.mir-kiosk[5647]: mkdir: cannot create directory '/run/user/0': Permission denied

When I create the directory after a stop, I see this:
Feb 19 15:40:19 sec-xenial-amd64 audit[5794]: AVC apparmor="DENIED" operation="mknod" profile="snap.mir-kiosk.mir-kiosk" name="/run/user/0/wayland-0.lock" pid=5794 comm="miral-kiosk" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

This, again, is because the AppArmorPermanentSlot policy is not added to the profile (incidentally, there is a rule for /etc/drirc in the ConnectedPlug, but the PermanentSlot seems to need it too).

The path forward is a PR that removes the 'if !release.OnClassic {' conditionals, verify everything works and add any new policy (perhaps conditionally on if the release is classic). There is analogous precedent for this in the network-manager interface.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I should mention that I after stopping mir-kiosk, rmdir /run/user/0, adding/loading the AppArmorPermanentSlot to the profile and starting mir-kiosk, it was able to start and create the socket at /run/user/0/wayland-0.

Changed in snapd:
status: New → Triaged
importance: Undecided → Medium
summary: - Daemons do not have an /run/user/* dir created on Ubuntu Classic
+ AppArmorPermanentSlot policy not added on Ubuntu Classic
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I previously tested this on Ubuntu 16.04. I did again just now on 18.04 and after adding the AppArmorPermanentSlot to the profile and starting mir-kiosk, it was also able to start and create the socket at /run/user/0/wayland-0. I did see this non-fatal deny:

Feb 19 16:07:18 sec-bionic-amd64 kernel: [ 4233.682515] audit: type=1400 audit(1550614038.924:127): apparmor="DENIED" operation="open" profile="snap.mir-kiosk.mir-kiosk" name="/run/user/0/" pid=2962 comm="mkdir" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

(seems newer mkdir needs 'r'ead now).

Revision history for this message
Alan Griffiths (alan-griffiths) wrote :

Is the denial after adding AppArmorPermanentSlot on 18.04 something we need to address?

My reading of your comment is that mkdir goes on to create the directory successfully which is the necessary behaviour.

Revision history for this message
Gerry Boland (gerboland) wrote :
Changed in snapd:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers