Can't run /usr/bin/systemd-detect-virt from inside snap

Bug #1831473 reported by Alberto Donato
This bug affects 1 person
Affects  Status        Importance  Assigned to       Milestone
snapd    Fix Released  Low         Jamie Strandboge

Bug Description

Trying to run systemd-detect-virt from a strict-confined snap returns a permission error:

$ systemd-detect-virt
bash: /usr/bin/systemd-detect-virt: Permission denied

In dmesg, I see the following denials:

[55439.050729] audit: type=1400 audit(1559576047.034:131113): apparmor="DENIED" operation="exec" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" profile="snap.maas.maas" name="/usr/bin/systemd-detect-virt" pid=17029 comm="bash" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000000
[55439.050765] audit: type=1400 audit(1559576047.034:131114): apparmor="DENIED" operation="open" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" profile="snap.maas.maas" name="/usr/bin/systemd-detect-virt" pid=17029 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000000

Tags: maas
Alberto Donato (ack)
description: updated
Changed in snapd:
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is merged and will be in snapd 2.40.

Changed in snapd:
status: In Progress → Fix Committed
Revision history for this message
Alberto Donato (ack) wrote :

I'm using a daemon-user-enabled build of snapd based on 2.40:

ubuntu@maas:~$ snap version
snap 2.40+git227.g5ce5ff1f0
snapd 2.40+git227.g5ce5ff1f0
series 16
ubuntu 18.04
kernel 4.15.0-54-generic

When running in a VM, systemd-detect-virt fails to run:

root@maas:/home/ubuntu# /usr/bin/systemd-detect-virt
Failed to check for virtualization: Permission denied

The denial is the following:

Jul 22 12:23:51 maas audit[11751]: AVC apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/proc/1/sched" pid=11751 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 22 12:23:51 maas kernel: audit: type=1400 audit(1563798231.525:895): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/proc/1/sched" pid=11751 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

From within a snap run in the same profile I see:

root@maas:/home/ubuntu# ls -la /proc/1/sched
-rw-r--r-- 1 root root 0 Jul 22 10:11 /proc/1/sched
root@maas:/home/ubuntu# cat /proc/1/sched
cat: /proc/1/sched: Permission denied

Changed in snapd:
status: Fix Committed → New
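The denials quoted in the description (dmesg form, with a `namespace=` field because the snap ran inside an LXD container) and in the previous comment (journald `AVC` form plus the duplicated kernel line) share the same `key="value"` layout. The following Python script is an added example, not code from this report or from snapd: it parses such lines into dicts and groups them by confinement profile and path, uniting the denied access masks, which is the information needed to see which profile lacks what. The sample log text is a constructed string built from the lines quoted in this report.

```python
import re
from collections import defaultdict

# Constructed sample: the four denial lines quoted in this bug report,
# in the two formats they appear in (dmesg and journald "AVC").
SAMPLE_LOG = """\
[55439.050729] audit: type=1400 audit(1559576047.034:131113): apparmor="DENIED" operation="exec" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" profile="snap.maas.maas" name="/usr/bin/systemd-detect-virt" pid=17029 comm="bash" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000000
[55439.050765] audit: type=1400 audit(1559576047.034:131114): apparmor="DENIED" operation="open" namespace="root//lxd-maas_<var-snap-lxd-common-lxd>" profile="snap.maas.maas" name="/usr/bin/systemd-detect-virt" pid=17029 comm="bash" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000000
Jul 22 12:23:51 maas audit[11751]: AVC apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/proc/1/sched" pid=11751 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 22 12:23:51 maas kernel: audit: type=1400 audit(1563798231.525:895): apparmor="DENIED" operation="open" profile="snap.maas.supervisor" name="/proc/1/sched" pid=11751 comm="systemd-detect-" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Matches key="quoted value" or key=bare_value. Quoted values may contain
# '/', '<', '>' and '=' (e.g. the LXD namespace), so they are taken whole.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of one AppArmor DENIED line, or None
    if the line is not a denial (other audit records, unrelated text)."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted or bare
    return fields


def summarize(log_text):
    """Group denials by (profile, path) and union their denied masks.

    Two lines for the same event (journald emits both an AVC line and the
    kernel audit line) collapse into one entry because the masks are
    collected in a set. Returns {(profile, path): "sorted mask letters"}.
    """
    masks = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        key = (fields.get("profile"), fields.get("name"))
        masks[key].update(fields.get("denied_mask", ""))
    return {key: "".join(sorted(m)) for key, m in masks.items()}


def exec_denials(log_text):
    """Paths whose execution was denied: these explain a bare
    'Permission denied' from the shell before the program even starts."""
    return sorted(
        {f["name"] for f in map(parse_denial, log_text.splitlines())
         if f is not None and f.get("operation") == "exec"}
    )


if __name__ == "__main__":
    for (profile, path), mask in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile:25} {path:35} denied={mask}")
    print("exec denied:", exec_denials(SAMPLE_LOG))
```

Run against a live system with `journalctl -k | python3 parse_denials.py` after adapting `SAMPLE_LOG` to read stdin; the grouped output (here `snap.maas.maas /usr/bin/systemd-detect-virt denied=rx` and `snap.maas.supervisor /proc/1/sched denied=r`) is what to compare against the snap's connected interfaces before deciding whether an existing interface should grant the access.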
Revision history for this message
Alberto Donato (ack) wrote :

For comparison, it does work fine in a container:

root@maas:/root# /usr/bin/systemd-detect-virt
lxc

Revision history for this message
Alberto Donato (ack) wrote :

The snap does have the hardware-observe interface connected.
I'm not sure if missing /proc/1/sched access is what's making s-d-v fail in the VM, but in a container I don't see any denial related to that, so it seems s-d-v is not trying to access it.

Revision history for this message
Zygmunt Krynicki (zyga) wrote :

This is caused by the sandbox that snapd uses to run applications. I think it could be solved with either introduction of a new interface or with the extension of one of the existing interfaces, perhaps system-observe, to supply enough permissions to make systemd-detect-virt operational.

Changed in snapd:
status: New → Triaged
importance: Undecided → Low
Changed in snapd:
status: Triaged → In Progress
Revision history for this message
Zygmunt Krynicki (zyga) wrote :

This was released in 2.40 based on my analysis.

Changed in snapd:
status: In Progress → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Zygmunt, it was fixed for containers, but not VMs. Moving to In Progress and adding 2.42.3 milestone.

Changed in snapd:
status: Fix Released → In Progress
milestone: none → 2.42.3
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in snapd:
status: In Progress → Fix Committed
milestone: 2.42.3 → 2.43
Michael Vogt (mvo)
Changed in snapd:
status: Fix Committed → Fix Released