strict snap run from classic snap can't write to filesystem

Bug #1835805 reported by Ian Johnson on 2019-07-08
Affects: snapd
Importance: High
Assigned to: Unassigned

Bug Description

Haven't yet made a minimal reproducer without the docker snap, but for the time being it is reproducible with the docker snap on disco:

1. install the docker snap
2. install a classic snap (i.e. snapcraft)
3. start a new shell in the classic snap
4. create a docker container with the docker snap and get the ID
5. try exporting the rootfs of that docker container to a file

See:

```
$ snap install docker
$ snap install snapcraft --classic
$ snap run --shell snapcraft
$ echo $SNAP
/snap/snapcraft/3059
$ which docker
/snap/bin/docker
$ ID=$(docker create hello-world)
$ docker export $ID > rootfs.tgz
write /dev/stdout: permission denied
```

The following denials show up:

```
Jul 08 10:20:18 audit[40194]: AVC apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=40194 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 08 10:20:18 kernel: audit: type=1400 audit(1562599218.618:787): apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=40194 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 08 10:20:18 audit[40194]: AVC apparmor="DENIED" operation="file_inherit" profile="snap.docker.docker" name="/apparmor/.null" pid=40194 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Jul 08 10:20:18 kernel: audit: type=1400 audit(1562599218.622:788): apparmor="DENIED" operation="file_inherit" profile="snap.docker.docker" name="/apparmor/.null" pid=40194 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Jul 08 10:25:47 audit[41151]: AVC apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=41151 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 08 10:25:47 kernel: audit: type=1400 audit(1562599547.189:789): apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=41151 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
```

Doing the same steps outside of a classic snap shell works as expected:

```
$ which docker
/snap/bin/docker
$ echo $SNAP

$ ID=$(docker create hello-world)
$ docker export $ID > rootfs.tgz
$ file rootfs.tgz
rootfs.tgz: POSIX tar archive
$
```
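
As an added triage helper, not part of this bug report or of snapd: a small Python parser for AppArmor audit lines of the kind quoted above, which explains `file_inherit` denials (the kernel revalidates file descriptors a process inherited across exec when it enters a new profile, such as the redirected stdout here) and counts denials per profile. The function names and the embedded sample, copied from the lines in this report, are my own choices.

```python
import re
from collections import Counter

# Constructed sample: the AppArmor audit lines quoted in this report (two from the
# bug description, one from the go/code comment), used here as test input.
SAMPLE_LOG = """\
Jul 08 10:20:18 audit[40194]: AVC apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=40194 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 08 10:20:18 audit[40194]: AVC apparmor="DENIED" operation="file_inherit" profile="snap.docker.docker" name="/apparmor/.null" pid=40194 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[329584.830660] audit: type=1400 audit(1565382151.152:4651): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" pid=1032 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none
"""

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def explain(fields):
    """Describe a denial in triage terms. file_inherit means the kernel revalidated a
    file descriptor the process inherited across exec and the new profile denies it."""
    op, profile = fields.get("operation"), fields.get("profile")
    mask = fields.get("denied_mask")
    if op == "file_inherit":
        # Socket denials carry family/sock_type instead of a path name.
        target = fields.get("name") or f'{fields.get("family")} {fields.get("sock_type")} socket'
        return (f'{fields["comm"]} (pid {fields["pid"]}) inherited an open fd to {target} '
                f'from its parent, but profile {profile} denies {mask!r} on it')
    return f'profile {profile} denied {op} ({mask!r}) on {fields.get("name")}'


def triage(log_text):
    """Parse every DENIED line and count denials per (profile, operation) pair."""
    events = [f for f in map(parse_apparmor_line, log_text.splitlines())
              if f and f.get("apparmor") == "DENIED"]
    counts = Counter((e["profile"], e["operation"]) for e in events)
    return events, counts


if __name__ == "__main__":
    events, counts = triage(SAMPLE_LOG)
    for (profile, op), n in counts.items():
        print(f"{n:3d}  {op:<14} {profile}")
    for e in events:
        print(explain(e))
```

Feed it `journalctl -k` or `dmesg` output to see which profile rejects an inherited descriptor and on what target.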

Julian Andres Klode (juliank) wrote :

I'm seeing this when trying to use the go snap with the code snap:

```
[329584.830660] audit: type=1400 audit(1565382151.152:4651): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" pid=1032 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none
```

This happens when the go tool is run on save in visual studio code (and then nothing happens, /snap/bin/go just exits doing nothing), but it does not happen when running it inside snap --shell code.

Zygmunt Krynicki (zyga) wrote :

The bug report is very detailed and I recognise the denial. I would like to raise the risk of this bug interfering with the use of IDEs-as-snaps calling toolchains-as-snaps. I think it requires a discussion with Jamie about how we can address this.

Changed in snapd:
status: New → Triaged
importance: Undecided → High

Ian Johnson (anonymouse67) wrote :

IIUC, for the go snap with the code snap, that is the same problem as https://forum.snapcraft.io/t/snapd-2-32-breaks-live-server-installer/4597, which I don't think can be fixed anytime soon.

However this bug about classic -> strict could be from the same thing, still unclear to me.
