with overlayfs on /tmp: cannot open base directory /tmp/snap.hello-world: Permission denied

Bug #1875232 reported by Marcel Partap
Affects   Status       Importance   Assigned to         Milestone
Snappy    Incomplete   Undecided    Unassigned
snapd     Triaged      Undecided    Zygmunt Krynicki
Debian    New          Undecided    Unassigned

Bug Description

`snap run hello-world` (and other snaps) does not work on our Debian 10 live distro where `/tmp` is an overlayfs mount with upperdir on another tmpfs (mounted with noatime,defaults, i.e. not noexec or similar). The failure is "cannot open base directory /tmp/snap.hello-world: Permission denied", which also occurs after having reinstalled hello-world in devmode (i.e. no confinement). The syslog shows a message:

audit: type=1400 audit(1587924251.338:388): apparmor="DENIED" operation="open" profile="/snap/core/9066/usr/lib/snapd/snap-confine" name="/rw/snap.hello-world/" pid=42726 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Without the overlay on /tmp everything does work normally.

Marcel Partap (empee584)
description: updated
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

It is not possible to confine and mitigate overlayfs at the moment.

What are you trying to do? Why is your /tmp an overlayfs, instead of a tmpfs? It should be a tmpfs mount, and should be fresh and clean on each boot.

Changed in snappy:
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Actually, these days AppArmor and overlayfs can work together, barring a couple of bugs. snapd will try to detect certain overlayfs scenarios with live CDs and add policy:

* https://github.com/snapcore/snapd/blob/master/osutil/overlay_linux.go#L44
* https://github.com/snapcore/snapd/blob/master/interfaces/apparmor/backend.go#L124

It sounds like someone from the snapd team (or someone willing to submit a PR to snapd) needs to look at the Debian live-cd environment and adjust overlay_linux.go accordingly.

Marcel Partap (empee584) wrote :

Just to note that this is probably not a phenomenon that will appear on Debian live builds in general, as we use our own tmpfs overlay systemd mount/service for that.
Yeah, it seems strange, and off the top of my head I wouldn't have been able to tell why I put it in there two years ago. But the log explains that while trying to make only parts of /var persistent, live-config broke if /tmp was not also on an overlayfs. I'll have to test the specifics again on that, but that might take me a couple of weeks (medium priority).
Thank you for the pointers! I'll take a closer look at that code.

Zygmunt Krynicki (zyga) wrote :

I had a quick peek at the Debian 10 + GNOME live ISO:

I don't have copy-paste but

rw,lowerdir=/run/live/rootfs/filesystem.squashfs,upperdir=/run/live/overlay/rw,....

I will see if I can add the right incantations to snapd.

Changed in snapd:
assignee: nobody → Zygmunt Krynicki (zyga)
Changed in snapd:
status: New → Triaged
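The denial quoted in the report names "/rw/snap.hello-world/" although snap-confine opened /tmp/snap.hello-world: AppArmor mediates the path of the overlay's upperdir, not the path of the mount point, which is why snapd has to learn the upperdir from /proc/self/mountinfo before it can add matching policy. The script below is an added example for reproducing that mapping by hand; it is not snapd's code (snapd's own detection lives in the overlay_linux.go file linked above) and not part of this bug report. The mountinfo lines are constructed: the root overlay copies the lowerdir/upperdir Zygmunt quoted from the Debian live ISO, while the /tmp overlay's upperdir=/rw is an assumption chosen to match the denied name, since the report does not give the reporter's actual mount options.

```shell
#!/bin/sh
# Added example (not snapd's code): parse /proc/self/mountinfo for overlay
# mounts and map between a mount point path and the upperdir path that
# AppArmor reports in a DENIED line.
#
# Functions read the file named by $MOUNTINFO (default /proc/self/mountinfo),
# so the constructed sample below can stand in for a live system.

# Constructed sample, not captured from the reporter's machine.
# Line 1 mirrors the live-ISO options quoted in the report; line 2's
# upperdir=/rw is assumed from the denied name "/rw/snap.hello-world/".
SAMPLE_MOUNTINFO='22 1 0:20 / / rw,relatime shared:1 - overlay overlay rw,lowerdir=/run/live/rootfs/filesystem.squashfs,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work
61 22 0:45 / /tmp rw,noatime shared:30 - overlay overlay rw,lowerdir=/tmp-lower,upperdir=/rw,workdir=/rw-work
70 22 0:46 / /dev/shm rw,nosuid,nodev shared:31 - tmpfs tmpfs rw'

# overlay_upperdir MOUNTPOINT: print the upperdir of the overlay mounted at
# MOUNTPOINT; exit 1 if nothing overlay-backed is mounted there.
# mountinfo fields: id parent maj:min root mountpoint mntopts [optional...] - fstype source superopts
# (overlay's lowerdir/upperdir/workdir live in superopts, after the "-").
overlay_upperdir() {
    awk -v mp="$1" '
        { for (i = 7; i <= NF; i++) if ($i == "-") break
          if ($5 != mp || $(i+1) != "overlay") next
          n = split($(i+3), opts, ",")
          for (j = 1; j <= n; j++)
              if (index(opts[j], "upperdir=") == 1) { print substr(opts[j], 10); found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "${MOUNTINFO:-/proc/self/mountinfo}"
}

# overlay_for_denied_path PATH: given the name= from an AppArmor denial, find
# the overlay whose upperdir contains it and print "MOUNTPOINT UPPERDIR".
overlay_for_denied_path() {
    awk -v p="$1" '
        { for (i = 7; i <= NF; i++) if ($i == "-") break
          if ($(i+1) != "overlay") next
          n = split($(i+3), opts, ",")
          for (j = 1; j <= n; j++) {
              if (index(opts[j], "upperdir=") != 1) continue
              up = substr(opts[j], 10)
              if (index(p, up "/") == 1) { print $5, up; found = 1; exit }
          }
        }
        END { exit found ? 0 : 1 }
    ' "${MOUNTINFO:-/proc/self/mountinfo}"
}

# apparmor_visible_path MOUNTPOINT PATH: the upperdir-based name AppArmor
# logs for PATH beneath an overlay mounted at MOUNTPOINT, i.e. what a
# profile rule must match for a write to succeed there.
apparmor_visible_path() {
    mp=$1; p=$2
    up=$(overlay_upperdir "$mp") || return 1
    if [ "$mp" = / ]; then
        rel=$p
    else
        case $p in "$mp"/*) rel=${p#"$mp"} ;; *) return 1 ;; esac
    fi
    printf '%s%s\n' "$up" "$rel"
}

# Demo against the constructed sample; point MOUNTINFO at a real file to use it live.
if [ -z "${MOUNTINFO:-}" ]; then
    MOUNTINFO=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTINFO" > "$MOUNTINFO"
    export MOUNTINFO
fi
overlay_upperdir /tmp                              # /rw
overlay_for_denied_path /rw/snap.hello-world/      # /tmp /rw
apparmor_visible_path /tmp /tmp/snap.hello-world   # /rw/snap.hello-world
```

Run it on the affected machine with `MOUNTINFO=/proc/self/mountinfo` and feed the name= from the syslog line to overlay_for_denied_path: if it prints a mount point, the denial is the overlay path-translation problem described in this bug rather than a missing snap permission, and the printed upperdir is the prefix a profile rule would have to cover.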