/run/lock/snap.@{SNAP_INSTANCE_NAME}/ AppArmor rule is not set up

Bug #1881590 reported by Dmitrii Shcherbakov on 2020-06-01
Affects: snapd | Importance: Medium | Assigned to: Zygmunt Krynicki

Bug Description

snapd revision: 05617fa2c59bf3dff9d25387fa671b7d01082b0a

I am trying to apply strict confinement to an application that uses lock files under /var/lock but the profile does not include a per-snap directory under /var/lock:

grep /run/snap /var/lib/snapd/apparmor/profiles/snap.microstack.libvirtd
  /run/snapd-snap.socket rw,
  /run/snap.@{SNAP_INSTANCE_NAME}/ rw,
  /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,

mount | grep /run/lock
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)

Bind-mounting via layouts is not an option for "/run/lock" since it is blocked by the respective code that makes sure that layouts do not include the "/run" prefix.
https://github.com/snapcore/snapd/blob/05617fa2c59bf3dff9d25387fa671b7d01082b0a/snap/validate.go#L720-L723

Use-case:

Libvirt uses lock files in order to work with VM consoles:

virsh console instance-00000004
Connected to domain instance-00000004
Escape character is ^]
error: Couldn't create lock file for device '/dev/pts/0' in path '/var/lock/LCK.._pts_0': Permission denied

https://github.com/libvirt/libvirt/blob/e8aa9f0dfcae0ced905e08dd3b1a9047c808cca7/src/conf/virchrdev.c#L91
https://github.com/libvirt/libvirt/blob/e9d51a221c1871da246ae8dbc5b5f71191f48be2/m4/virt-chrdev-lock-files.m4#L32-L33 (the prefix for lock files defaults to /var/lock)
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s09.html (FHS reference for /var/lock)

Summary changed:
- /run/lock/snap.@{SNAP_INSTANCE_NAME}/ is not set up
+ /run/lock/snap.@{SNAP_INSTANCE_NAME}/ AppArmor rule is not set up
Zygmunt Krynicki (zyga) wrote :

I had a look at the apparmor template and confirmed that no such rules are present. As long as the snap prefix is included I don't see a reason why we would not grant this access.

Changed in snapd:
status: New → Confirmed
importance: Undecided → Medium
Zygmunt Krynicki (zyga) wrote :

I've sent a pull request for this https://github.com/snapcore/snapd/pull/8909

Changed in snapd:
assignee: nobody → Zygmunt Krynicki (zyga)
status: Confirmed → In Progress
Zygmunt Krynicki (zyga) on 2020-07-02
Changed in snapd:
milestone: none → 2.46
status: In Progress → Fix Committed