netlink-audit interface should be blocked from performing connection on trusty
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Fix Committed | High | Alberto Mardegan | |
Bug Description
The netlink-audit interface includes the audit_read capability, which is not known to apparmor_parser from trusty. See this snap:
```yaml
name: test-snapd-
version: 1
apps:
  test-:
    command: bin.sh
    plugs:
      - netlink-audit
```
Upon installing the snap and attempting to connect the netlink-audit plug, the connection fails:
```text
ubuntu@
error: cannot perform the following tasks:
- Connect test-snapd-
apparmor_parser output:
AppArmor parser error for /var/lib/
)
```
However, the interface connection is left in the state, so any future connection attempt for this snap also fails. See:
```text
ubuntu@
error: cannot perform the following tasks:
- Connect test-snapd-
apparmor_parser output:
AppArmor parser error for /var/lib/
)
ubuntu@
error: cannot perform the following tasks:
- Connect test-snapd-
apparmor_parser output:
AppArmor parser error for /var/lib/
)
```
The fix here is probably to do the same thing we did for other recent interfaces that require certain apparmor features: query apparmor for these features in the BeforeConnectPlug phase and, if they are not available, fail the BeforeConnectPlug function instead of failing in AppArmorConnect.
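As an added example of the approach proposed above (not snapd's code and not the fix in the linked PR): feed apparmor_parser a one-rule profile to learn whether it accepts `capability audit_read,`, and refuse the connection in the BeforeConnectPlug gate before anything is written to state. The `snap-probe` profile name, the probe function and the error text are assumptions; `-Q` and `-K` are apparmor_parser's skip-kernel-load and skip-cache flags.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// The rule the netlink-audit interface emits; trusty's apparmor_parser
// rejects it because it does not know the audit_read capability.
const auditReadRule = "capability audit_read,"

// probeParser feeds a one-rule profile (constructed here) to apparmor_parser
// on stdin; -Q skips the kernel load and -K the cache, so only acceptance is
// tested. Non-zero exit means "rejected"; failing to run the parser is an error.
func probeParser(rule string) (bool, error) {
	cmd := exec.Command("apparmor_parser", "-Q", "-K")
	cmd.Stdin = strings.NewReader("profile snap-probe {\n  " + rule + "\n}\n")
	out, err := cmd.CombinedOutput()
	var exitErr *exec.ExitError
	switch {
	case err == nil:
		return true, nil
	case errors.As(err, &exitErr):
		return false, nil
	default:
		return false, fmt.Errorf("cannot run apparmor_parser: %v: %s", err, out)
	}
}

// beforeConnectPlug is the gate: it runs before the connection is recorded in
// state, so an unsupported parser fails the task cleanly instead of leaving a
// connection behind that can never compile. The probe is injected for testing.
func beforeConnectPlug(supports func(string) (bool, error)) error {
	ok, err := supports(auditReadRule)
	if err != nil {
		return err
	}
	if !ok {
		return errors.New("cannot connect netlink-audit: apparmor_parser does not support " + auditReadRule)
	}
	return nil
}

func main() {
	err := beforeConnectPlug(probeParser)
	fmt.Println("connection allowed:", err == nil, "detail:", err)
}
```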
| Changed in snapd | |
|---|---|
| assignee | nobody → Alberto Mardegan (mardy) |
| status | New → Confirmed |
| importance | Undecided → High |

| Changed in snapd | |
|---|---|
| status | In Progress → Fix Committed |

Proposed fix: https://github.com/snapcore/snapd/pull/10938