Noisy NetworkManager AppArmor denials

Bug #1980119 reported by Miguel Pires
This bug affects 1 person
Affects: snapd
Status: Confirmed
Importance: Low
Assigned to: Alfonso Sanchez-Beato

Bug Description

A user has reported an issue where their snap interacts with network-manager via the dbus API and, despite everything functioning correctly, the log is full of AppArmor denials like:

Jun 23 11:50:00 <redacted> audit[1060]: AVC apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=1060 comm="NetworkManager" requested_mask="read" denied_mask="read" peer="<redacted>"

I redacted the hostname and the user's snap name. This issue is very similar to this report https://bugs.launchpad.net/snappy-hwe-snaps/+bug/1797194 for which this PR https://github.com/snapcore/snapd/pull/6975 was opened.

Changed in snapd:
assignee: nobody → Alfonso Sanchez-Beato (alfonsosanchezbeato)
importance: Undecided → Low
status: New → Confirmed
Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote:

We currently have in the network-manager interface

deny ptrace (trace) peer=###PLUG_SECURITY_TAGS###,

maybe it should be

deny ptrace (trace,read) peer=###PLUG_SECURITY_TAGS###,

I've created https://github.com/snapcore/snapd/pull/12546 to test this hypothesis.
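
The following is an added example, not part of the bug report or of snapd. It models why a `deny ptrace (trace)` rule leaves the `read` denials in the log while `(trace,read)` would silence them, relying on the AppArmor behaviour that explicit `deny` rules are not logged for the permissions they list. Assumptions: the peer label `snap.example-client.app` is a made-up stand-in for an expanded `###PLUG_SECURITY_TAGS###`, the sample log lines are constructed, and peers are compared by exact match rather than with AppArmor's own pattern matching.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the denial quoted in the report;
# hostname, peer label and the last (unrelated) line are made up.
SAMPLE_LOG = """\
Jun 23 11:50:00 host audit[1060]: AVC apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=1060 comm="NetworkManager" requested_mask="read" denied_mask="read" peer="snap.example-client.app"
Jun 23 11:50:05 host audit[1060]: AVC apparmor="DENIED" operation="ptrace" profile="snap.network-manager.networkmanager" pid=1060 comm="NetworkManager" requested_mask="read" denied_mask="read" peer="snap.example-client.app"
Jun 23 11:50:07 host audit[2211]: AVC apparmor="DENIED" operation="open" profile="snap.example-client.app" name="/etc/shadow" pid=2211 comm="cat" requested_mask="r" denied_mask="r"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE = re.compile(r'\s*deny\s+ptrace\s+\(([^)]*)\)\s+peer=(\S+),\s*$')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def parse_deny_rule(rule_text, profile):
    """Parse 'deny ptrace (perm,...) peer=LABEL,' as found in `profile`."""
    m = RULE.match(rule_text)
    if m is None:
        raise ValueError("not a 'deny ptrace (...) peer=...,' rule")
    perms = {p.strip() for p in m.group(1).split(",")}
    return {"profile": profile, "perms": perms, "peer": m.group(2)}

def silenced(denial, rule):
    """True if the explicit deny rule covers every denied permission."""
    mask = set(denial.get("denied_mask", "").split())
    return (denial.get("operation") == "ptrace"
            and denial.get("profile") == rule["profile"]
            and denial.get("peer") == rule["peer"]
            and bool(mask) and mask <= rule["perms"])

def remaining_noise(log_text, rule_text, profile):
    """Count denials that would still be logged with the rule in place."""
    rule = parse_deny_rule(rule_text, profile)
    noise = Counter()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and not silenced(d, rule):
            noise[(d["profile"], d["operation"], d["denied_mask"])] += 1
    return noise
```

Denials outside the rule's operation, profile or peer stay in the count, so the same function can confirm that a widened deny rule does not hide unrelated events.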
