Denial for file_lock on /run/netns while using network-control interface
Bug #2047798 reported by Berkay Tekin Öz
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd | Fix Committed | Undecided | Samuele Pedroni | | |
Bug Description
The K8s team is implementing Cilium support under strict confinement. Cilium utilizes network namespaces and is faced with an AppArmor denial even when using the network-control interface. Manually adding the "k" mask for "/run/netns" by editing the profile generated by snapd gets rid of the denial, and is used as a workaround currently.
= AppArmor =
Time: 2023-11-29T13:1
Log: apparmor="DENIED" operation=
File: /run/netns/ (write)
Versions
snap 2.60.4+23.10.1
snapd 2.60.4+23.10.1
series 16
ubuntu 23.10
kernel 6.5.0-14-generic
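To confirm which permission letters a profile is missing before hand-editing it, the denials can be grouped by profile and path. The following is an added example, not code from the bug report or from snapd; the audit lines are constructed samples in the standard AppArmor log format, and the profile name, pid and comm values are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the bug report).
# "snap.example.daemon" and "example-agent" are placeholder names.
SAMPLE_LOG = """\
audit: type=1400 audit(1701263600.000:101): apparmor="DENIED" operation="file_lock" profile="snap.example.daemon" name="/run/netns/" pid=4242 comm="example-agent" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
audit: type=1400 audit(1701263601.000:102): apparmor="DENIED" operation="open" profile="snap.example.daemon" name="/run/netns/" pid=4242 comm="example-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1701263602.000:103): apparmor="ALLOWED" operation="open" profile="snap.example.daemon" name="/etc/hosts" pid=4242 comm="example-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MASK_ORDER = "rwaxmlk"               # print order for rule permissions
LOG_TO_RULE = {"c": "w", "d": "w"}   # create/delete in logs are covered by "w"

def parse_line(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}

def denied_file_masks(log_text):
    """Map (profile, path) -> set of rule permission letters that were denied."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue  # skip ALLOWED (complain mode) and non-file events
        mask = f.get("denied_mask", "")
        denied[(f.get("profile", "?"), f["name"])].update(LOG_TO_RULE.get(c, c) for c in mask)
    return dict(denied)

def candidate_rules(denied):
    """Render one candidate file rule per denied path, for human review."""
    rules = []
    for (profile, path), mask in sorted(denied.items()):
        perms = "".join(c for c in MASK_ORDER if c in mask)
        rules.append(f"{profile}: {path} {perms},")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(denied_file_masks(SAMPLE_LOG)):
        print(rule)
```

The output is a list of candidates to review against the interface's intent, not rules to apply blindly; here it isolates the lock permission on the directory itself as the missing piece.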
Changed in snapd:
assignee: nobody → Samuele Pedroni (pedronis)
Is it really trying to lock the entire dir? Not just a file inside?