Activity log for bug #2053271

Date: 2024-02-15 19:44:22
Who: Angelos Kolaitis
What changed: bug
Message: added bug

Date: 2024-02-15 19:45:47
Who: Angelos Kolaitis
What changed: description
Old value:

    ----
    $ snap version
    snap    2.61.1
    snapd   2.61.1
    series  16
    ubuntu  22.04
    kernel  6.5.0-17-generic
    ----

    The mount-observe interface allows reading the following files (from https://github.com/snapcore/snapd/blob/master/interfaces/builtin/mount_observe.go#L46):

    owner @{PROC}/@{pid}/mounts r,
    owner @{PROC}/@{pid}/mountinfo r,
    owner @{PROC}/@{pid}/mountstats r,

    However, processes might want to retrieve the info from /proc/thread-self/mountinfo instead, which resolves to /proc/$pid/task/$task/mountinfo, e.g. https://github.com/moby/sys/blob/mountinfo/v0.7.1/mountinfo/mountinfo_linux.go#L139-L174

    This results in an error message that reads like this:

    > open /proc/thread-self/mountinfo: permission denied

    And the respective apparmor denial is:

    > audit: type=1400 audit(1708025745.628:677): apparmor="DENIED" operation="open" class="file" profile="snap.k8s.k8sd" name="/proc/1751/task/3006/mountinfo" pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

    ----

    We are able to fix the issue by adding the following line to the profile:

    owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,

    We would like this line to be added to snapd

New value: identical to the old value except for the closing sentence, which now reads:

    We would like to extend the mount-observe profile to include this line if possible

Date: 2024-02-16 12:48:12
Who: Philip Meulengracht
What changed: snapd: assignee
New value: Philip Meulengracht (the-meulengracht)

Date: 2024-02-16 12:48:21
Who: Philip Meulengracht
What changed: snapd: status
Old value: New
New value: In Progress

Date: 2024-02-19 07:50:32
Who: Philip Meulengracht
What changed: snapd: status
Old value: In Progress
New value: Fix Committed
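As an added example (not code from the bug report, snapd or AppArmor), the triage helper below parses the denial line quoted in the report and checks it against the mount-observe rules, showing that none of the three existing rules match /proc/<pid>/task/<tid>/mountinfo while the proposed @{tid} rule does. The expansions of @{PROC}, @{pid} and @{tid} are a simplification assumed here, not AppArmor's real tunables.

```python
import re

# Rules quoted in the bug from snapd's mount-observe interface, plus the proposed line.
MOUNT_OBSERVE_RULES = ["owner @{PROC}/@{pid}/mounts r,",
                       "owner @{PROC}/@{pid}/mountinfo r,",
                       "owner @{PROC}/@{pid}/mountstats r,"]
PROPOSED_RULE = "owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,"
# Assumption: simplified expansions; AppArmor's real tunables enumerate digit patterns.
VARIABLES = {"@{PROC}": "/proc", "@{pid}": "[0-9]+", "@{tid}": "[0-9]+"}
RULE_RE = re.compile(r"^(owner\s+)?(\S+)\s+([a-z]+),$")
TOKEN_RE = re.compile(r"(@\{[A-Za-z]+\}|\*\*|\*)")

def compile_rule(rule):
    """Parse one file rule into (owner_only, anchored regex, permission set)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparsed rule: {rule!r}")
    owner, path, perms = m.groups()
    parts = []
    for tok in TOKEN_RE.split(path):
        if tok in VARIABLES:
            parts.append(VARIABLES[tok])
        elif tok == "**":
            parts.append(".*")  # '**' may cross directory boundaries
        elif tok == "*":
            parts.append("[^/]*")  # '*' stops at '/'
        else:
            parts.append(re.escape(tok))
    return bool(owner), re.compile("^" + "".join(parts) + "$"), set(perms)

def parse_denial(line):
    """Extract key=value and key="value" fields from an AppArmor audit line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def covering_rules(denial, rules):
    """Return the rules that would have allowed the denied access."""
    hits = []
    for rule in rules:
        owner_only, regex, perms = compile_rule(rule)
        if owner_only and denial.get("fsuid") != denial.get("ouid"):
            continue  # 'owner' rules apply only when the file belongs to the accessor
        if regex.match(denial["name"]) and set(denial["denied_mask"]) <= perms:
            hits.append(rule)
    return hits

# The denial line exactly as quoted in the bug.
DENIAL = parse_denial(
    'audit: type=1400 audit(1708025745.628:677): apparmor="DENIED" operation="open" '
    'class="file" profile="snap.k8s.k8sd" name="/proc/1751/task/3006/mountinfo" '
    'pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
```

Running `covering_rules(DENIAL, MOUNT_OBSERVE_RULES)` returns an empty list, and adding `PROPOSED_RULE` to the list makes it the single covering rule.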