2024-02-15 19:45:47 | Angelos Kolaitis | description
----
$ snap version
snap 2.61.1
snapd 2.61.1
series 16
ubuntu 22.04
kernel 6.5.0-17-generic
----
The mount-observe interface allows reading the following files (from https://github.com/snapcore/snapd/blob/master/interfaces/builtin/mount_observe.go#L46):
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mountstats r,
However, processes might want to retrieve the info from /proc/thread-self/mountinfo instead, which resolves to /proc/$pid/task/$task/mountinfo, e.g. https://github.com/moby/sys/blob/mountinfo/v0.7.1/mountinfo/mountinfo_linux.go#L139-L174
This results in an error message that reads like this:
> open /proc/thread-self/mountinfo: permission denied
And the respective apparmor denial is:
> audit: type=1400 audit(1708025745.628:677): apparmor="DENIED" operation="open" class="file" profile="snap.k8s.k8sd" name="/proc/1751/task/3006/mountinfo" pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
----
We are able to fix the issue by adding the following line to the profile:
owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,
We would like this line to be added to snapd
----
(A second version of the description on this page is identical to the above except for the closing sentence, which reads:)
We would like to extend the mount-observe profile to include this line if possible
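As an added diagnostic (not part of the report and not snapd's own code), the Go program below parses AppArmor audit DENIED records like the one quoted in the report and proposes the file rule in the @{PROC}/@{pid}/task/@{tid} variable form that snapd's interface profiles use. Run on the report's own denial line it yields exactly the rule the reporter added; the generalisation to other /proc/<pid>/... files, to non-owner denials (fsuid != ouid) and the refusal to auto-generate exec/mmap rules are my additions. The second audit line in main is constructed, not taken from a real system.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Denial holds the fields of one AppArmor audit record (type=1400).
type Denial struct {
	Profile       string
	Operation     string
	Class         string
	Name          string
	RequestedMask string
	DeniedMask    string
	Comm          string
	FsUID         string
	OUID          string
}

// kvRe matches key="value" and key=value pairs as they appear in audit records.
var kvRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// ParseDenial parses one audit line. ok is false unless the record is an
// AppArmor DENIED event that names a path.
func ParseDenial(line string) (d Denial, ok bool) {
	fields := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		val := m[2]
		if val == "" {
			val = m[3]
		}
		fields[m[1]] = val
	}
	if fields["apparmor"] != "DENIED" || fields["name"] == "" {
		return Denial{}, false
	}
	return Denial{
		Profile:       fields["profile"],
		Operation:     fields["operation"],
		Class:         fields["class"],
		Name:          fields["name"],
		RequestedMask: fields["requested_mask"],
		DeniedMask:    fields["denied_mask"],
		Comm:          fields["comm"],
		FsUID:         fields["fsuid"],
		OUID:          fields["ouid"],
	}, true
}

var (
	// /proc/<pid>/task/<tid>/<rest>: what /proc/thread-self/<rest> resolves to.
	procTaskRe = regexp.MustCompile(`^/proc/\d+/task/\d+/(.+)$`)
	// /proc/<pid>/<rest>: what /proc/self/<rest> resolves to.
	procPidRe = regexp.MustCompile(`^/proc/\d+/(.+)$`)
)

// GeneralizePath rewrites a concrete /proc path into the @{PROC}/@{pid}/@{tid}
// variable form used in snapd interface profiles, so the rule is not tied to the
// pid and tid that happened to appear in the denial.
func GeneralizePath(name string) string {
	if m := procTaskRe.FindStringSubmatch(name); m != nil {
		return "@{PROC}/@{pid}/task/@{tid}/" + m[1]
	}
	if m := procPidRe.FindStringSubmatch(name); m != nil {
		return "@{PROC}/@{pid}/" + m[1]
	}
	return name
}

// SuggestRule derives the narrowest file rule that would have allowed the
// denied access. Only read/write/lock/link masks are handled automatically;
// exec and mmap denials (x, m) need a human to choose the exec mode, so ok is false.
func SuggestRule(d Denial) (rule string, ok bool) {
	if (d.Class != "" && d.Class != "file") || d.DeniedMask == "" {
		return "", false
	}
	if strings.Trim(d.DeniedMask, "rwkl") != "" {
		return "", false
	}
	prefix := ""
	// "owner" limits the rule to files owned by the accessing uid; it is only
	// sufficient when the denial itself shows fsuid == ouid, as in the report.
	if d.FsUID != "" && d.FsUID == d.OUID {
		prefix = "owner "
	}
	return fmt.Sprintf("%s%s %s,", prefix, GeneralizePath(d.Name), d.DeniedMask), true
}

func main() {
	// The first line is the denial quoted in the report; the second is constructed.
	lines := []string{
		`audit: type=1400 audit(1708025745.628:677): apparmor="DENIED" operation="open" class="file" profile="snap.k8s.k8sd" name="/proc/1751/task/3006/mountinfo" pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`,
		`audit: type=1400 audit(1708025746.100:678): apparmor="DENIED" operation="open" class="file" profile="snap.example.app" name="/proc/4242/mountstats" pid=4242 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`,
	}
	for _, l := range lines {
		d, ok := ParseDenial(l)
		if !ok {
			continue
		}
		if rule, ok := SuggestRule(d); ok {
			fmt.Printf("%s (%s): %s\n", d.Profile, d.Comm, rule)
		}
	}
}
```

The generated rule is a starting point for review, not something to paste into a profile unseen: the task/@{tid} form is what /proc/thread-self resolves to, so the report's single rule covers every thread of the confined process, but a denial whose fsuid differs from ouid would need a rule without the owner qualifier, and that broader grant deserves a second look.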