Comment 0 for bug 2053271

Angelos Kolaitis (aggkolaitis) wrote:

----
$ snap version
snap 2.61.1
snapd 2.61.1
series 16
ubuntu 22.04
kernel 6.5.0-17-generic

----

The mount-observe interface allows reading the following files (from https://github.com/snapcore/snapd/blob/master/interfaces/builtin/mount_observe.go#L46):

owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mountstats r,

However, processes might want to retrieve the info from /proc/thread-self/mountinfo instead, which resolves to /proc/$pid/task/$task/mountinfo, e.g. https://github.com/moby/sys/blob/mountinfo/v0.7.1/mountinfo/mountinfo_linux.go#L139-L174

This results in an error message that reads like this:

> open /proc/thread-self/mountinfo: permission denied

And the respective apparmor denial is:

> audit: type=1400 audit(1708025745.628:677): apparmor="DENIED" operation="open" class="file" profile="snap.k8s.k8sd" name="/proc/1751/task/3006/mountinfo" pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

----

We are able to fix the issue by adding the following line to the profile:

owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,

We would like this line to be added to snapd.
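As an added illustration (not code from the report or from snapd), the following Python helper parses AppArmor DENIED audit records of the form quoted above, generalizes the denied /proc path with the @{PROC}/@{pid}/@{tid} variables, and reports which of the implied rules the mount-observe profile does not already carry. The first audit line is the one from the report; the second is constructed to exercise the "already covered" filter.

```python
import re

# Field layout of the AppArmor audit record quoted in the report.
AUDIT_RE = re.compile(
    r'apparmor="(?P<action>[A-Z]+)" .*?profile="(?P<profile>[^"]+)"'
    r' name="(?P<name>[^"]+)" .*?denied_mask="(?P<den>[a-z]+)"'
    r' fsuid=(?P<fsuid>\d+) ouid=(?P<ouid>\d+)'
)

# Rules from the mount-observe interface quoted in the report.
MOUNT_OBSERVE_RULES = [
    "owner @{PROC}/@{pid}/mounts r,",
    "owner @{PROC}/@{pid}/mountinfo r,",
    "owner @{PROC}/@{pid}/mountstats r,",
]

# First line: the denial from the report. Second line: constructed so it maps
# onto a rule the profile already has and is therefore filtered out.
AUDIT_LINES = [
    'audit: type=1400 audit(1708025745.628:677): apparmor="DENIED" operation="open" class="file" profile="snap.k8s.k8sd" name="/proc/1751/task/3006/mountinfo" pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1708025745.900:678): apparmor="DENIED" operation="open" class="file" profile="snap.k8s.k8sd" name="/proc/1751/mountinfo" pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

def parse_denial(line):
    """Return the captured fields for a DENIED record, or None otherwise."""
    m = AUDIT_RE.search(line)
    if m is None or m.group("action") != "DENIED":
        return None
    return m.groupdict()

def suggest_rule(d):
    """Generalize a denied /proc path into a rule using snapd's variables."""
    path = re.sub(r"^/proc/\d+/task/\d+/", "@{PROC}/@{pid}/task/@{tid}/", d["name"])
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)
    # fsuid == ouid: the process opened its own file, so the narrower
    # 'owner' form that mount-observe already uses is sufficient.
    owner = "owner " if d["fsuid"] == d["ouid"] else ""
    return f"{owner}{path} {d['den']},"

def missing_rules(existing, audit_lines):
    """Rules implied by the denials that the profile does not already carry."""
    have = {" ".join(r.split()) for r in existing}
    out = []
    for line in audit_lines:
        d = parse_denial(line)
        if d is not None and suggest_rule(d) not in have | set(out):
            out.append(suggest_rule(d))
    return out

if __name__ == "__main__":
    print("\n".join(missing_rules(MOUNT_OBSERVE_RULES, AUDIT_LINES)))
```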