----
$ snap version
snap 2.61.1
snapd 2.61.1
series 16
ubuntu 22.04
kernel 6.5.0-17-generic
----
The mount-observe interface allows reading the following files (from https://github.com/snapcore/snapd/blob/master/interfaces/builtin/mount_observe.go#L46):
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mountstats r,
However, processes might want to retrieve the info from /proc/thread-self/mountinfo instead, which resolves to /proc/$pid/task/$task/mountinfo, e.g. https://github.com/moby/sys/blob/mountinfo/v0.7.1/mountinfo/mountinfo_linux.go#L139-L174
This results in an error message that reads like this:
> open /proc/thread-self/mountinfo: permission denied
And the respective AppArmor denial is:
> audit: type=1400 audit(1708025745.628:677): apparmor="DENIED" operation="open" class="file" profile="snap.k8s.k8sd" name="/proc/1751/task/3006/mountinfo" pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
We are able to fix the issue by adding the following line to the profile:
owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,
We would like this line to be added to snapd.
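A triage helper for denials like the one quoted above, added here as an example (not code from snapd or from this report): it parses AppArmor audit records, picks out denied reads of per-thread mount files under /proc/<pid>/task/<tid>/, and emits the profile rule that would cover each one. The sample log is constructed from the quoted denial plus two made-up records, the function names are hypothetical, and covering mounts and mountstats as well as mountinfo goes beyond what the report asks for.

```python
import re

# Constructed sample: the denial quoted in the report plus two made-up records.
SAMPLE_LOG = """\
audit: type=1400 audit(1708025745.628:677): apparmor="DENIED" operation="open" class="file" profile="snap.k8s.k8sd" name="/proc/1751/task/3006/mountinfo" pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1708025746.101:678): apparmor="DENIED" operation="open" class="file" profile="snap.example.app" name="/var/lib/example/data" pid=4242 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1708025747.333:679): apparmor="ALLOWED" operation="open" class="file" profile="snap.k8s.k8sd" name="/proc/1751/mountinfo" pid=230818 comm="k8sd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Per-thread form of the three files mount-observe allows at process level.
TASK_PATH = re.compile(r"^/proc/(\d+)/task/(\d+)/(mounts|mountinfo|mountstats)$")

def parse_audit(line):
    """Return the key=value fields of one audit record as a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}

def per_thread_mount_denials(log_text):
    """Find denied reads of /proc/<pid>/task/<tid>/{mounts,mountinfo,mountstats}."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_audit(line)
        if rec.get("apparmor") != "DENIED" or "r" not in rec.get("denied_mask", ""):
            continue
        m = TASK_PATH.match(rec.get("name", ""))
        if not m:
            continue
        findings.append({
            "profile": rec["profile"],
            "comm": rec.get("comm"),
            "path": rec["name"],
            # An `owner` rule only matches when fsuid equals the file's uid.
            "owner_match": rec.get("fsuid") == rec.get("ouid"),
            "rule": "owner @{PROC}/@{pid}/task/@{tid}/%s r," % m.group(3),
        })
    return findings

if __name__ == "__main__":
    for finding in per_thread_mount_denials(SAMPLE_LOG):
        print(finding)
```

The `owner_match` field shows whether the `owner`-qualified rule would have covered the logged access; a record with differing `fsuid` and `ouid` would still be denied under it.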