Calling snapctl with snapd 2.17/2.18 causes AppArmor denials in dmesg because of access to /run/snapd.socket

Bug #1648427 reported by Simon Fels
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Snappy | Triaged | High | Unassigned |

Bug Description

Calling snapctl from the configure hook from within a snap causes the following denials:

[ 6639.038089] audit: type=1400 audit(1481196092.601:73): apparmor="DENIED" operation="create" profile="snap.network-manager.hook.configure" pid=2077 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
[ 6639.038177] audit: type=1400 audit(1481196092.601:74): apparmor="DENIED" operation="create" profile="snap.network-manager.hook.configure" pid=2077 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
[ 6639.038706] audit: type=1400 audit(1481196092.605:75): apparmor="DENIED" operation="create" profile="snap.network-manager.hook.configure" pid=2077 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
[ 6639.040053] audit: type=1400 audit(1481196092.605:76): apparmor="DENIED" operation="open" profile="snap.network-manager.hook.configure" name="/run/snapd.socket" pid=2077 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

The hook itself is correctly executed and can retrieve the configuration items via snapctl.

Michael Vogt (mvo) wrote:

This is because in client/client.go we use os.OpenFile(dirs.SnapdSocket) and on EACCES we retry with dirs.SnapSocket. This of course causes some spam in dmesg.

Changed in snappy:
importance: Undecided → High
status: New → Triaged
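
When triaging dmesg, the denial that the comment above explains can be separated from the rest with a small filter. This is an added example, not part of the bug report or of snapd's code; the sample is two of the denials quoted in the report, and the function names are this example's own. Only the denied open of /run/snapd.socket by snapctl is attributed to the socket probe; every other denial is returned for separate review.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Two of the denials quoted in the report above, copied unchanged.
const sampleLog = `[ 6639.038089] audit: type=1400 audit(1481196092.601:73): apparmor="DENIED" operation="create" profile="snap.network-manager.hook.configure" pid=2077 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
[ 6639.040053] audit: type=1400 audit(1481196092.605:76): apparmor="DENIED" operation="open" profile="snap.network-manager.hook.configure" name="/run/snapd.socket" pid=2077 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0`

// kv matches key=value and key="quoted value" pairs in an audit record.
var kv = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)

// parseAudit returns the fields of one kernel audit line as a map.
func parseAudit(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range kv.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = strings.Trim(m[2], `"`)
	}
	return fields
}

// isSocketProbe is true for snapctl, under a snap profile, denied an open of /run/snapd.socket.
func isSocketProbe(f map[string]string) bool {
	return f["apparmor"] == "DENIED" && f["operation"] == "open" && f["comm"] == "snapctl" &&
		f["name"] == "/run/snapd.socket" && strings.HasPrefix(f["profile"], "snap.")
}

// splitDenials separates socket-probe denials from all other AppArmor denials.
func splitDenials(log string) (probe, other []map[string]string) {
	for _, line := range strings.Split(log, "\n") {
		f := parseAudit(line)
		switch {
		case f["apparmor"] != "DENIED": // not a denial record: skip
		case isSocketProbe(f):
			probe = append(probe, f)
		default:
			other = append(other, f)
		}
	}
	return probe, other
}

func main() {
	probe, other := splitDenials(sampleLog)
	fmt.Printf("socket probe: %d, other denials to review: %d\n", len(probe), len(other))
}
```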