Cannot parse seccomp profile in snapd update

Bug #1882221 reported by Jose Alvarado
Affects: snapd
Status: Triaged
Importance: Low
Assigned to: Unassigned

Bug Description

An update to snapd now prevents [`snap-seccomp`](https://forum.snapcraft.io/t/seccomp-profile-not-compiling/16792/2?u=zjoseal) from parsing seccomp profiles. I hadn't recompiled a seccomp profile in a week, so I don't know the exact change, but I can recreate the issue.

I get no errors with versions:
```
ubuntu@ip-172-31-18-210:~$ snap version
snap 2.37.4+18.04
snapd 2.37.4+18.04
series 16
ubuntu 18.04
kernel 4.15.0-1034-aws
```

However, after updating snap by installing the `core18` and `snapd` snaps
```
ubuntu@ip-172-31-18-210:~$ snap version
snap 2.45
snapd 2.45
series 16
ubuntu 18.04
kernel 4.15.0-1034-aws
```
I get
```
ubuntu@ip-172-31-18-210:/var/lib/snapd/seccomp/bpf$ sudo /usr/lib/snapd/snap-seccomp compile snap.core.hook.configure.src snap.core.hook.configure.bin
error: cannot parse line: cannot parse token "-1" (line "chown - u:root -1")
```
This happens whenever I try to recompile any profile, even ones I haven't touched.

Is there an upcoming patch for this? This doesn't change on `edge`.

Zygmunt Krynicki (zyga) wrote:

I tried reproducing this on my 20.04 system but without success.
I tried reproducing this on my 18.04 system equally without success.

My 18.04 system was running a different kernel, 5.3.0

Zygmunt Krynicki (zyga) wrote:

I booted my 16.04 system running a more similar 4.15 kernel but here it also worked fine.

Jose Alvarado (zjoseal) wrote:

Interesting. Are you installing/refreshing `snapd`?
```
ubuntu@ip-172-31-18-210:~$ snap list
Name              Version    Rev   Tracking         Publisher   Notes
amazon-ssm-agent  2.3.714.0  1566  latest/stable/…  aws✓        classic
core              16-2.45    9289  latest/stable    canonical✓  core
core18            20200427   1754  latest/stable    canonical✓  base
snapd             2.45       7777  latest/stable    canonical✓  snapd
```

Also, sorry but I first posted on the [Snapcraft Forum](https://forum.snapcraft.io/t/cannot-parse-seccomp-profile-in-snapd-update/18007/4).
Would it be better to have the conversation there?

Maciej Borzecki (maciek-borzecki) wrote:

Does this work?
```
/snap/snapd/current/usr/lib/snapd/snap-seccomp compile snap.core.hook.configure.src snap.core.hook.configure.bin
```

Ian Johnson (anonymouse67) wrote:

This can be reproduced by launching a bionic LXD container or a VM, and downgrading snapd to the latest package available from the bionic-security pocket, which is 2.37, then installing the core snap with `snap install core`. Then you will have a system with profiles on it that include support for e.g. system-usernames and thus supports lines like `chown - u:root -1`; however, your host system tools at /usr/lib/snapd/snap-seccomp that do not re-exec (such as snap-seccomp) will be too old to be able to work with the new profiles that are available from the core snap (or in this case the snapd snap).

IMHO the right thing to do to fix this bug is to make snap-seccomp and other "user facing" tools re-exec or otherwise expose them via `snap debug` in a friendly way that handles re-exec properly, because as it is right now users have to know about re-exec and then track down which place that it will be re-execing to and execute the tool from there, which is quite confusing.

We may document in the short term how users can track down that re-exec on e.g. https://docs.ubuntu.com/core/en/guides/intro/security, but that's just a hotfix in my opinion.

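The comment above describes the practical problem: the distro copy of `snap-seccomp` in `/usr/lib/snapd` does not re-exec, so a user has to work out by hand which snap-shipped copy the re-executing `snapd` would have used and run that one instead. The helper below is an added example (not snapd's own code, and not the page's) that automates that lookup. It assumes, based on the thread, that a re-executing snapd prefers the `snapd` snap at `/snap/snapd/current` over the `core` snap at `/snap/core/current` and falls back to the distro copy otherwise, and that `SNAP_REEXEC=0` disables re-exec; it does not reproduce snapd's version comparison between the distro package and the snap. The `root` parameter is only there so the function can be exercised against a scratch directory tree.

```shell
#!/bin/sh
# Added example, not part of snapd: pick the snap-seccomp binary that a
# re-executing snapd would use, so a profile is compiled by the same parser
# version that generated it (the distro copy may be too old for tokens
# such as "-1" in "chown - u:root -1").
#
# Assumptions (taken from the bug thread, not from snapd's source):
#   - preference order is the snapd snap, then the core snap, then the
#     distro package in /usr/lib/snapd;
#   - SNAP_REEXEC=0 turns re-exec off, so the distro copy is used.
# The optional first argument is a root prefix for testing against a
# scratch tree; leave it empty on a real system.

find_snap_seccomp() {
    root=${1:-}
    if [ "${SNAP_REEXEC:-1}" = "0" ]; then
        echo "$root/usr/lib/snapd/snap-seccomp"
        return 0
    fi
    for base in /snap/snapd/current /snap/core/current; do
        candidate="$root$base/usr/lib/snapd/snap-seccomp"
        if [ -x "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    # No snap-shipped copy found: fall back to the distro package.
    echo "$root/usr/lib/snapd/snap-seccomp"
}

# Compile one profile with the selected binary, mirroring the command from
# the report, e.g.:
#   cd /var/lib/snapd/seccomp/bpf
#   sudo sh -c '. ./find.sh; compile_profile snap.core.hook.configure.src snap.core.hook.configure.bin'
compile_profile() {
    bin=$(find_snap_seccomp "")
    echo "using $bin" >&2
    "$bin" compile "$1" "$2"
}
```

On the reporter's system, where `snap list` shows both the `core` and `snapd` snaps installed, the helper would select `/snap/snapd/current/usr/lib/snapd/snap-seccomp`, which is the path suggested in the thread; on a machine with only the distro package it returns `/usr/lib/snapd/snap-seccomp`, the copy that fails on the newer profile syntax.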
Changed in snappy:
  status: New → Confirmed
  importance: Undecided → Medium
  status: Confirmed → Triaged
  importance: Medium → Low

Michael Vogt (mvo):
  affects: snappy → snapd