snapd.apparmor.service uses apparmor_parser from base, instead of snapd snap

Bug #1952224 reported by Dimitri John Ledkov
Affects: snapd (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ /snap/snapd/current/usr/lib/snapd/apparmor_parser --preprocess <<EOF
profile snap-test { capability bpf, }
EOF
profile snap-test { capability bpf, }

$ echo $?
0

$ /usr/sbin/apparmor_parser --preprocess <<EOF
profile snap-test { capability bpf, }
EOF
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpf

$ echo $?
1

Nov 25 12:32:34 ubuntu systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
Nov 25 12:32:34 ubuntu snapd-apparmor[2263]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14078 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu snapd-apparmor[2264]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14091 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu audit[2268]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.nvidia-assemble" >
Nov 25 12:32:34 ubuntu snapd-apparmor[2265]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14109 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu snapd-apparmor[2267]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.x1 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: I>
Nov 25 12:32:34 ubuntu snapd-apparmor[2266]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14156 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu audit[2269]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.pc" pid=2269 comm>
Nov 25 12:32:34 ubuntu audit[2271]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.nvidia-assemble.nvidia-asse>
Nov 25 12:32:34 ubuntu audit[2270]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.nvidia-assemble.hook.remove>
Nov 25 12:32:34 ubuntu audit[2272]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.pc.hook.configure" pid=2272>
Nov 25 12:32:34 ubuntu kernel: audit: type=1400 audit(1637843554.522:100): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" nam>
Nov 25 12:32:34 ubuntu kernel: audit: type=1400 audit(1637843554.522:101): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" nam>
Nov 25 12:32:34 ubuntu kernel: audit: type=1400 audit(1637843554.522:102): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" nam>
Nov 25 12:32:34 ubuntu systemd[1]: snapd.apparmor.service: Main process exited, code=exited, status=123/n/a
Nov 25 12:32:34 ubuntu systemd[1]: snapd.apparmor.service: Failed with result 'exit-code'.
Nov 25 12:32:34 ubuntu systemd[1]: Failed to start Load AppArmor profiles managed internally by snapd.
Nov 25 12:32:34 ubuntu systemd[1]: snapd.service: Got notification message from PID 2243, but reception only permitted for main PID 1531

It seems to be partial fallout from vendoring apparmor in the snapd snap, and yet not using it fully to parse the profiles.
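As an added triage example (not part of the bug report and not snapd's own code), the script below pulls the parser errors out of the journal excerpt above, shows that every failing profile trips over the same include file (snap-confine/cap-bpf), reads the systemd exit status, and repeats the --preprocess check from the report against both parser paths so an operator can confirm which binary rejects the capability. The two parser paths and the one-line test profile are the ones quoted in the report; the function and variable names are my own, and the sample journal lines are copied from the report with journalctl's '>' truncation intact.

```python
"""Triage helpers for snapd.apparmor.service parser failures (added example)."""
import os
import re
import subprocess
from collections import Counter

# Journal lines copied from the bug report above; journalctl truncated them with '>'.
SAMPLE_JOURNAL = """\
Nov 25 12:32:34 ubuntu systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
Nov 25 12:32:34 ubuntu snapd-apparmor[2263]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14078 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu snapd-apparmor[2264]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14091 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu snapd-apparmor[2265]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14109 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu snapd-apparmor[2267]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.x1 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: I>
Nov 25 12:32:34 ubuntu snapd-apparmor[2266]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14156 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu systemd[1]: snapd.apparmor.service: Main process exited, code=exited, status=123/n/a
Nov 25 12:32:34 ubuntu systemd[1]: snapd.apparmor.service: Failed with result 'exit-code'.
""".splitlines()

# Parser paths exactly as quoted in the report: the vendored one and the base system's one.
SNAPD_PARSER = "/snap/snapd/current/usr/lib/snapd/apparmor_parser"
BASE_PARSER = "/usr/sbin/apparmor_parser"

PARSER_ERROR_RE = re.compile(
    r"snapd-apparmor\[\d+\]: AppArmor parser error for (?P<profile>\S+) "
    r"in (?P<include>\S+) at line (?P<line>\d+)"
)
SERVICE_EXIT_RE = re.compile(
    r"snapd\.apparmor\.service: Main process exited, .*status=(?P<status>\S+)"
)


def parse_parser_errors(lines):
    """Return one dict per 'AppArmor parser error' line: profile, include file, line number."""
    found = []
    for line in lines:
        m = PARSER_ERROR_RE.search(line)
        if m:
            found.append({"profile": m["profile"], "include": m["include"], "line": int(m["line"])})
    return found


def failing_includes(errors):
    """Count errors per include file; one file hit by every profile points at a parser feature gap."""
    return Counter(e["include"] for e in errors)


def service_exit_status(lines):
    """Return the systemd exit status for snapd.apparmor.service, or None if it did not fail."""
    for line in lines:
        m = SERVICE_EXIT_RE.search(line)
        if m:
            return m["status"]
    return None


def parser_supports_capability(parser, capability):
    """Feed a one-line profile to `parser --preprocess`, the reproduction from the report.

    Returns True if the parser accepts the capability (exit 0), False if it rejects it
    (non-zero exit), and None if the binary is not present on this host.
    """
    if not (os.path.isfile(parser) and os.access(parser, os.X_OK)):
        return None
    profile = f"profile snap-test {{ capability {capability}, }}\n"
    result = subprocess.run([parser, "--preprocess"], input=profile, capture_output=True, text=True)
    return result.returncode == 0


def compare_parsers(capability="bpf", parsers=(SNAPD_PARSER, BASE_PARSER)):
    """Map each parser path to True/False/None for the given capability."""
    return {p: parser_supports_capability(p, capability) for p in parsers}


if __name__ == "__main__":
    errors = parse_parser_errors(SAMPLE_JOURNAL)
    print(f"{len(errors)} parser errors; per include file: {dict(failing_includes(errors))}")
    print(f"service exit status: {service_exit_status(SAMPLE_JOURNAL)}")
    for path, ok in compare_parsers("bpf").items():
        print(f"{path}: {'missing' if ok is None else ('accepts' if ok else 'rejects')} capability bpf")
```

On a host showing the symptom from the report, compare_parsers("bpf") returns True for the vendored parser and False for the base one; the log-side functions work on any saved journalctl output, truncated or not.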

Dimitri John Ledkov (xnox) wrote:
Changed in snapd (Ubuntu):
status: New → Invalid