Excessive apparmor event logging

Bug #1655992 reported by Pat McGowan
This bug affects 2 people
Affects: Unity8 Session Snap | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

While a user session with Unity8 is active, syslog gets continuous log entries of the following kind

Jan 12 09:55:29 samsung930X3G dbus[10741]: apparmor="ALLOWED" operation="dbus_signal" bus="session" path="/com/ubuntu/Upstart" interface="com.ubuntu.Upstart0_6" member="EventEmitted" mask="send" name="org.freedesktop.DBus" pid=7835 label="snap.unity8-session.unity8-session" peer_pid=7943 peer_label="snap.unity8-session.unity8-session"

and

Jan 12 09:57:48 samsung930X3G kernel: [31863.034623] audit: type=1400 audit(1484233068.389:5098320): apparmor="ALLOWED" operation="open" profile="snap.unity8-session.unity8-session" name="/snap/unity8-session/309/lib/libsnap-preload-shim.so" pid=14543 comm="id" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0

so rather than a typical 3MB log I have 130MB files before rolling.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The first denial is because there isn't a unity8 interface that allows the access. Therefore, the access is a policy violation and it is logged (but allowed).

The second denial looks like it should be allowed, but if the snap got upgraded in the background from behind the running unity8 session, it would not, because there are no rules in the policy to allow reading other revisions in /snap/SNAP_NAME. I'll fix the second, but be aware of this related bug #1616650.
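The two log shapes quoted in the description (a dbus-daemon line keyed by label=, and a kernel audit type=1400 line keyed by profile=) and the ALLOWED-versus-DENIED distinction in the comment above, as an added example that is not part of the bug report and not snapd or AppArmor tooling: a small Python parser that reads both shapes, counts entries by confined profile, operation and target so the noisiest missing rule stands out, and flags reads under /snap/<name>/<rev>/ of a revision other than the running one, which is the background-refresh case described above. The sample lines are constructed for this example (the first two copy the shapes quoted in the description; the others are made up, including a hypothetical strict-mode snap named snap.example-app.app), and the "running revision" it compares against is an assumption supplied by the caller, since the log line itself does not say which revision the profile was generated for.

```python
import re
from collections import Counter

# Constructed sample log, not a capture: lines 1-2 follow the shapes quoted in the
# bug description, line 3 is the same read against a second revision, line 4 is a
# hypothetical strict-mode snap being denied, line 5 is unrelated syslog noise.
SAMPLE_LOG = """\
Jan 12 09:55:29 samsung930X3G dbus[10741]: apparmor="ALLOWED" operation="dbus_signal" bus="session" path="/com/ubuntu/Upstart" interface="com.ubuntu.Upstart0_6" member="EventEmitted" mask="send" name="org.freedesktop.DBus" pid=7835 label="snap.unity8-session.unity8-session" peer_pid=7943 peer_label="snap.unity8-session.unity8-session"
Jan 12 09:57:48 samsung930X3G kernel: [31863.034623] audit: type=1400 audit(1484233068.389:5098320): apparmor="ALLOWED" operation="open" profile="snap.unity8-session.unity8-session" name="/snap/unity8-session/309/lib/libsnap-preload-shim.so" pid=14543 comm="id" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jan 12 09:57:49 samsung930X3G kernel: [31864.000001] audit: type=1400 audit(1484233069.000:5098321): apparmor="ALLOWED" operation="open" profile="snap.unity8-session.unity8-session" name="/snap/unity8-session/310/lib/libsnap-preload-shim.so" pid=14544 comm="id" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jan 12 09:58:00 samsung930X3G kernel: [31875.000000] audit: type=1400 audit(1484233080.000:5098322): apparmor="DENIED" operation="open" profile="snap.example-app.app" name="/etc/shadow" pid=14545 comm="cat" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Jan 12 09:58:01 samsung930X3G systemd[1]: Started Session c2 of user pat.
"""

# key="quoted value" or key=bareword, as both dbus-daemon and the kernel emit them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# /snap/<snap name>/<revision>/... ; revisions are numeric, or x<N> for local installs
SNAP_PATH_RE = re.compile(r'^/snap/([^/]+)/(\d+|x\d+)/')


def parse_apparmor_line(line):
    """Return the key=value fields of one syslog line, or None if it is not an AppArmor event.

    Adds two normalised keys: "subject" (profile= on kernel lines, label= on dbus lines)
    and "target" (interface.member for D-Bus operations, the file name otherwise).
    """
    if 'apparmor="' not in line:
        return None
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    fields["subject"] = fields.get("profile") or fields.get("label")
    if fields.get("operation", "").startswith("dbus_"):
        fields["target"] = f'{fields.get("interface", "?")}.{fields.get("member", "?")}'
    else:
        fields["target"] = fields.get("name", "?")
    return fields


def summarize(log_text):
    """Count events by (decision, subject, operation, target).

    apparmor="ALLOWED" is complain mode (devmode): the access went through but still
    violates the policy, and denied_mask shows what strict confinement would block.
    apparmor="DENIED" is strict confinement actually refusing the access.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec:
            counts[(rec["apparmor"], rec["subject"], rec["operation"], rec["target"])] += 1
    return counts


def cross_revision_reads(log_text, running_revision):
    """Return (subject, path, revision) for ALLOWED reads of the snap's own files under
    a revision other than running_revision: the snap was refreshed behind the running
    session and the policy has no rule for the other revision. running_revision is an
    assumption the caller supplies; the log line does not carry it.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if not rec or rec["apparmor"] != "ALLOWED" or "name" not in rec or not rec["subject"]:
            continue
        m = SNAP_PATH_RE.match(rec["name"])
        if not m:
            continue
        snap_name, rev = m.groups()
        # a profile is named snap.<snap>.<app>; snap names cannot contain dots
        if rec["subject"].split(".")[1:2] == [snap_name] and rev != running_revision:
            hits.append((rec["subject"], rec["name"], rev))
    return hits


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
    for hit in cross_revision_reads(SAMPLE_LOG, running_revision="309"):
        print("cross-revision read:", *hit)
```

Running the summary over a real /var/log/syslog with the same functions gives the per-rule counts that tell you which interface connection or snap declaration is missing; entries that stay ALLOWED after connecting the interfaces are the ones that need a rule added to the interface itself.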

Revision history for this message
Pat McGowan (pat-mcgowan) wrote :

Added snap declarations for the plugs in unity8 which will quiet some of these.

Need to create a PR for the slot side of the unity8 interface to quiet the other denials.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

From IRC:
08:14 < jdstrand> pmcgowan: someone could submit an inprogress interface to at least cut down on the logging. also, I see things in there with network manager-- the unity8-session snap could 'plugs: [ network-manager ]' and then people could connect that interface (or a snap declaration could auto connect it)
08:14 < jdstrand> pmcgowan: making sure that the interface connections are in place will also cut down on the logging
08:15 < jdstrand> it may feel weird that you need to do interface connections with devmode, but if you remember that devmode is for reporting violations against policy, then it makes more sense
08:16 < jdstrand> for reporting violations against policy so that they can be addressed in policy later*
...
08:25 < jdstrand> pmcgowan: updated the snap declaration to have: http://paste.ubuntu.com/23792402/
08:25 < jdstrand> I don't think that will affect refresh, but it will affect new installs
08:26 < pmcgowan> jdstrand, thanks did you make an MR?
08:26 < jdstrand> pmcgowan: for the snap declaration, that is a store reviewer thing. it is live now
...
08:27 < jdstrand> pmcgowan: I'm preparing a PR for the previous revision bug
...
08:28 < jdstrand> pmcgowan: np. if someone wants to send up a PR for at least the slot side of the unity8 interface, we can get to addressing the other denial

Here is the aforementioned PR: https://github.com/snapcore/snapd/pull/2629

Between the snap declaration and the PR, quite a few things will not be logged, but please push up a unity8 interface to address the others.
