I pulled a clean 20.04 cloud image VM from https://cloud-images.ubuntu.com/focal/current/
root@ubuntu:/home/guest# grep PRETTY /etc/os-release
PRETTY_NAME="Ubuntu 20.04.4 LTS"
root@ubuntu:/home/guest# uname -a
Linux ubuntu 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:/home/guest# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.

as expected:

root@ubuntu:/home/guest# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory
root@ubuntu:/home/guest# snap list lxd
Name  Version  Rev    Tracking      Publisher   Notes
lxd   4.0.9    22526  4.0/stable/…  canonical✓  -
root@ubuntu:/home/guest# lxd init --auto
root@ubuntu:/home/guest# lxc launch images:ubuntu/20.04 c1
Creating c1
Starting c1
root@ubuntu:/home/guest# lxc exec c1 -- apt install snapd -y
..
root@ubuntu:/home/guest# lxc exec c1 -- snap list
No snaps are installed yet. Try 'snap install hello-world'.

As expected, bpf isn't supported by apparmor_parser:

root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess

restarted the guest:

root@ubuntu:/home/guest# lxc restart c1

and it's still the same:

root@ubuntu:/home/guest# lxc exec c1 -t /bin/bash
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpfroot@c1:~#
root@c1:~#
root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory

The only difference is that I didn't install or run distrobuilder. So I proceeded to do it.

root@c1:~# snap install distrobuilder --edge --classic
2022-03-12T09:17:52Z INFO Waiting for automatic snapd restart...
distrobuilder (edge) git-f883431 from Stéphane Graber (stgraber) installed
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpf
root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory

and restart:

root@c1:~# exit
root@ubuntu:/home/guest# lxc restart c1
root@ubuntu:/home/guest# lxc exec c1 -t /bin/bash
root@c1:~# echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpfroot@c1:~#
root@c1:~#
root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf
cat: /var/lib/snapd/apparmor/snap-confine/cap-bpf: No such file or directory
root@c1:~# systemctl status snapd.apparmor
● snapd.apparmor.service - Load AppArmor profiles managed internally by snapd
     Loaded: loaded (/lib/systemd/system/snapd.apparmor.service; enabled; vendor preset: enabled)
    Drop-In: /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (exited) since Sat 2022-03-12 09:18:46 UTC; 47s ago
    Process: 134 ExecStart=/usr/lib/snapd/snapd-apparmor start (code=exited, status=0/SUCCESS)
   Main PID: 134 (code=exited, status=0/SUCCESS)

Mar 12 09:18:46 c1 systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
Mar 12 09:18:46 c1 snapd-apparmor[134]: /usr/lib/snapd/snapd-apparmor: 47: ns_stacked: not found
Mar 12 09:18:46 c1 snapd-apparmor[134]: /usr/lib/snapd/snapd-apparmor: 48: ns_name: not found
Mar 12 09:18:46 c1 systemd[1]: Finished Load AppArmor profiles managed internally by snapd.
root@c1:~# exit
root@ubuntu:/home/guest# lxc exec c1 -- distrobuilder
System container image builder for LXC and LXD

Usage:
  distrobuilder [command]

Available Commands:
  build-dir       Build plain rootfs
  build-lxc       Build LXC image from scratch
  build-lxd       Build LXD image from scratch
  help            Help about any command
  pack-lxc        Create LXC image from existing rootfs
  pack-lxd        Create LXD image from existing rootfs
  repack-windows  Repack Windows ISO with drivers included

Flags:
      --cache-dir         Cache directory
      --cleanup           Clean up cache directory (default true)
      --debug             Enable debug output
      --disable-overlay   Disable the use of filesystem overlays
  -h, --help              help for distrobuilder
  -o, --options           Override options (list of key=value)
  -t, --timeout           Timeout in seconds
      --version           Print version number

Use "distrobuilder [command] --help" for more information about a command.

Then I proceeded to refresh lxd from latest:

root@ubuntu:/home/guest# snap refresh --channel latest/stable lxd
lxd 4.23 from Canonical✓ refreshed

The rest of the steps are the same, everything works OOTB, there's no cap-bpf as snapd did not detect such support in apparmor_parser, and I can't reproduce the problem.

If `echo 'profile snap-test { capability bpf, }' | apparmor_parser --preprocess` fails, then snapd will generate the snippet for snap-confine.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1964636

Title:
  Incorrect handling of apparmor `bpf` capability
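An added diagnostic script, not snapd's own code and not posted in this bug thread: it repeats the apparmor_parser probe used throughout the comment and compares the result against whether the snap-confine cap-bpf snippet exists, so someone checking a host can report both facts together. The APPARMOR_PARSER and SNAP_CONFINE_DIR variables are assumptions of this script (they let it be pointed at a stub parser or a scratch directory); the expected rule it encodes, snippet present only when the parser accepts `capability bpf`, follows what the comment observed on Focal rather than snapd's source.

```shell
#!/bin/sh
# Added diagnostic (not snapd's code): re-run the apparmor_parser probe from
# the bug comment and check it against the snap-confine cap-bpf snippet.
# APPARMOR_PARSER and SNAP_CONFINE_DIR are assumed overrides for testing.

# Ask apparmor_parser whether it accepts "capability <name>".
# Exit 0: the parser accepted the profile (capability known).
# Non-zero: rejected, e.g. "Invalid capability bpf", or parser missing.
apparmor_supports_capability() {
    cap="$1"
    parser="${APPARMOR_PARSER:-apparmor_parser}"
    printf 'profile snap-test { capability %s, }\n' "$cap" \
        | $parser --preprocess >/dev/null 2>&1
}

# Report whether the cap-bpf snippet exists in the snap-confine AppArmor
# directory (default is the path shown in the comment).
cap_bpf_snippet_state() {
    dir="${SNAP_CONFINE_DIR:-/var/lib/snapd/apparmor/snap-confine}"
    if [ -e "$dir/cap-bpf" ]; then
        echo present
    else
        echo absent
    fi
}

# Expected state, following what the comment observed: when the parser
# rejects "capability bpf", no cap-bpf snippet is present.
expected_cap_bpf_state() {
    if apparmor_supports_capability bpf; then
        echo present
    else
        echo absent
    fi
}

# Print both states; exit 0 only if they agree. A mismatch is the
# condition worth attaching to a report like this one.
diagnose_cap_bpf() {
    expected=$(expected_cap_bpf_state)
    actual=$(cap_bpf_snippet_state)
    if [ "$expected" = present ]; then
        accepts=yes
    else
        accepts=no
    fi
    printf 'apparmor_parser accepts "capability bpf": %s\n' "$accepts"
    printf 'cap-bpf snippet: expected %s, found %s\n' "$expected" "$actual"
    [ "$expected" = "$actual" ]
}

# Run the check when executed as a script; set CAP_BPF_DIAG_RUN=0 to only
# define the functions (e.g. when sourcing this file).
if [ "${CAP_BPF_DIAG_RUN:-1}" = 1 ]; then
    diagnose_cap_bpf
fi
```

Run it as root on the host or inside the container (`sh cap-bpf-check.sh`); the exit status is 0 when the parser's answer and the snippet's presence agree, which is the situation the comment describes, and 1 otherwise.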