[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04
So while I don't think we are where snapd can get rid of the snap- confine.internal snippets, with it now vendoring a more recent apparmor, a lot of these can drop away. It doesn't need to detect capabilities anymore. It can just specify deny capability perfmon, and it will work, for all kernels. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1967884 Title: several snap-confine denials for capability net_admin and perfmon on 22.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1967884/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04
@neigin: yes the capability to resolve this exists. So now it is a matter of getting it functioning in snapd for these cases. This will get resolved I just can't say when it will land. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1967884 Title: several snap-confine denials for capability net_admin and perfmon on 22.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1967884/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04
If this every going to be resolved? I'm tired of seeing these apparmor DENIED messages in my syslog. [Wed May 1 10:33:40 2024] audit: type=1400 audit(1714577621.012:30): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6126 comm="snap-confine" capability=12 capname="net_admin" [Wed May 1 10:33:40 2024] audit: type=1400 audit(1714577621.012:31): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6126 comm="snap-confine" capability=38 capname="perfmon" [Wed May 1 10:52:39 2024] audit: type=1400 audit(1714578760.293:32): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6527 comm="snap-confine" capability=12 capname="net_admin" [Wed May 1 10:52:39 2024] audit: type=1400 audit(1714578760.293:33): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6527 comm="snap-confine" capability=38 capname="perfmon" -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1967884 Title: several snap-confine denials for capability net_admin and perfmon on 22.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1967884/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04
The fsetid is actually quite old (at least 3 years; there may have been a Trello card for it). At one point it came in and I did analysis and tweaked the order of the priv dropping in snap-confine to get rid of it. Then some stuff was added to snap-confine and it came back. I always had it as a to-do to work through it, but weighing the necessity of keeping the priv-dropping solid vs getting rid of the noisy denial always kept it on the back-burner. Bottom line, the fsetid has to do with the delicate drop/raise/.../full drop dance we do and isn't new. I think you should keep that separate from these other two. The new ones feel like it's a delegation issue with the new kernel (ie where it depends on what is launching snap-confine/what snap-confine is launching), but maybe it is just as simple as the 5.15 kernel has new capabilities checks for things it didn't before. When looking at this, remember that the kernel rate limits capability denials differently than say, file rules and that it can be difficult to trigger the denials reliably without taking additional steps. John can help you with these techniques. I recall wanting to pull my hair out when investigating the fsetid denial until I nailed down how to get the logged denial reliably :) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1967884 Title: several snap-confine denials for capability net_admin and perfmon on 22.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1967884/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04
Thanks for the heads up @jdstrand - I am seeing this too - I also have one more - fsetid: $ journalctl -b0 -t audit --grep DENIED.*snap-confine Apr 06 08:48:06 graphene audit[3733]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=3733 comm="snap-confine" capability=12 capname="net_admin" Apr 06 08:48:06 graphene audit[3733]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=3733 comm="snap-confine" capability=38 capname="perfmon" Apr 06 08:48:07 graphene audit[4545]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4545 comm="snap-confine" capability=12 capname="net_admin" Apr 06 08:48:07 graphene audit[4545]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4545 comm="snap-confine" capability=38 capname="perfmon" Apr 06 08:48:07 graphene audit[4614]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4614 comm="snap-confine" capability=12 capname="net_admin" Apr 06 08:48:07 graphene audit[4614]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4614 comm="snap-confine" capability=38 capname="perfmon" Apr 06 08:48:07 graphene audit[4682]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4682 comm="snap-confine" capability=12 capname="net_admin" Apr 06 08:48:07 graphene audit[4682]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4682 comm="snap-confine" capability=38 capname="perfmon" Apr 06 08:48:08 graphene audit[4745]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4745 comm="snap-confine" capability=12 capname="net_admin" Apr 06 08:48:08 graphene audit[4745]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=4745 comm="snap-confine" capability=38 capname="perfmon" Apr 06 08:48:26 graphene audit[8216]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=8216 comm="snap-confine" capability=12 capname="net_admin" Apr 06 08:48:26 graphene audit[8216]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=8216 comm="snap-confine" capability=38 capname="perfmon" Apr 06 08:48:27 graphene audit[8221]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=8221 comm="snap-confine" capability=4 capname="fsetid" Apr 06 08:49:22 graphene audit[11287]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11287 comm="snap-confine" capability=12 capname="net_admin" Apr 06 08:49:22 graphene audit[11287]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11287 comm="snap-confine" capability=38 capname="perfmon" Apr 06 08:49:22 graphene audit[11287]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=11287 comm="snap-confine" capability=4 capname="fsetid" Apr 06 08:51:05 graphene audit[14806]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=14806 comm="snap-confine" capability=4 capname="fsetid" -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1967884 Title: several snap-confine denials for capability net_admin and perfmon on 22.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1967884/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: snapd (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1967884 Title: several snap-confine denials for capability net_admin and perfmon on 22.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1967884/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04
** Summary changed: - several snap-confine denials for capability net_admin on 22.04 + several snap-confine denials for capability net_admin and perfmon on 22.04 ** Description changed: I recently upgraded to 22.04 and started seeing denials like: - Apr 5 08:57:39 localhost kernel: [ 31.386426] audit: type=1400 audit(1649167059.397:267): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=2333 comm="snap-confine" capability=12 capname="net_admin" - Apr 5 08:58:14 localhost kernel: [ 66.234135] audit: type=1400 audit(1649167094.420:274): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5400 comm="snap-confine" capability=12 capname="net_admin" - Apr 5 08:59:50 localhost kernel: [ 162.033225] audit: type=1400 audit(1649167190.215:293): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=7166 comm="snap-confine" capability=12 capname="net_admin" + Apr 05 09:38:51 iolanthe audit[5815]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5815 comm="snap-confine" capability=12 capname="net_admin" + Apr 05 09:38:51 iolanthe audit[5815]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5815 comm="snap-confine" capability=38 capname="perfmon" + Apr 05 09:38:51 iolanthe kernel: audit: type=1400 audit(1649169531.339:277): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5815 comm="snap-confine" capability=12 capname="net_admin" + Apr 05 09:38:51 iolanthe kernel: audit: type=1400 audit(1649169531.339:278): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=5815 comm="snap-confine" capability=38 capname="perfmon" I've not been able to figure out what is causing this and will add more details if I do. Filing this in case other see it too. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1967884 Title: several snap-confine denials for capability net_admin and perfmon on 22.04 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1967884/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs