Hrmmm another potential thing jumps out when looking at the journal. There are 3 log entries, same time, in the following order in the log.
Feb 04 18:21:43 ubuntu-Default-string kernel: audit: type=1400 audit(1770200503.714:210): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=1652 comm="apparmor_parser"
Feb 04 18:21:43 ubuntu-Default-string docker.nvidia-container-toolkit[1768]: can not change apparmor hat: No child processes
Feb 04 18:21:43 ubuntu-Default-string kernel: audit: type=1400 audit(1770200503.718:211): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1652 comm="apparmor_parser"

1. the profile is loaded
2. the change_hat call fails
3. the child profile/hat is loaded

This very much looks like a race. The question is whether it is in the kernel or in the load/start of the application. So I see two potential scenarios:

1. Single invocation of the parser

   In this scenario the profile load is run in parallel to the application, in such a way that it gets the initial profile load and starts change_hat before the child profile can be loaded. This scenario seems very unlikely, but could theoretically happen if, due to locking/scheduling, the child goes to sleep waiting for a lock.

2. Multiple parser/load invocations

   - base profile is loaded, parser/load returns
   - application is started, and the load of the child is started
   - application does change_hat
   - load of the child loses the race
   - change_hat fails because the child is not yet loaded (it could be in the process of loading, waiting on a lock etc.)

-- 
https://bugs.launchpad.net/bugs/2139664
Title: snap service cannot change apparmor hat
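The ordering argument above (parent profile loaded, change_hat fails, hat loaded afterwards) can be checked mechanically against journal output. The following is an added example, not code from the bug report or from AppArmor/snapd; the sample journal is constructed from the three entries quoted above, and the hat-failure line is matched on the message text `can not change apparmor hat` since it carries no audit serial of its own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the three journal entries quoted in the report
# (same content, each entry re-joined onto a single line).
SAMPLE_JOURNAL = """\
Feb 04 18:21:43 ubuntu-Default-string kernel: audit: type=1400 audit(1770200503.714:210): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=1652 comm="apparmor_parser"
Feb 04 18:21:43 ubuntu-Default-string docker.nvidia-container-toolkit[1768]: can not change apparmor hat: No child processes
Feb 04 18:21:43 ubuntu-Default-string kernel: audit: type=1400 audit(1770200503.718:211): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1652 comm="apparmor_parser"
"""

# AppArmor STATUS audit record: timestamp, serial, load/replace operation, profile name.
AUDIT_RE = re.compile(
    r'audit\((\d+\.\d+):(\d+)\).*?operation="(profile_load|profile_replace)".*?name="([^"]+)"')
# systemd unit line reporting the failed change_hat (the exact wording seen in the report).
HAT_FAIL_RE = re.compile(r'(\S+)\[(\d+)\]: can not change apparmor hat')

@dataclass
class Event:
    idx: int                      # journal order; the hat-failure line has no audit serial
    kind: str                     # "load" or "hat_fail"
    name: str                     # profile name, or the failing unit's name
    serial: Optional[int] = None  # audit serial for load events

def parse_journal(text):
    events = []
    for idx, line in enumerate(text.splitlines()):
        m = AUDIT_RE.search(line)
        if m:
            events.append(Event(idx, "load", m.group(4), int(m.group(2))))
            continue
        m = HAT_FAIL_RE.search(line)
        if m:
            events.append(Event(idx, "hat_fail", m.group(1)))
    return events

def find_hat_load_races(text):
    """Return (unit, parent_profile, hat_profile) for every change_hat failure
    logged after the parent profile was loaded but before its hat was."""
    events = parse_journal(text)
    loads = [e for e in events if e.kind == "load"]
    races = []
    for fail in (e for e in events if e.kind == "hat_fail"):
        for hat in loads:
            if "//" not in hat.name or hat.idx < fail.idx:
                continue  # not a hat, or already loaded when change_hat ran
            parent = hat.name.split("//", 1)[0]
            if any(p.name == parent and p.idx < fail.idx for p in loads):
                races.append((fail.name, parent, hat.name))
    return races
```

Run it over `journalctl -k -o short` output merged with the unit's log to confirm the same ordering on another boot; a non-empty result reproduces the sequence described in the report.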
