Regarding comment https://bugs.launchpad.net/snapd/+bug/2141461/comments/4, it was incorrect to indicate only jammy in the testing plan. I have removed the reference to jammy. The exclusion to only s390x, on the other hand, is correct. Other architectures do not see this same issue and parse the stack to find auxv rather than falling back on the file. So this problem is exclusive to s390x.
** Description changed:

[SRU] 2.75.2

[ Impact ]

snap-update-ns for LXD is blocked from accessing /proc/$pid/auxv

[ Test Plan ]

1. Reproduce with snapd deb < 2.75
- Using a s390x Jammy system, install and run LXD and verify the AppArmor
+ Using a s390x system, install and run LXD and verify the AppArmor denial.

2. Prove fixed with snapd deb 2.75
- Using a s390x Jammy system, install and run LXD and verify the AppArmor
- denial is missing.
+ Using a s390x system, install and run LXD and verify the AppArmor denial
+ is missing.

[ Where problems could occur ]

The change is isolated to adding read access to /proc/$pid/auxv in the AppArmor profile. No problems should occur.

---original---

snap-update-ns for lxd is trying to access /proc/$pid/auxv, which is not permitted by AppArmor in the profile snap-update-ns.lxd. This results in an AppArmor DENIED log in the journal:

['Feb 07 18:14:07 alan-jammy-uzzdrxwtvv audit[893]: AVC apparmor="DENIED" operation="open" profile="snap-update-ns.lxd" name="/proc/893/auxv" pid=893 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0']

Per Zygmunt, this could be a golang bug related to auxv.

Architecture: s390x
Ubuntu Version: Jammy
snapd version: 2.73+ubuntu22.04
Kernel version: linux-image-5.15.0-170-generic

This was found when CPC was running tests on our Jammy images.

** Description changed:

[SRU] 2.75.2

[ Impact ]

- snap-update-ns for LXD is blocked from accessing /proc/$pid/auxv
+ snap-update-ns for LXD is blocked from accessing /proc/$pid/auxv. The
+ attempted access only occurs on s390x architecture.

[ Test Plan ]

1. Reproduce with snapd deb < 2.75
Using a s390x system, install and run LXD and verify the AppArmor denial.

2. Prove fixed with snapd deb 2.75
Using a s390x system, install and run LXD and verify the AppArmor denial is missing.

[ Where problems could occur ]

The change is isolated to adding read access to /proc/$pid/auxv in the AppArmor profile. No problems should occur.

---original---

(unchanged; see the original description above)

https://bugs.launchpad.net/bugs/2141461
Title: snap-update-ns for lxd is denied access to /proc/$pid/auxv
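As an added example (not part of the bug report or of snapd), a small Python checker for the "verify the AppArmor denial" steps of the test plan: it parses AVC records out of journal lines, picks out the snap-update-ns.lxd read denial on /proc/<pid>/auxv, and prints one possible rule form that would cover the denied path. The sample journal lines other than the one quoted in the bug, the `/proc/[0-9]*/` rule pattern and all function names are assumptions of this example.

```python
import re

# key="quoted value" or key=bareword pairs in an audit AVC record
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line):
    """Return the fields of an apparmor="DENIED" audit line, or None otherwise."""
    if 'apparmor=' not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def is_auxv_denial(fields, profile="snap-update-ns.lxd"):
    """True if the record is a read denial of /proc/<pid>/auxv under `profile`."""
    if not fields or fields.get("profile") != profile:
        return False
    return (re.fullmatch(r"/proc/\d+/auxv", fields.get("name", "")) is not None
            and "r" in fields.get("denied_mask", ""))

def auxv_denials(journal_lines, profile="snap-update-ns.lxd"):
    """All records in `journal_lines` that match the bug's denial signature."""
    return [f for f in map(parse_avc, journal_lines) if is_auxv_denial(f, profile)]

def suggested_rule(fields):
    """One AppArmor rule form that would cover the denied path (assumption: the
    rule snapd actually ships may use a different path pattern)."""
    path = re.sub(r"/proc/\d+/", "/proc/[0-9]*/", fields["name"])
    return f"{path} {fields['denied_mask']},"

# Constructed journal excerpt: the line quoted in the bug plus two non-matching lines.
SAMPLE_JOURNAL = [
    'Feb 07 18:14:07 alan-jammy-uzzdrxwtvv audit[893]: AVC apparmor="DENIED" '
    'operation="open" profile="snap-update-ns.lxd" name="/proc/893/auxv" pid=893 '
    'comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Feb 07 18:14:08 alan-jammy-uzzdrxwtvv audit[900]: AVC apparmor="DENIED" '
    'operation="open" profile="snap-update-ns.lxd" name="/proc/900/status" pid=900 '
    'comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'Feb 07 18:14:09 alan-jammy-uzzdrxwtvv systemd[1]: Started Snap Daemon.',
]

if __name__ == "__main__":
    hits = auxv_denials(SAMPLE_JOURNAL)
    print(f"{len(hits)} matching denial(s)")      # prints "1 matching denial(s)"
    for h in hits:
        print(f"pid={h['pid']} name={h['name']} -> rule: {suggested_rule(h)}")
```

On a real system, feed it `journalctl -k -o cat` output (or the lines from `journalctl` that contain `apparmor="DENIED"`) and an empty result after upgrading to snapd 2.75 corresponds to step 2 of the test plan.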
