snapctl causes hooks to attempt to open ip/ipv6 tcp connection

Bug #1644573 reported by Didier Roche-Tolomelli
This bug affects 5 people
Affects: snapd | Status: Triaged | Importance: High | Assigned to: Unassigned | Milestone: (empty)

Bug Description

standard configuration hook using snapctl get: https://github.com/ubuntu/snow-on-me-snap/blob/master/meta/hooks/configure

No plugs are set on it, as it only fetches some data from snapctl and writes/updates config files.

Running it causes a lot of AppArmor denials in syslog:
Nov 24 12:31:33 localhost.localdomain /usr/lib/snapd/snapd[1106]: daemon.go:174: DEBUG: uid=1000;@ PUT /v2/snaps/snow-on-me/conf 53.830573ms 202
Nov 24 12:31:33 localhost.localdomain /usr/lib/snapd/snapd[1106]: taskrunner.go:353: DEBUG: Running task 323 on Do: Run configure hook of "snow-on-me" snap
Nov 24 12:31:33 localhost.localdomain audit[1784]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1784 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain kernel: audit: type=1400 audit(1479990693.543:40): apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1784 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain kernel: audit: type=1400 audit(1479990693.543:41): apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1784 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain kernel: audit: type=1400 audit(1479990693.543:42): apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1784 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain audit[1784]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1784 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain audit[1784]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1784 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain audit[1784]: AVC apparmor="DENIED" operation="open" profile="snap.snow-on-me.hook.configure" name="/run/snapd.socket" pid=1784 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 24 12:31:33 localhost.localdomain kernel: audit: type=1400 audit(1479990693.567:43): apparmor="DENIED" operation="open" profile="snap.snow-on-me.hook.configure" name="/run/snapd.socket" pid=1784 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 24 12:31:33 localhost.localdomain /usr/lib/snapd/snapd[1106]: daemon.go:174: DEBUG: @ POST /v2/snapctl 2.184682ms 200
Nov 24 12:31:33 localhost.localdomain audit[1791]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1791 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain audit[1791]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1791 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain audit[1791]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1791 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain kernel: audit: type=1400 audit(1479990693.619:44): apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1791 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain kernel: audit: type=1400 audit(1479990693.619:45): apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1791 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain kernel: audit: type=1400 audit(1479990693.619:46): apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1791 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Nov 24 12:31:33 localhost.localdomain audit[1791]: AVC apparmor="DENIED" operation="open" profile="snap.snow-on-me.hook.configure" name="/run/snapd.socket" pid=1791 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 24 12:31:33 localhost.localdomain kernel: audit: type=1400 audit(1479990693.639:47): apparmor="DENIED" operation="open" profile="snap.snow-on-me.hook.configure" name="/run/snapd.socket" pid=1791 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Nov 24 12:31:33 localhost.localdomain /usr/lib/snapd/snapd[1106]: daemon.go:174: DEBUG: @ POST /v2/snapctl 2.114525ms 200

Zyga looked into it, and it seems the issue is that Go (used in snapctl) has some peculiar code in the standard library that makes it bind to IP/IPv6 sockets to check if IPv6 is supported.
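As an added example (it is not part of the report and not snapd code): a small Go program that parses AppArmor DENIED lines like the ones above, groups them per profile and pid, and flags a process whose only refused network activity is creating inet and inet6 TCP sockets. That is the shape left by the Go net package's IP-stack probe, which creates loopback TCP sockets for AF_INET and AF_INET6, binds and closes them to find out which families work, and happens regardless of whether the program ever dials a TCP peer. The type and function names are the example's own; the first six sample lines are taken from the report, the last one is constructed. The heuristic cannot tell the probe from a program that truly wanted TCP and was refused at socket(), since AppArmor records only the create in both cases, so it reports a verdict "consistent with the probe" rather than declaring the denials noise.

```go
package main

import (
	"fmt"
	"regexp"
)

// Denial is one AppArmor DENIED record; Family/SockType/Protocol are set for
// socket operations, Name for file operations.
type Denial struct {
	Profile, PID, Comm, Operation, Family, SockType, Protocol, Name string
}

// kvRe matches quoted (comm="snapctl") and bare (pid=1784) fields alike.
var kvRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// ParseDenials splits the key=value fields of every line that carries
// apparmor="DENIED"; snapd DEBUG output and other lines are skipped.
func ParseDenials(lines []string) []Denial {
	var out []Denial
	for _, line := range lines {
		kv := map[string]string{}
		for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
			kv[m[1]] = m[2] + m[3] // exactly one of the two groups is non-empty
		}
		if kv["apparmor"] != "DENIED" {
			continue
		}
		out = append(out, Denial{Profile: kv["profile"], PID: kv["pid"], Comm: kv["comm"],
			Operation: kv["operation"], Family: kv["family"], SockType: kv["sock_type"],
			Protocol: kv["protocol"], Name: kv["name"]})
	}
	return out
}

// isProbeShaped reports whether a denial looks like one of the loopback TCP
// sockets the Go net package creates, binds and closes to test IPv4/IPv6 support.
func isProbeShaped(d Denial) bool {
	return d.Operation == "create" && d.SockType == "stream" && d.Protocol == "6" &&
		(d.Family == "inet" || d.Family == "inet6")
}

// Verdict collects the denials seen for one profile/pid pair.
type Verdict struct {
	Comm    string
	Probe   []Denial // probe-shaped inet/inet6 socket creations
	Network []Denial // any other network denial (connect, bind, sendmsg, ...)
	File    []Denial // path denials, e.g. open on /run/snapd.socket
}

// ConsistentWithProbe is true when the only network activity refused to the
// process is creating both inet and inet6 TCP sockets. A program that really
// wanted TCP and was stopped at socket() leaves the same records, so confirm
// with strace before writing such denials off as noise.
func (v *Verdict) ConsistentWithProbe() bool {
	if len(v.Probe) == 0 || len(v.Network) != 0 {
		return false
	}
	seen := map[string]bool{}
	for _, d := range v.Probe {
		seen[d.Family] = true
	}
	return seen["inet"] && seen["inet6"]
}

// Classify groups denials under a "profile/pid" key.
func Classify(ds []Denial) map[string]*Verdict {
	out := map[string]*Verdict{}
	for _, d := range ds {
		key := d.Profile + "/" + d.PID
		if out[key] == nil {
			out[key] = &Verdict{Comm: d.Comm}
		}
		v := out[key]
		switch {
		case isProbeShaped(d):
			v.Probe = append(v.Probe, d)
		case d.Family != "":
			v.Network = append(v.Network, d)
		default:
			v.File = append(v.File, d)
		}
	}
	return out
}

// sampleLines: the first six are copied from the report above (the audit[pid]
// AVC rendering; the kernel: audit: lines repeat the same records). The last
// one is constructed to show a process refused an actual TCP connect.
var sampleLines = []string{
	`Nov 24 12:31:33 localhost.localdomain audit[1784]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1784 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"`,
	`Nov 24 12:31:33 localhost.localdomain audit[1784]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1784 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"`,
	`Nov 24 12:31:33 localhost.localdomain audit[1784]: AVC apparmor="DENIED" operation="open" profile="snap.snow-on-me.hook.configure" name="/run/snapd.socket" pid=1784 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0`,
	`Nov 24 12:31:33 localhost.localdomain /usr/lib/snapd/snapd[1106]: daemon.go:174: DEBUG: @ POST /v2/snapctl 2.184682ms 200`,
	`Nov 24 12:31:33 localhost.localdomain audit[1791]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1791 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"`,
	`Nov 24 12:31:33 localhost.localdomain audit[1791]: AVC apparmor="DENIED" operation="create" profile="snap.snow-on-me.hook.configure" pid=1791 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"`,
	`Nov 24 12:31:40 localhost.localdomain audit[2001]: AVC apparmor="DENIED" operation="connect" profile="snap.example.hook.configure" pid=2001 comm="curl" family="inet" sock_type="stream" protocol=6 requested_mask="connect" denied_mask="connect"`,
}

func main() {
	for key, v := range Classify(ParseDenials(sampleLines)) {
		fmt.Printf("%s comm=%s probe-only=%v probe=%d network=%d file=%d\n", key, v.Comm, v.ConsistentWithProbe(), len(v.Probe), len(v.Network), len(v.File))
	}
}
```

Run it with `go run` to get one summary line per process. The open denial on /run/snapd.socket lands in the separate file bucket on purpose: it is a path rule, not a socket-family rule, and the report's own log shows the POST /v2/snapctl still returning 200 right after it, so its impact has to be judged on its own rather than lumped in with the probe.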

Zygmunt Krynicki (zyga)
Changed in snappy:
assignee: nobody → Zygmunt Krynicki (zyga)
importance: Undecided → High
Michael Vogt (mvo)
Changed in snappy:
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

I looked into this a little wondering if seccomp arg filtering would help. It does not as demonstrated by:
$ sudo strace -e trace=socket -f snapctl
strace: Process 10062 attached
[pid 10060] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid 10060] socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 3
[pid 10060] socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 4
...
[pid 10064] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
[pid 10064] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
[pid 10064] socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
error: snapctl cannot run without args

The PF_INET and PF_INET6 indicate why it is triggering the network rules (I would have expected it to only use PF_LOCAL/PF_UNIX/AF_LOCAL/AF_UNIX since this is a unix socket). If this is blocking people while Zygmunt investigates this, plug the network interface for this hook (snapd could do this itself).

Simon Fels (morphis) wrote :

This becomes a problem for any snap package (except core, as that has network-bind connected now) shipping a hook on distributions where we have AppArmor disabled and seccomp enabled.

Simon Fels (morphis) wrote :

See https://forum.snapcraft.io/t/hooks-calling-snapctl-are-broken-with-just-seccomp-enabled/658/7 for the discussion.

https://github.com/snapcore/snapd/pull/3394 provides the discussed change.

For Fedora and openSUSE we're landing a distro patch in the mean time.

Zygmunt Krynicki (zyga)
Changed in snappy:
assignee: Zygmunt Krynicki (zyga) → nobody
Michael Vogt (mvo)
affects: snappy → snapd