If I add the following to the apparmor profile (or put the profile in complain mode with "sudo sed -i 's/attach_disconnected/attach_disconnected,complain'/ /var/lib/snapd/apparmor/profiles/snap.core.hook.configure"):
network inet,
network inet6,
/run/snapd.socket rw,
and reload:
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.core.hook.configure
then run hook:
$ sudo snap run --shell --hook=configure core # HANG
I can then add 'bind' to /var/lib/snapd/seccomp/profiles/snap.core.hook.configure and try again it runs without hanging:
$ sudo snap run --shell --hook=configure core # NO HANG
...
$
What the above clearly shows is that if apparmor policy is adjusted to not block the accesses snapctl is attempting, then snapctl hits a seccomp denial for bind. This explains why systems with apparmor disabled but seccomp enabled see this problem.
Digging into this more, if the apparmor policy is adjusted to have (and bind is removed from the seccomp policy):
I can reproduce the hang:
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.core.hook.configure && sudo snap run --shell --hook=configure core # HANG
Ie, the '/run/snapd.socket rw' rule has no effect and is a red herring. I maintain my point in comment #4 that snapctl attempting to use /run/snapd.socket is causing confusion. Please either change snapctl or add 'deny /run/snapd.socket rw,' to all configure hook policy (I prefer the former since adding the explicit deny rule means a hook can never 'plugs: snapd-control).
What's interesting is that while Go's use of inet/inet6 (ie, bug #1644573) is triggering an inet and inet6 denial, there is a second inet6 denial that, when allowed, I suspect it allows the code to proceed to the point of the 'bind' seccomp denial. snapctl's use of bind() should be investigated and either avoided or conditionally add 'bind' to all configure hook policy.
This doesn't seem to have anything to do with upstream vs Ubuntu kernels. For example, on Ubuntu 16.04 LTS classic I see:
$ cat /proc/version_ signature
Ubuntu 4.4.0-66.87-generic 4.4.44
$ aa-enabled
Yes
$ snap list
Name Version Rev Developer Notes
core 16-2 1441 canonical -
# With AppArmor in strict mode
$ sudo snap run --shell --hook=configure core # NO HANG
...
$
with the following denials: 7.640:77) : apparmor="DENIED" operation="create" profile= "snap.core. hook.configure" pid=2407 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_ mask="create" denied_ mask="create" 7.640:78) : apparmor="DENIED" operation="create" profile= "snap.core. hook.configure" pid=2407 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_ mask="create" denied_ mask="create" 7.640:79) : apparmor="DENIED" operation="create" profile= "snap.core. hook.configure" pid=2407 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_ mask="create" denied_ mask="create" 7.644:80) : apparmor="DENIED" operation="open" profile= "snap.core. hook.configure" name="/ run/snapd. socket" pid=2407 comm="snapctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Mar 24 09:46:37 sec-xenial-amd64 kernel: [ 4103.232237] audit: type=1400 audit(149036679
Mar 24 09:46:37 sec-xenial-amd64 kernel: [ 4103.232471] audit: type=1400 audit(149036679
Mar 24 09:46:37 sec-xenial-amd64 kernel: [ 4103.232579] audit: type=1400 audit(149036679
Mar 24 09:46:37 sec-xenial-amd64 kernel: [ 4103.237185] audit: type=1400 audit(149036679
If I add the following to the apparmor profile (or put the profile in complain mode with "sudo sed -i 's/attach_ disconnected/ attach_ disconnected, complain' / /var/lib/ snapd/apparmor/ profiles/ snap.core. hook.configure" ):
network inet,
network inet6,
/run/snapd.socket rw,
and reload: snapd/apparmor/ profiles/ snap.core. hook.configure
$ sudo apparmor_parser -r /var/lib/
then run hook:
$ sudo snap run --shell --hook=configure core # HANG
I see: 6.272:82) : auid=1000 uid=0 gid=0 ses=1 pid=2440 comm="snapctl" exe="/usr/ bin/snapctl" sig=31 arch=c000003e syscall=49 compat=0 ip=0x563064039294 code=0x0
Mar 24 09:47:56 sec-xenial-amd64 kernel: [ 4181.864114] audit: type=1326 audit(149036687
$ scmp_sys_resolver 49
bind
I can then add 'bind' to /var/lib/ snapd/seccomp/ profiles/ snap.core. hook.configure and try again it runs without hanging:
$ sudo snap run --shell --hook=configure core # NO HANG
...
$
What the above clearly shows is that if apparmor policy is adjusted to not block the accesses snapctl is attempting, then snapctl hits a seccomp denial for bind. This explains why systems with apparmor disabled but seccomp enabled see this problem.
Digging into this more, if the apparmor policy is adjusted to have (and bind is removed from the seccomp policy):
#network inet,
network inet6,
#/run/snapd.socket rw,
I can reproduce the hang: snapd/apparmor/ profiles/ snap.core. hook.configure && sudo snap run --shell --hook=configure core # HANG
$ sudo apparmor_parser -r /var/lib/
Ie, the '/run/snapd.socket rw' rule has no effect and is a red herring. I maintain my point in comment #4 that snapctl attempting to use /run/snapd.socket is causing confusion. Please either change snapctl or add 'deny /run/snapd.socket rw,' to all configure hook policy (I prefer the former since adding the explicit deny rule means a hook can never 'plugs: snapd-control).
What's interesting is that while Go's use of inet/inet6 (ie, bug #1644573) is triggering an inet and inet6 denial, there is a second inet6 denial that, when allowed, I suspect it allows the code to proceed to the point of the 'bind' seccomp denial. snapctl's use of bind() should be investigated and either avoided or conditionally add 'bind' to all configure hook policy.