netlink-audit interface should be blocked from performing connection on trusty

Bug #1946414 reported by Ian Johnson
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Fix Committed | High | Alberto Mardegan | |

Bug Description

The netlink-audit interface includes the audit_read capability, which is not known to apparmor_parser from trusty. See this snap:

```yaml
name: test-snapd-netlink-audit

version: 1

apps:
  test-snapd-netlink-audit:
    command: bin.sh
    plugs:
      - netlink-audit
```

Upon installing the snap and attempting to connect the netlink-audit plug, this fails:

```
ubuntu@gainful-goshawk:~/test-snapd-netlink-audit$ sudo snap connect test-snapd-netlink-audit:netlink-audit
error: cannot perform the following tasks:
- Connect test-snapd-netlink-audit:netlink-audit to core:netlink-audit (cannot setup profiles for snap "test-snapd-netlink-audit": cannot load apparmor profiles: exit status 1
apparmor_parser output:
AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap.test-snapd-netlink-audit.test-snapd-netlink-audit in /var/lib/snapd/apparmor/profiles/snap.test-snapd-netlink-audit.test-snapd-netlink-audit at line 573: Invalid capability audit_read.
)
```

However, the interface connection is left inside the state, so any future connection for this snap also fails. See:

```
ubuntu@gainful-goshawk:~/test-snapd-netlink-audit$ sudo snap connect test-snapd-netlink-audit:netlink-audit
error: cannot perform the following tasks:
- Connect test-snapd-netlink-audit:netlink-audit to core:netlink-audit (cannot setup profiles for snap "test-snapd-netlink-audit": cannot load apparmor profiles: exit status 1
apparmor_parser output:
AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap.test-snapd-netlink-audit.test-snapd-netlink-audit in /var/lib/snapd/apparmor/profiles/snap.test-snapd-netlink-audit.test-snapd-netlink-audit at line 573: Invalid capability audit_read.
)
ubuntu@gainful-goshawk:~/test-snapd-netlink-audit$ sudo snap connect test-snapd-netlink-audit:system-observe
error: cannot perform the following tasks:
- Connect test-snapd-netlink-audit:system-observe to core:system-observe (cannot setup profiles for snap "test-snapd-netlink-audit": cannot load apparmor profiles: exit status 1
apparmor_parser output:
AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap.test-snapd-netlink-audit.test-snapd-netlink-audit in /var/lib/snapd/apparmor/profiles/snap.test-snapd-netlink-audit.test-snapd-netlink-audit at line 670: Invalid capability audit_read.
)
```

The fix here is probably to do the same thing we did for other recent interfaces that require certain AppArmor features to be available: query AppArmor for these features in the BeforeConnectPlug phase and, if they are not available, fail the BeforeConnectPlug function instead of failing in the AppArmorConnectedPlug function.
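As an added illustration of the ordering proposed above (example code, not snapd's own), a standalone Go model: the capabilities the parser knows are checked in the BeforeConnectPlug step, and the connection is recorded in state only when that check passes, so a failed connect leaves nothing behind. `sampleSnippet`, `trustyCaps`, `modernCaps`, `connState` and `connect` are constructed for the example; in snapd the probe would come from the real parser feature query.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for an interface's AppArmor snippet (snapd's real one is longer).
const sampleSnippet = `
network netlink raw,
capability audit_read,
capability audit_write,
`

var (
	// Illustrative parser capability sets (not complete feature lists): a
	// trusty-era apparmor_parser does not know audit_read, a current one does.
	trustyCaps = map[string]bool{"audit_write": true, "audit_control": true}
	modernCaps = map[string]bool{"audit_write": true, "audit_control": true, "audit_read": true}
	// capRe matches "capability <name>," rules in a profile snippet.
	capRe = regexp.MustCompile(`(?m)^\s*capability\s+([a-z_]+)\s*,`)
)

// unsupportedCapabilities returns the capabilities the snippet uses, in order of
// appearance, that the parser does not know about.
func unsupportedCapabilities(snippet string, parserCaps map[string]bool) []string {
	var missing []string
	for _, m := range capRe.FindAllStringSubmatch(snippet, -1) {
		if name := m[1]; !parserCaps[name] {
			missing = append(missing, name)
		}
	}
	return missing
}

// connState stands in for snapd's recorded connections.
type connState struct{ conns []string }

// connect models the proposed BeforeConnectPlug check: probe the parser first and
// record the connection only if the snippet would load, so no stale entry remains.
func connect(st *connState, plug, snippet string, parserCaps map[string]bool) error {
	if missing := unsupportedCapabilities(snippet, parserCaps); len(missing) > 0 {
		return fmt.Errorf("cannot connect %s: apparmor_parser lacks capability %s",
			plug, strings.Join(missing, ", "))
	}
	st.conns = append(st.conns, plug)
	return nil
}
```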

Changed in snapd:
assignee: nobody → Alberto Mardegan (mardy)
status: New → Confirmed
importance: Undecided → High
Alberto Mardegan (mardy) wrote:
Changed in snapd:
status: Confirmed → In Progress
Alberto Mardegan (mardy)
Changed in snapd:
status: In Progress → Fix Committed