Access to /bin/date in strict confinement

Is access to “/bin/date” allowed in strict confinement when using “time-control” interface? Is there some other interface that has to be used to gain access to “/bin/date”?

> $ sudo journalctl -f | grep my-snap01
> 
> Jun 03 15:41:43 box01 audit[2822]: AVC apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/proc/1/sched" pid=2822 comm="timedatectl.rea" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Jun 03 15:41:43 box01 kernel: audit: type=1400 audit(1591191703.502:342): apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/proc/1/sched" pid=2822 comm="timedatectl.rea" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Jun 03 15:41:43 box01 dbus-daemon[1098]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service' requested by ':1.66' (uid=0 pid=2822 comm="/usr/bin/timedatectl.real " label="snap.my-snap01.my-snap01 (enforce)")
> Jun 03 15:41:43 box01 my-snap01.my-snap01[1139]: /bin/date: cannot set date: Operation not permitted
> Jun 03 15:41:43 box01 audit[1556]: AVC apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/usr/bin/zdump" pid=1556 comm=54687265616420506F6F6C20576F72 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Jun 03 15:41:43 box01 kernel: audit: type=1400 audit(1591191703.978:344): apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/usr/bin/zdump" pid=1556 comm=54687265616420506F6F6C20576F72 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Jun 03 15:41:44 box01 audit[2827]: AVC apparmor="DENIED" operation="exec" profile="snap.my-snap01.my-snap01" name="/usr/bin/zdump" pid=2827 comm=54687265616420506F6F6C20576F72 requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Jun 03 15:41:44 box01 kernel: audit: type=1400 audit(1591191704.010:345): apparmor="DENIED" operation="exec" profile="snap.my-snap01.my-snap01" name="/usr/bin/zdump" pid=2827 comm=54687265616420506F6F6C20576F72 requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Jun 03 15:41:44 box01 audit[2828]: AVC apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/proc/1/sched" pid=2828 comm="hostnamectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Jun 03 15:41:44 box01 kernel: audit: type=1400 audit(1591191704.166:346): apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/proc/1/sched" pid=2828 comm="hostnamectl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Jun 03 15:41:44 box01 dbus-daemon[1098]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.68' (uid=0 pid=2828 comm="/usr/bin/hostnamectl " label="snap.my-snap01.my-snap01 (enforce)")
> Jun 03 15:41:44 box01 audit[1098]: USER_AVC pid=1098 uid=100 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.systemd1" pid=2828 label="snap.my-snap01.my-snap01" peer_pid=1 peer_label="unconfined"
> Jun 03 15:41:44 box01 kernel: audit: type=1107 audit(1591191704.330:347): pid=1098 uid=100 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.systemd1" pid=2828 label="snap.my-snap01.my-snap01" peer_pid=1 peer_label="unconfined"
> Jun 03 15:41:44 box01 audit[2833]: AVC apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/proc/1/sched" pid=2833 comm="timedatectl.rea" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Jun 03 15:41:44 box01 kernel: audit: type=1400 audit(1591191704.622:348): apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/proc/1/sched" pid=2833 comm="timedatectl.rea" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
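An added example (my own, not from the original post or from snapd) for triaging a log like the one above: a small Python script that pulls the AppArmor `DENIED` events out of journal text, drops the second copy of each event (the `kernel: audit: type=1400` line repeats the `audit[pid]: AVC` line), decodes the hex-encoded `comm` (AppArmor prints the process name as hex when it contains spaces, so `54687265616420506F6F6C20576F72` is `Thread Pool Wor`), and counts the denials by operation, target and mask, which is the shape a missing interface or profile rule has to cover. The sample lines embedded in it are copied from the post's log; everything else is mine.

```python
import re
from collections import Counter

# Constructed sample: a handful of the journal lines from the post above. The
# first AVC event appears twice (audit[pid] line and kernel "type=1400" line),
# and comm is hex-encoded where the process name contains spaces.
SAMPLE_LOG = """\
Jun 03 15:41:43 box01 audit[2822]: AVC apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/proc/1/sched" pid=2822 comm="timedatectl.rea" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 03 15:41:43 box01 kernel: audit: type=1400 audit(1591191703.502:342): apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/proc/1/sched" pid=2822 comm="timedatectl.rea" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 03 15:41:43 box01 my-snap01.my-snap01[1139]: /bin/date: cannot set date: Operation not permitted
Jun 03 15:41:43 box01 audit[1556]: AVC apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/usr/bin/zdump" pid=1556 comm=54687265616420506F6F6C20576F72 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 03 15:41:44 box01 audit[2827]: AVC apparmor="DENIED" operation="exec" profile="snap.my-snap01.my-snap01" name="/usr/bin/zdump" pid=2827 comm=54687265616420506F6F6C20576F72 requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jun 03 15:41:44 box01 audit[1098]: USER_AVC pid=1098 uid=100 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.systemd1" pid=2828 label="snap.my-snap01.my-snap01" peer_pid=1 peer_label="unconfined"
"""

# key=value pairs; the value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def decode_comm(comm):
    """Undo AppArmor's hex encoding of comm (used when the name contains
    spaces or non-printable bytes). A bare name that happens to be all hex
    digits is ambiguous, so the decoding is only accepted if it is printable."""
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', comm):
        decoded = bytes.fromhex(comm).decode('ascii', errors='replace')
        if decoded.isprintable():
            return decoded
    return comm


def parse_denials(text):
    """Return the unique DENIED events in journal text, in first-seen order."""
    seen = set()
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for key, quoted, bare in KV_RE.findall(line):
            # later keys win: the USER_AVC line carries dbus-daemon's own pid=
            # first and the confined caller's pid= further on
            fields[key] = quoted if quoted else bare
        rec = {
            'operation': fields.get('operation'),
            # file/exec denials carry profile=, D-Bus denials carry label=
            'profile': fields.get('profile') or fields.get('label'),
            'target': fields.get('name'),
            'comm': decode_comm(fields.get('comm', '')),
            'mask': fields.get('denied_mask') or fields.get('mask'),
            'pid': fields.get('pid'),
        }
        if rec['operation'] == 'dbus_method_call':
            rec['target'] = '{}.{} on {}'.format(
                fields.get('interface'), fields.get('member'), fields.get('name'))
        key = tuple(sorted(rec.items()))
        if key in seen:
            continue  # kernel "type=1400" copy of an event already recorded
        seen.add(key)
        denials.append(rec)
    return denials


def summarize(denials):
    """Count denials by (operation, target, mask)."""
    return Counter((d['operation'], d['target'], d['mask']) for d in denials)


if __name__ == '__main__':
    found = parse_denials(SAMPLE_LOG)
    for (op, target, mask), n in summarize(found).most_common():
        print(f'{n}x {op:<17} {mask:<5} {target}')
```

On a live system you would feed it the output of `sudo journalctl -f | grep my-snap01` (or `sys.stdin.read()`) instead of the embedded sample; the summary then lists each distinct path, exec target and D-Bus method the profile is blocking, which is what you compare against the interfaces the snap has plugged.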

Running /usr/bin/date is allowed in the base template. Plugging time-control allows changing the date via timedatectl set-time.

This looks like something that should not actually be causing a problem:

AVC apparmor="DENIED" operation="open" profile="snap.my-snap01.my-snap01" name="/proc/1/sched" pid=2822 comm="timedatectl.rea" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

@jdstrand do you think we should explicitly allow/deny this access?

I forgot to mention that I try to set the date using “/bin/date” and it fails. Getting the date using “/bin/date” works.

This should fix your problem: https://github.com/snapcore/snapd/pull/8827. If security review approves it, then it should land in a point release (2.45.1 is out, so .2 or later).


I reviewed and approved the PR.
