Apparmor denied in prepare-device hooks

gary-wzl · October 24, 2017, 3:27am

Hi guys
I pre-shipped a gadget snap with strict confinement in my customized classic image. And the gadget snap has been uploaded to a brand store and manually reviewed. The hooks(prepare-device) shipped in gadget snap is trying to talk to the remote serial vault service to complete the device registration at the first boot.
I can see the gadget snap and core snap are both installed after the first boot.

ubuntu@ubuntu:~$ snap list
Name                 Version    Rev   Developer  Notes
classic-gadget-gary  1.0        1     garywzl77  gadget
core                 16-2.28.5  3247  canonical  core

But it gives nothing after I ran snap known serial. And the command snap changes show me an error during device Initialization.

ubuntu@ubuntu:~$ snap changes
ID   Status  Spawn                 Ready                 Summary
1    Done    2017-10-24T01:23:49Z  2017-10-24T01:23:54Z  Initialize system state
2    Error   2017-10-24T01:23:53Z  2017-10-24T01:23:59Z  Initialize device
3    Error   2017-10-24T01:28:59Z  2017-10-24T01:33:56Z  Initialize device
4    Error   2017-10-24T01:43:52Z  2017-10-24T01:49:00Z  Initialize device
5    Error   2017-10-24T01:50:30Z  2017-10-24T01:50:34Z  Initialize device
...

And the bunch of apparmor denial can be found at syslog

Oct 24 01:48:52 ubuntu kernel: [ 1525.891166] audit: type=1400 audit(1508809732.772:43): apparmor="DENIED" operation="create" profile="snap.classic-gadget-gary.hook.prepare-device" pid=1946 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Oct 24 01:48:52 ubuntu kernel: [ 1525.891312] audit: type=1400 audit(1508809732.772:44): apparmor="DENIED" operation="create" profile="snap.classic-gadget-gary.hook.prepare-device" pid=1946 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Oct 24 01:48:52 ubuntu kernel: [ 1525.891361] audit: type=1400 audit(1508809732.772:45): apparmor="DENIED" operation="create" profile="snap.classic-gadget-gary.hook.prepare-device" pid=1946 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Oct 24 01:48:52 ubuntu kernel: [ 1525.903420] audit: type=1400 audit(1508809732.784:46): apparmor="DENIED" operation="create" profile="snap.classic-gadget-gary.hook.prepare-device" pid=1952 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Oct 24 01:48:52 ubuntu kernel: [ 1525.903516] audit: type=1400 audit(1508809732.784:47): apparmor="DENIED" operation="create" profile="snap.classic-gadget-gary.hook.prepare-device" pid=1952 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Oct 24 01:48:52 ubuntu kernel: [ 1525.903560] audit: type=1400 audit(1508809732.784:48): apparmor="DENIED" operation="create" profile="snap.classic-gadget-gary.hook.prepare-device" pid=1952 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Oct 24 01:48:52 ubuntu kernel: [ 1525.926260] audit: type=1400 audit(1508809732.804:49): apparmor="DENIED" operation="create" profile="snap.classic-gadget-gary.hook.prepare-device" pid=1958 comm="snapctl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Oct 24 01:48:52 ubuntu kernel: [ 1525.926273] audit: type=1400 audit(1508809732.804:50): apparmor="DENIED" operation="create" profile="snap.classic-gadget-gary.hook.prepare-device" pid=1958 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
Oct 24 01:48:52 ubuntu kernel: [ 1525.926278] audit: type=1400 audit(1508809732.804:51): apparmor="DENIED" operation="create" profile="snap.classic-gadget-gary.hook.prepare-device" pid=1958 comm="snapctl" family="inet6" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"

I suppose that fine-tuning the confinement of gadget snap strict to devmode or classic in the snap.yaml would workaround my problem. But to me, it’s more like a bug in snapd(snapctl) at the stage of running prepare-device hooks when a strict confinement gadget snap is installed in the system.

BR
Gary

gary-wzl · October 25, 2017, 2:05am

Declaring the two plugs in snap.yaml makes the above problem goes away.

hooks:
  prepare-device:
     plugs:
     - network-bind
     - network

Another finding is that when we pre-shipped a strict confinement gadget snap on pi3(ubuntu-core), we didn’t encounter the above apparmor denials even without those two plugs declared.
So is this a requirement only for classic gadgets?

pedronis · October 26, 2017, 4:39pm

@mvo, @zyga-snapd what’s the status for hooks using snapctl? do they need plugs? or not anymore? or it depends? (I lost track of this, thought that it was “fixed”)

jdstrand · October 26, 2017, 8:11pm

This issue is clearly another manifestation of https://bugs.launchpad.net/snappy/+bug/1595993, https://bugs.launchpad.net/snappy/+bug/1644573 and the related Hooks calling snapctl are broken with just Seccomp enabled. Perhaps golang doesn’t compile code that requires the apparmor network rules on ARM? Perhaps the denials were there but you didn’t wee them due to kernel rate limiting?

To work around this immediately, use (like you said):

hooks:
  prepare-device:
    plugs:
    - network-bind