/bin/sync not allowed


Apparently our confinement blocks the execution of /bin/sync for all snapped apps, the only reference in the source for interfaces allowing to use this command are the docker and core-support interfaces which are both not for general use.

Since flushing caches to disk isnt actually an evil thing i was wondering if we could perhaps just enable the execution of /bin/sync for all snaps …


I would need to re-review this. I recall that it was an active decision to not include it, but can’t recall OTOH the reasons. I’ll be sure to review this before 2.32.


related bug:



We plan to have a 2.31.1 with some fixes, if the PR is trivial we could pull this in there as well


Looking at this more, we did review the sync family of syscalls and we allow them. It looks like we just omitted the binary from the apparmor policy. Today, snaps can ship their own sync. I’m preparing a PR for the apparmor update now.


This is committed to master. We’re working to also get it into 2.31.