Cannot mount squashfs image using "squashfs": ... Operation not permitted

mborzecki · October 28, 2019, 11:30am

The relevant part of the log:

2797385: libmount: LOOP: [0x555d00479460]: not found; create a new loop device 
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: initialize context 
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: init: ignore ioctls 
2797385: libmount: LOOP: [0x555d00479460]: enabling AUTOCLEAR flag 
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: find_unused requested 
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: using loop scan 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: initialize 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: next 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: next: default check
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: loop0 name assigned
2797385: loopdev: ITER: [0x7ffc4d1aa760]: /dev/loop0 does not exist
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: loop1 name assigned 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: /dev/loop1 does not exist 
...
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: loop7 name assigned 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: /dev/loop7 does not exist 
2797385: loopdev: ITER: [0x7ffc4d1aa760]: next: scanning /dev 
2797385: loopdev: ITER: scan dir: /dev/ 
...
2797385: loopdev: CXT: [0x7ffc4d1aa5d0]: find_unused by scan [rc=1] 
...
2797385: libmount: CXT: [0x555d00479460]: mount: preparing failed 
2797385: libmount: CXT: [0x555d00479460]: excode: rc=1 message="mount failed: Operation not
permitted" mount: /tmp/sanity-mountpoint-326453316: mount failed: Operation not permitted.

Which indicates that loopdev cannot for some reason access /dev/loop-control and goes into /dev/scanning mode. The difference is, in the loop-control mode mount would do LOOP_CTL_GET_FREE which allocates a new device when none are free. In the /dev scanning mode, it does not create new devices, but instead tries to use the existing ones, by trying some pre-determined set of device names.

This does not explain why mount invoked by snapd cannot access /dev/loop-control. On my vanilla Arch, with the default systemd setup and the service unit that came from the package, it can.

Looking at util-linux all it does is a simple stat on /dev/loop-control:

github.com

karelzak/util-linux/blob/master/lib/loopdev.c#L189-L192


	if (!(lc->flags & LOOPDEV_FL_CONTROL) && !stat(_PATH_DEV_LOOPCTL, &st)) {
		lc->flags |= LOOPDEV_FL_CONTROL;
		DBG(CXT, ul_debugobj(lc, "init: loop-control detected "));

I would guess there’s some limitation applied in your local system configuration. Maybe check if PrivateDevices isn’t set by systemd on snapd.service.

Edit: and double check that the loop module can actually by loaded into the kernel.