Cannot perform readlinkat() on 4.13.0-45

DanielBull · June 14, 2018, 10:20am

Apologies if this has been posted before, I had a look but only spotted problems with older kernels.

I’m seeing failures on all my Kubuntu 17.10 boxes when trying to run any snaps…

$ uname -a
Linux hostname 4.13.0-45-generic #50-Ubuntu SMP Wed May 30 08:23:18 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ snap list
Name Version Rev Tracking Developer Notes
core 16-2.32.8 4650 stable canonical core
…

$ spotify
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
$ gotop
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
$ tldr
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied
…

DanielBull · June 14, 2018, 10:22am

Sorry should have mentioned the issue started sometime either yesterday (13th June) or the day before. Possibly with a kernel update or something?

jdstrand · June 14, 2018, 1:14pm

What is the output of snap version? Do you see any denials in the logs? Eg, sudo journalctl | grep audit: (at the time of the error).

FYI @zyga-snapd (this is coming from sc_reassociate_with_pid1_mount_ns() in snap-confine).

DanielBull · June 14, 2018, 2:26pm

$ snap version
snap 2.32.9+17.10
snapd 2.32.9+17.10
series 16
ubuntu 17.10
kernel 4.13.0-45-generic

$ sudo journalctl | grep audit:
Jun 14 15:25:48 hostname kernel: audit: type=1400 audit(1528986348.019:52): apparmor=“DENIED” operation=“capable” profile="/usr/lib/snapd/snap-confine" pid=9706 comm=“snap-confine” capability=19 capname=“sys_ptrace”

jdstrand · June 14, 2018, 2:28pm

@zyga-snapd, it seems like snap-confine needs to now have ‘capability sys_ptrace,’. This is not surprising as the ptrace capability is overloaded (see ‘man capabilities’, but that list is incomplete).

jdstrand · June 14, 2018, 2:29pm

@DanielBull - if you add to /etc/apparmor.d/usr.lib.snapd.snap-confine the following:

capability sys_ptrace,

Then run sudo apparmor_parser -r /etc/apparmor.d/usr.lib.snapd.snap-confine, do things start to work again?

jdstrand · June 14, 2018, 2:30pm

@mvo, @zyga-snapd - this seems like something for 2.33.1.

zyga-snapd · June 14, 2018, 2:30pm

We can certainly add it though I don’t understand what happened here. 4.13 is an older release. Is this a regression?

DanielBull · June 14, 2018, 2:33pm

OK provided I did that correctly I have a new error…
Jun 14 15:31:32 hostname kernel: audit: type=1400 audit(1528986692.478:56): apparmor=“DENIED” operation=“ptrace” profile="/usr/lib/snapd/snap-confine" pid=11188 comm=“snap-confine” requested_mask=“trace” denied_mask=“trace” peer=“unconfined”

I’m not skilled with apparmor but I guess I need to add operation ptrace in that same file. Let me try.

jdstrand · June 14, 2018, 2:34pm

@zyga-snapd - it could be a kernel regression or an intentional change in the kernel. It isn’t clear from https://launchpad.net/ubuntu/+source/linux/4.13.0-45.50 but the point is, I’m not surprised that sys_ptrace is needed for that readlinkat and so the change is good on its own merits.

jdstrand · June 14, 2018, 2:36pm

You need: ptrace (trace) peer=unconfined,

This is an unfortunate, but again, not totally unexpected denial.

zyga-snapd · June 14, 2018, 2:37pm

I’ll prepare a PR

CC @mvo - we will need a small add-on to 2.33

zyga-snapd · June 14, 2018, 2:40pm

@jdstrand snap-confine’s apparmor profile already has

trace trace peer=unconfined (note that lack of parentheses)
capability sys_ptrace

As such … reporter, can you please pastebin /etc/apparmor.d/usr.lib.snapd.snap.confine.real

DanielBull · June 14, 2018, 2:40pm

OK new one…

$ spotify
cannot create lock directory /run/snapd/lock: Permission denied

Jun 14 15:39:12 hostname kernel: audit: type=1400 audit(1528987152.377:66): apparmor=“DENIED” operation=“mkdir” profile="/usr/lib/snapd/snap-confine" name="/run/snapd/lock/" pid=13151 comm=“snap-confine” requested_mask=“c” denied_mask=“c” fsuid=0 ouid=0

jdstrand · June 14, 2018, 2:41pm

@DanielBull - something is wrong with your profile it seems. Please respond to @zyga-snapd’s request.

DanielBull · June 14, 2018, 2:41pm

Yes will do… doing now

zyga-snapd · June 14, 2018, 2:42pm

I bet you are running with a very old apparmor profile for snap-confine. I’m also surprised you are not using snapd re-execution (where snapd uses core snap to update itself).

When snapd.deb was updated, did you choose to keep existing “conf file” in /etc/apparmor.d? If so that would explain a lot of the errors you are seeing.

DanielBull · June 14, 2018, 2:47pm

Is the file (It doesn’t exist with the dot):
/etc/apparmor.d/usr.lib.snapd.snap-confine.real

Pasting now.

I don’t recall keeping any existing config files for snap or being given the choice but I can’t say it definitely didn’t happen.

It is odd I am seeing it on multiple boxes though.

zyga-snapd · June 14, 2018, 2:48pm

From the profile itself:

    # support for the mount namespace sharing
    capability sys_ptrace,
    # allow snap-confine to read /proc/1/ns/mnt
    ptrace trace peer=unconfined,
...
    # support for locking
    /run/snapd/lock/ rw,
    /run/snapd/lock/*.lock rwk,

What happens when you run:

sudo apparmor_parser -r /etc/apparmor.d/usr.lib.snapd.snap-confine.real

DanielBull · June 14, 2018, 2:52pm

It works thanks! So somehow I got my apparmor config in a mess? Thanks for your time.