Can't debug snap security log on mainline kernel 4.15

Just upgraded to the mainline kernel on 16.04 LTS, and I then thought to continue my snap development; so far I am not getting any AppArmor log of local snaps.

snap version

snap    2.30
snapd   2.30
series  16
ubuntu  16.04
kernel  4.15.0-041500-generic

snap debug confinement
partial

On a cold boot of the PC, and then after starting my local snaps, the denial below is shown.

syslog
apparmor="DENIED" operation="capable" profile="/snap/core/3887/usr/lib/snapd/snap-confine" pid=4873 comm="snap-confine" capability=2 capname="dac_read_search"

Probably the mainline kernel is not yet patched for snapd and for older Ubuntu versions, so it is better to use the current HWE kernel for LTS, where it is supported and properly patched for debug confinement.

While I agree that on Ubuntu using the Ubuntu hwe kernel is going to give you full snapd support, it would be good to understand the 4.15 behavior since there might be regressions there.

Where did you get the 4.15 kernel? What are the exact steps to reproduce?

Warning!!! Any other user who is seeing this post: do not use this on your main PC; it will break hard. You have been warned.

First I downloaded these from the kernel PPA site. Well, now a newer version, 4.15.1, is uploaded there; anyway, the files below are exactly the ones I used.

Steps I did

Downloaded three deb files

linux-headers-4.15.0-041500_4.15.0-041500.201802011154_all.deb
linux-headers-4.15.0-041500-generic_4.15.0-041500.201802011154_amd64.deb
linux-image-4.15.0-041500-generic_4.15.0-041500.201802011154_amd64.deb

Then installed these from download dir one by one

sudo apt install ./linux-headers-4.15.0-041500_4.15.0-041500.201802011154_all.deb
sudo apt install ./linux-headers-4.15.0-041500-generic_4.15.0-041500.201802011154_amd64.deb
sudo apt install ./linux-image-4.15.0-041500-generic_4.15.0-041500.201802011154_amd64.deb

Then I rebooted the system so it boots that kernel, and after that I went on debugging my snaps and had the above issue that I posted in the first post.

Thank you for these details. I was unable to reproduce in a xenial VM. Here is what I did:

$ ssh vm
$ sudo snap install core
$ sudo snap install hello-world
$ sudo snap install snappy-debug
$ hello-world
$ sudo hello-world
$ sudo snappy-debug.security scanlog
$ sudo dpkg -i ./the kernels you mentioned*.deb
$ sudo reboot

$ ssh vm
$ hello-world
$ sudo hello-world
$ sudo snappy-debug.security scanlog

Everything worked with no denials. Can you provide additional details to reproduce beyond installing the kernels? Specifically, details on “after that I went on debugging my snaps” would be great.

Thanks again!

Sorry, I thought that this denial caused the problem on the newer kernel, but I totally misunderstood that one. The real issue here was that I did not get any AppArmor log for local snaps like snappy-debug.security usually shows, and this could be due to snap debug confinement being partial on the newer kernel rather than strict.

You are correct that partial confinement will create policy that does not show denials in the logs for snaps. The initial report wasn’t for snaps, but for snap-confine:

apparmor="DENIED" operation="capable" profile="/snap/core/3887/usr/lib/snapd/snap-confine" pid=4873 comm="snap-confine" capability=2 capname="dac_read_search"

This is what I couldn’t reproduce.
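As an added example (not part of this thread, and not code from snapd or snappy-debug), here is a small Python scanner for AppArmor audit lines of the form quoted above: it separates denials raised by snap-confine's own profile from those raised by a snap application's profile, and uses the output of snap debug confinement to explain why a snap shows no denials at all. Only the first sample syslog line is the denial from the thread; the other lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines. Only the first denial is the one quoted in
# the thread; the rest are made up to show the other cases the scanner handles.
SAMPLE_SYSLOG = """\
Feb  3 10:12:01 host kernel: audit: type=1400 audit(1517652721.1:55): apparmor="DENIED" operation="capable" profile="/snap/core/3887/usr/lib/snapd/snap-confine" pid=4873 comm="snap-confine" capability=2 capname="dac_read_search"
Feb  3 10:12:05 host kernel: audit: type=1400 audit(1517652725.0:56): apparmor="DENIED" operation="open" profile="snap.hello-world.hello-world" name="/etc/shadow" pid=4901 comm="hello-world" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb  3 10:12:06 host kernel: audit: type=1400 audit(1517652726.0:57): apparmor="ALLOWED" operation="open" profile="snap.hello-world.hello-world" name="/etc/hostname" pid=4901 comm="hello-world" requested_mask="r" denied_mask="r"
Feb  3 10:12:07 host systemd[1]: Started Session 3 of user dev.
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_apparmor(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an AppArmor audit line, or None if the line is not one."""
    if 'apparmor="' not in line:
        return None
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}

def classify_profile(profile: str) -> str:
    """Tell snapd's snap-confine helper profile apart from a snap application profile."""
    if profile.endswith("/usr/lib/snapd/snap-confine"):
        return "snap-confine"
    if profile.startswith("snap."):
        return "snap-app"
    return "other"

def scan_denials(text: str) -> List[Dict[str, str]]:
    """Collect only DENIED events (complain-mode ALLOWED lines and non-AppArmor lines are skipped)."""
    denials = []
    for line in text.splitlines():
        ev = parse_apparmor(line)
        if ev and ev.get("apparmor") == "DENIED":
            ev["kind"] = classify_profile(ev.get("profile", ""))
            denials.append(ev)
    return denials

def confinement_hint(confinement: str, denials: List[Dict[str, str]]) -> str:
    """Interpret an empty snap-app denial list using the output of `snap debug confinement`."""
    if confinement.strip() != "strict" and not any(d["kind"] == "snap-app" for d in denials):
        return "confinement is not strict: snap app denials are not logged on this kernel"
    return "ok"
```

On a real machine, feed it the output of journalctl -k or /var/log/syslog instead of SAMPLE_SYSLOG and the result of snap debug confinement as the first argument of confinement_hint.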

Yeah, I could not reproduce it either with kernel 4.15.0 or 4.15.1 on the same machine, though that denial I posted was copied from the GNOME Logs app, not from snappy-debug, when I was using it for the AppArmor log.