Hi all
I’ve been working some more on the parca-agent snap. Given that it’s inspecting the system at such a low level (using eBPF for CPU process tracing, etc.) I’m beginning to wonder if classic confinement might be a better way to go?
While the eBPF functionality is there, and broadly the agent seems to work, I get a lot of messages in the journal complaining:
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/snappy-debug/598/usr/bin/python3.6" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/snappy-debug/598/usr/bin/python3.6 (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/parca/297/parca" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/parca/297/parca (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/microk8s/4055/kubelite" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/microk8s/4055/kubelite (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/parca/297/parca" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/parca/297/parca (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/microk8s/4055/kubelite" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/microk8s/4055/kubelite (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/snappy-debug/598/usr/bin/python3.6" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/snappy-debug/598/usr/bin/python3.6 (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/parca/297/parca" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/parca/297/parca (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/microk8s/4055/kubelite" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/microk8s/4055/kubelite (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/parca/297/parca" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/parca/297/parca (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Oct 05 14:47:16
Log: apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/microk8s/4055/bin/k8s-dqlite" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /snap/microk8s/4055/bin/k8s-dqlite (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
This is where the agent is trying to access the binaries/libs that it’s profiled, and I don’t know that I could ever come up with a sufficiently broad interface to capture that, as it’ll change from system to system? I note that other snaps with a similar purpose (like telegraf) are classic, and wonder if perhaps that’s the way to go?
The agent also tries to execute systemctl on startup to get a list of active systemd units to make its reporting more accurate, which can be seen in the logs for the agent:
2022-10-05T14:45:07+01:00 parca-agent.parca-agent-svc[1796859]: level=warn name=parca-agent ts=2022-10-05T13:45:07.223014524Z caller=discovery_manager.go:221 msg="unable to start provider" provider=systemd/0 error="failed to list units: fork/exec /usr/bin/systemctl: permission denied"
Interested in any thoughts on this?
Many thanks!
Jon
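When deciding between strict and classic confinement, it helps to see at a glance which denied paths are inside the snap's own $SNAP tree (fixable by the snap itself), which are in other snaps' mount trees (the case Jon describes, where the set of paths depends on what is installed), and which are host paths such as /usr/bin/systemctl. The following script is an added example, not code from the post or from the Parca project: it parses AppArmor "DENIED" records of the kind snappy-debug prints and buckets them by that distinction. The sample lines are constructed from the denials quoted above; the exec denial for systemctl and the read of /snap/parca-agent/12/bin/parca-agent are hypothetical additions to exercise the other two buckets.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample records modelled on the snappy-debug output in the post.
# The "exec" line for systemctl and the read under /snap/parca-agent/... are
# hypothetical, added to exercise the "host" and "own-snap" buckets.
SAMPLE_LOG = [
    'apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/snappy-debug/598/usr/bin/python3.6" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/parca/297/parca" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/microk8s/4055/kubelite" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/parca/297/parca" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="exec" profile="snap.parca-agent.parca-agent-svc" name="/usr/bin/systemctl" pid=1796859 comm="parca-agent" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.parca-agent.parca-agent-svc" name="/snap/parca-agent/12/bin/parca-agent" pid=1796859 comm="parca-agent" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# key="quoted value" or key=bareword, as AppArmor audit records are written
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# /snap/<snap-name>/<revision>/... mount tree of an installed snap
_SNAP_MOUNT = re.compile(r"^/snap/([^/]+)/")


def parse_denial(line):
    """Parse one audit line into a dict of fields; None unless it is a DENIED record."""
    fields = {k: (q if q is not None else u) for k, q, u in _KV.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def snap_name_from_profile(profile):
    """'snap.<snap>.<app>' -> '<snap>'; None for profiles that are not snap apps."""
    parts = profile.split(".")
    if len(parts) < 3 or parts[0] != "snap":
        return None
    return parts[1]


def classify_path(profile, path):
    """Bucket a denied path relative to the confined snap named in the profile."""
    own = snap_name_from_profile(profile)
    m = _SNAP_MOUNT.match(path)
    if m:
        return "own-snap" if m.group(1) == own else "other-snap"
    return "host"


def summarize(lines):
    """Aggregate DENIED records into {bucket: Counter((operation, denied_mask, path))}."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_denial(line)
        if rec is None or "name" not in rec:
            continue
        bucket = classify_path(rec.get("profile", ""), rec["name"])
        summary[bucket][(rec.get("operation"), rec.get("denied_mask"), rec["name"])] += 1
    return dict(summary)


def other_snap_paths(summary):
    """Distinct paths under other snaps' mount trees: the set that varies per host."""
    return {path for (_op, _mask, path) in summary.get("other-snap", Counter())}


def render(summary):
    """Human-readable report, one line per distinct (bucket, operation, mask, path)."""
    out = []
    for bucket in ("own-snap", "other-snap", "host"):
        for (op, mask, path), n in sorted(summary.get(bucket, Counter()).items()):
            out.append(f"{bucket:10} {op:5} {mask:3} x{n:<3} {path}")
    return "\n".join(out)


if __name__ == "__main__":
    # e.g.  journalctl -k --no-pager | python3 classify_denials.py
    lines = [l for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG
    print(render(summarize(lines)))
```

The "other-snap" bucket is the one that cannot be enumerated in advance: its contents are whatever other snaps happen to be installed and running on the host, which is exactly the difficulty raised in the post. Piping kernel journal output through the script (the `audit:` prefix and `type=1400` field are ignored harmlessly) gives a quick per-host view of how large that bucket is before settling on a confinement model.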