Classic confinement request for fnotifystat

cking · March 25, 2020, 11:37am

Hi, I’d like to make a classic confinement request for fnotifystat. This is a useful tool for monitoring file activity (e.g. debugging why file systems are busy).

fnotifystat request access to various per process /proc files to get command line information from /proc/*/cmdline and process name information from /proc/*/comm, pid sizes from /proc/sys/kernel/pid_max, mount information /proc/self/mounts and file description information from /proc/*/fd/*. Currently the system-observe plugin won’t cater for some of the more esoteric per-process information that the tool would like to read.

More information:
Git repo: https://github.com/ColinIanKing/fnotifystat
Project page: https://kernel.ubuntu.com/~cking/fnotifystat/

ijohnson · March 25, 2020, 5:26pm

Does fnotifystat require write access to any of the /proc files? If it’s all just read, perhaps you could try using the system-backup interface which allows read access to any file?

cking · March 25, 2020, 7:50pm

Afraid system-backup doesn’t work for this case.

ijohnson · March 25, 2020, 9:25pm

Hi, could you be more specific about how system-backup doesn’t work for this use case? I realize it’s not really what that interface is for, but do you see any AppArmor denials when running fnotifystate with the system-backup interface connected for the snap? You can also install the snap in devmode and see audits in the system journal that were allowed that would be denied in strict mode.

jdstrand · March 30, 2020, 9:02pm

Please note that the /proc (and /sys and /dev) directories are intentionally omitted from system-backup.

jdstrand · March 30, 2020, 9:12pm

system-observe covers /proc/*/cmdline and /proc/*/comm.

mount-observe has owner @{PROC}/@{pid}/mounts r, - is the ‘owner’ match causing you trouble?

/proc/sys/kernel/pid_max and /proc/*/fd/* are not covered anywhere.

You mentioned more esoteric cases-- are those separate from the above? If so, can you list them?

Rather than classic, it seems we could either update snapd to handle some of the above, or you could use system-files. Eg:

plugs:
  proc:
    interface: system-files
    read:
    - /proc

I’ve taken a TODO to investigate where to put these accesses.

jdstrand · April 15, 2020, 3:27pm

@cking - fyi, recent changes to 2.43.3 should address some of the accesses you need. Can you try it and respond to my last comment?

jdstrand · May 18, 2020, 7:30pm

@cking - ping, this request cannot proceed without the requested information.

alexmurray · June 1, 2020, 7:13am

@cking I am removing this request from our queue but will re-add it if you can provide the requested information.