Classic confinement request for fnotifystat

Hi, I’d like to make a classic confinement request for fnotifystat. This is a useful tool for monitoring file activity (e.g. debugging why file systems are busy).

fnotifystat request access to various per process /proc files to get command line information from /proc/*/cmdline and process name information from /proc/*/comm, pid sizes from /proc/sys/kernel/pid_max, mount information /proc/self/mounts and file description information from /proc/*/fd/*. Currently the system-observe plugin won’t cater for some of the more esoteric per-process information that the tool would like to read.

More information:
Git repo: https://github.com/ColinIanKing/fnotifystat
Project page: https://kernel.ubuntu.com/~cking/fnotifystat/

1 Like

Does fnotifystat require write access to any of the /proc files? If it’s all just read, perhaps you could try using the system-backup interface which allows read access to any file?

Afraid system-backup doesn’t work for this case.

Hi, could you be more specific about how system-backup doesn’t work for this use case? I realize it’s not really what that interface is for, but do you see any AppArmor denials when running fnotifystate with the system-backup interface connected for the snap? You can also install the snap in devmode and see audits in the system journal that were allowed that would be denied in strict mode.

Please note that the /proc (and /sys and /dev) directories are intentionally omitted from system-backup.

system-observe covers /proc/*/cmdline and /proc/*/comm.

mount-observe has owner @{PROC}/@{pid}/mounts r, - is the ‘owner’ match causing you trouble?

/proc/sys/kernel/pid_max and /proc/*/fd/* are not covered anywhere.

You mentioned more esoteric cases-- are those separate from the above? If so, can you list them?

Rather than classic, it seems we could either update snapd to handle some of the above, or you could use system-files. Eg:

plugs:
  proc:
    interface: system-files
    read:
    - /proc

I’ve taken a TODO to investigate where to put these accesses.