Core snap modifications for chromium snap on debian jessie needed?!?

Hi,

after manually backporting some packages I've managed to get snapd working on my
older Debian Jessie. The version used is snapd_2.45.1ubuntu0.2.

But when I try to start the chromium snap I get some AppArmor errors in the
journal log.

Aug 17 15:08:14 Client kernel: audit: type=1400 audit(1597669694.124:369): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libncurses.so.5.9" pid=31160 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:08:14 Client kernel: audit: type=1400 audit(1597669694.124:370): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libncurses.so.5.9" pid=31160 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

When I add libncurses to /var/lib/snapd/apparmor/profiles/snap-confine.core.9804
I get the following messages, but chromium starts and is running.

Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.712:238): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/proc/meminfo" pid=30467 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.712:239): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libnss_compat-2.19.so" pid=30467 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.712:240): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libnss_compat-2.19.so" pid=30467 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.712:241): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/proc/meminfo" pid=30468 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.716:242): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libnss_compat-2.19.so" pid=30468 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.716:243): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libnss_compat-2.19.so" pid=30468 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.716:244): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/proc/meminfo" pid=30469 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.716:245): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libnss_compat-2.19.so" pid=30469 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.716:246): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libnss_compat-2.19.so" pid=30469 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.716:247): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/proc/meminfo" pid=30470 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

So I added some more modifications to get rid of these messages.

— /home/ghost/snap-confine.core.9804.orig 2020-08-17 15:03:23.208288366
+0200
+++ /var/lib/snapd/apparmor/profiles/snap-confine.core.9804 2020-08-11
14:04:36.403048610 +0200
@@ -43,6 +43,13 @@

 /snap/core/9804/usr/lib/snapd/snap-confine mr,
  • Additional changes

  • /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncurses{,-[0-9]}.so mr,
  • /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnsl{,-[0-9]}.so mr,
  • /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_compat{,-[0-9]}.so mr,
  • /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_nis{,-[0-9]}.so mr,
  • /proc/meminfo r,
  • /dev/null rw,
    /dev/full rw,
    /dev/zero rw,
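Review bot: the library globs added in this hunk (`libncurses{,-[0-9]}.so`, `libnss_compat{,-[0-9]}.so`, and likewise for `libnsl` and `libnss_nis`) end in a literal `.so` with at most one digit after the dash, so they cannot match the paths the quoted denials name, `/lib/x86_64-linux-gnu/libncurses.so.5.9` and `/lib/x86_64-linux-gnu/libnss_compat-2.19.so`; either the forum rendering has swallowed the `*` wildcards, or the rules should read `{,-[0-9]*}.so*` so that versioned sonames are covered. Separately, the `/dev/null rw,`, `/dev/full rw,` and `/dev/zero rw,` lines and the `libnsl`/`libnss_nis` rules correspond to no denial shown in the post; they should be dropped, or the denial that motivates each should be quoted, since every rule added to the snap-confine profile widens what that setuid helper may touch.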

Could you please add these changes to the core snap? I don't know why this is not
needed on the Ubuntu distribution, but it doesn't look wrong to me.

The problem is that these modifications aren't persistent. I need to redo the changes after every snap update, so a persistent solution would be great.

I haven't found any other way except to patch the snap-confine core AppArmor
rules.
Do you know a different way?

Thank you very much!

We definitely need to look into these new accesses, but for a more persistent workaround, you should be able to create a file in /var/lib/snapd/apparmor/snap-confine/ with your rules and they will be included by the snap-confine profile. E.g. (untested):

$ cat /var/lib/snapd/apparmor/snap-confine/jessie
    # Additional changes
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncurses{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnsl{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_compat{,-[0-9]*}.so* mr,
    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_nis{,-[0-9]*}.so* mr,
    /proc/meminfo r,

(be sure to reload the policy after making the changes like you did before).
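As an added check (my own code, not snapd's and not from this thread), the following parses the journal denials quoted above and tests whether a candidate rule set for the snap-confine drop-in would actually allow them, using a small matcher for the AppArmor glob subset these rules use. It assumes the `@{multiarch}` tunable expands to `*-linux-gnu*` and embeds a constructed two-line log sample; the rule strings are taken from the diff and the reply.

```python
import re

# Constructed sample log: two denials in the shape reported in the thread.
SAMPLE_LOG = """\
Aug 17 15:08:14 Client kernel: audit: type=1400 audit(1597669694.124:369): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libncurses.so.5.9" pid=31160 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 17 15:06:56 Client kernel: audit: type=1400 audit(1597669616.712:238): apparmor="DENIED" operation="open" profile="/snap/core/9804/usr/lib/snapd/snap-confine" name="/proc/meminfo" pid=30467 comm="snap-device-hel" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""
FIELD = re.compile(r'(\w+)="([^"]*)"')
VARS = {"@{multiarch}": "*-linux-gnu*"}  # assumed tunable value (tunables/multiarch)
TOKENS = {"*": "[^/]*", "{": "(?:", "}": ")", ",": "|"}

# Library rule as rendered in the forum diff (no '*' after the digit or '.so')
# versus the reply's drop-in form; the meminfo rule is identical in both.
DIFF_RULES = ["/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncurses{,-[0-9]}.so mr,",
              "/proc/meminfo r,"]
DROPIN_RULES = ["/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncurses{,-[0-9]*}.so* mr,",
                "/proc/meminfo r,"]


def parse_denials(text):
    """(profile, path, denied_mask) for each apparmor="DENIED" audit line in text."""
    fields = (dict(FIELD.findall(ln)) for ln in text.splitlines() if 'apparmor="DENIED"' in ln)
    return [(f["profile"], f["name"], f["denied_mask"]) for f in fields]


def glob_to_regex(glob):
    """Translate an AppArmor path glob ({a,b}, *, **, [..]) into an anchored regex."""
    for var, value in VARS.items():
        glob = glob.replace(var, value)
    rx, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):        # ** may cross directory separators
            rx, i = rx + ".*", i + 2
        elif glob[i] == "[":                # character class passes through unchanged
            j = glob.index("]", i)
            rx, i = rx + glob[i:j + 1], j + 1
        else:                               # single * stops at '/', {a,b} is alternation
            rx, i = rx + TOKENS.get(glob[i], re.escape(glob[i])), i + 1
    return re.compile("^" + rx + "$")


def rule_covers(rule, path, mask):
    """True when file rule 'glob perms,' matches path and grants every bit in mask."""
    glob, perms = rule.rstrip(",").rsplit(None, 1)
    return bool(glob_to_regex(glob).match(path)) and set(mask) <= set(perms)


def uncovered(log_text, rules):
    """Denied (path, mask) pairs that none of the candidate rules would allow."""
    return [(path, mask) for _, path, mask in parse_denials(log_text)
            if not any(rule_covers(r, path, mask) for r in rules)]
```

Running `uncovered(SAMPLE_LOG, DIFF_RULES)` shows the versioned soname still denied, while `uncovered(SAMPLE_LOG, DROPIN_RULES)` is empty; run the same check against your real journal output before reloading the policy.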

Thank you!

It works.