Custom kernel error on readlinkat() in mount namespace

yhrn · August 15, 2018, 9:48am

Hi,

I’m seeing this problem on Ubuntu 18.04 with kernel 4.18 and the workaround doesn’t seem to do anything for me.

> ls /etc/apparmor.d/*snap-confine*
/etc/apparmor.d/usr.lib.snapd.snap-confine.real

> tail /etc/apparmor.d/usr.lib.snapd.snap-confine.real
    # from the core snap but we are already inside the constructed mount
    # namespace. Here the apparmor kernel module re-constructs the path to
    # snap-update-ns using the "hostfs" mount entry rather than the more
    # "natural" /snap mount entry but we have no control over that.  This is
    # reported as (LP: #1716339). The variants here represent different
    # locations of snap mount directory across distributions.
    /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns r,

    ptrace read peer=unconfined,
}

> sudo apparmor_parser -r /etc/apparmor.d/*snap-confine*

> gnome-calculator
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

> dmesg | grep DENIED         
[   28.836643] audit: type=1400 audit(1534247507.507:50): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=1759 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[   29.030691] audit: type=1400 audit(1534247507.699:51): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=1892 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[   29.230245] audit: type=1400 audit(1534247507.899:53): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2040 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[   29.404266] audit: type=1400 audit(1534247508.075:54): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2165 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[   29.665339] audit: type=1400 audit(1534247508.335:55): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2228 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[   33.802955] audit: type=1400 audit(1534247512.471:56): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2670 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[   39.115107] audit: type=1400 audit(1534247517.783:57): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=2958 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[   41.458075] audit: type=1400 audit(1534247520.127:58): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=3020 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[   94.297198] audit: type=1400 audit(1534247572.951:59): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=3238 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 9039.010150] audit: type=1400 audit(1534256517.733:64): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=19462 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 9058.478617] audit: type=1400 audit(1534256537.201:65): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=19816 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 9083.475983] audit: type=1400 audit(1534256562.197:66): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=19924 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[ 9113.703202] audit: type=1400 audit(1534256592.425:67): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=19968 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[10614.319740] audit: type=1400 audit(1534258093.050:70): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=21750 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[10637.672492] audit: type=1400 audit(1534258116.406:71): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=21872 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[10862.835626] audit: type=1400 audit(1534258341.566:74): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=22062 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[11041.500133] audit: type=1400 audit(1534258520.235:75): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=22154 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[11752.936363] audit: type=1400 audit(1534259231.670:80): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=22689 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[70917.166364] audit: type=1400 audit(1534318396.649:81): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=27267 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"
[78768.839106] audit: type=1400 audit(1534326247.974:84): apparmor="DENIED" operation="ptrace" profile="/snap/core/5145/usr/lib/snapd/snap-confine" pid=30089 comm="snap-confine" requested_mask="read" denied_mask="read" peer="unconfined"

Any ideas on why it still doesn’t work?