Dotnet AppArmor denials (.NET Core 3 and .NET 5)

Hello.

It seems that while the AppArmor confinement is working, dotnet has another use case where it tries to "lock" those files, while the AppArmor rules only make room for reading, not file-lock. I understand that I can modify those rules, adding the file-lock property, but that is a developer approach. Some of the logs here will explain (just a sample):

Jul 22 07:08:22 devtesting audit[4394]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/lo/forwarding" pid=4394 comm=<strippedout> requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 22 07:08:22 devtesting audit[4394]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/dummy0/forwarding" pid=4394 comm=<strippedout> requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 22 07:08:22 devtesting audit[4394]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/dummy0/forwarding" pid=4394 comm=<strippedout> requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 22 07:08:22 devtesting audit[4394]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/eth0/forwarding" pid=4394 comm=<strippedout> requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 22 07:08:22 devtesting audit[4394]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/eth0/forwarding" pid=4394 comm=<strippedout> requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 22 07:08:22 devtesting audit[4394]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/eth1/forwarding" pid=4394 comm=<strippedout> requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 22 07:08:22 devtesting audit[4394]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/eth1/forwarding" pid=4394 comm=<strippedout> requested_mask="k" denied_mask="k" fsuid=0 ouid=0

Did you try to debug it by running snappy-debug in a second terminal while running your app from another one? It should give interface suggestions for plugs to add to your app to solve these issues …

Hello. It seems that every few seconds, this happens in "snappy-debug":

= AppArmor =
Time: Jul 29 08:23:15
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/usb0/forwarding" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/sys/net/ipv4/conf/usb0/forwarding (write)
Suggestions:
  • adjust program to not access '@{PROC}/sys/net/ipv4/conf/usb0/forwarding'
  • adjust program to not access '@{PROC}/sys/net/ipv[0-9]/conf/usb[0-9]/forwarding'

= AppArmor =
Time: Jul 29 08:23:15
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/can0/forwarding" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/sys/net/ipv4/conf/can0/forwarding (write)
Suggestions:
  • adjust program to not access '@{PROC}/sys/net/ipv4/conf/can0/forwarding'
  • adjust program to not access '@{PROC}/sys/net/ipv[0-9]/conf/can[0-9]/forwarding'

= AppArmor =
Time: Jul 29 08:23:15
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/wwan0/forwarding" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/sys/net/ipv4/conf/wwan0/forwarding (write)
Suggestions:
  • adjust program to not access '@{PROC}/sys/net/ipv4/conf/wwan0/forwarding'
  • adjust program to not access '@{PROC}/sys/net/ipv[0-9]/conf/wwan[0-9]/forwarding'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/stat (write)
Suggestion:
  • adjust program to not access '@{PROC}/@{pid}/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/status" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/status (write)
Suggestion:
  • adjust program to not access '@{PROC}/@{pid}/status'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/cmdline" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/cmdline (write)
Suggestion:
  • adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/stat (write)
Suggestion:
  • adjust program to not access '@{PROC}/@{pid}/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/status" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/status (write)
Suggestion:
  • adjust program to not access '@{PROC}/@{pid}/status'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/cmdline" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/cmdline (write)
Suggestion:
  • adjust program to not access '@{PROC}/@{pid}/cmdline'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11794/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11794/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11794/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11795/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11795/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11795/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11796/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11796/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11796/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11797/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11797/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11797/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11798/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11798/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11798/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11799/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11799/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11799/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11800/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11800/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11800/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11802/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11802/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11802/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11815/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11815/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11815/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11833/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11833/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11833/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11835/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11835/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11835/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/12275/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/12275/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/12275/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/12651/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/12651/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/12651/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/12779/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/12779/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/12779/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

= AppArmor =
Time: Jul 29 08:23:19
Log: apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11794/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
File: /proc/11794/task/11794/stat (write)
Suggestions:
  • adjust program to not access '@{PROC}/@{pid}/task/11794/stat'
  • adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/stat'

Any idea on how to solve it? I think it may have to do with the embedded binaries we are trying to execute from within the confinement, and not necessarily the ‘dotnet’ binary itself.
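Two things in the posts above are worth mechanising before deciding what to do: the comm field in these records is hex-encoded (audit does that when the process name contains a space; the value quoted in the thread decodes to `.NET ThreadPool`, which is the name of the thread that was denied), and the denials the first post wants to cover with a file-lock rule repeat across per-thread and per-interface paths. The script below is an added example, not part of the thread and not code from snappy-debug or snapd. It parses AVC lines in the format shown above, decodes comm, counts denials per thread name, and folds the concrete paths into candidate AppArmor file rules carrying the `k` (lock) permission, using `owner` and `@{pid}` for the process's own /proc tree. The sample log lines are constructed to match the thread's format (the last one, with a quoted comm and an `r` mask, is invented to show how masks merge); the `generalize` heuristics are my own assumptions, not snappy-debug's logic.

```python
"""Parse AppArmor AVC denial lines, decode the comm field and draft candidate
file rules.  Added example; the helpers and heuristics here are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample in the same shape as the audit lines in the thread.  The
# last line is invented: a quoted (plain) comm and a read denial on a sibling
# sysctl, so the two masks get merged into one rule.
SAMPLE_LOG = """\
Jul 29 08:23:15 devtesting audit[11794]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/usb0/forwarding" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 29 08:23:19 devtesting audit[11794]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 29 08:23:19 devtesting audit[11794]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11795/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 29 08:23:19 devtesting audit[11794]: AVC apparmor="DENIED" operation="file_lock" profile="snap.mysnap.main" name="/proc/11794/task/11796/stat" pid=11794 comm=2E4E455420546872656164506F6F6C requested_mask="k" denied_mask="k" fsuid=0 ouid=0
Jul 29 08:23:20 devtesting audit[11794]: AVC apparmor="DENIED" operation="open" profile="snap.mysnap.main" name="/proc/sys/net/ipv4/conf/all/forwarding" pid=11794 comm="dotnet" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
MASK_ORDER = "rwalkmix"  # conventional order for AppArmor file permission letters


def decode_comm(raw):
    """audit quotes comm when it is plain printable text and hex-encodes it
    otherwise (for example when it contains a space), so unquoted means hex."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8")
    except ValueError:          # not hex, or not valid UTF-8: keep as-is
        return raw


def parse_avc(line):
    """Return the key=value fields of one AVC record as a dict, or None for
    any line that is not an apparmor record."""
    if 'apparmor="' not in line:
        return None
    raw = dict(AVC_FIELD.findall(line))
    rec = {k: v.strip('"') for k, v in raw.items()}
    rec["comm"] = decode_comm(raw.get("comm", '""'))
    return rec


def generalize(path, pid):
    """Fold one concrete path into an AppArmor pattern (assumed heuristics).
    Returns (pattern, own); own is True when the path is under the denied
    process's own /proc/<pid> tree, so the caller can add the 'owner'
    qualifier instead of opening every process's entries."""
    own = path.startswith(f"/proc/{pid}/")
    if own:
        path = "/proc/@{pid}/" + path[len(f"/proc/{pid}/"):]
    path = re.sub(r"/task/\d+/", "/task/[0-9]*/", path)                   # per-thread entries
    path = re.sub(r"^(/proc/sys/net/ipv[46]/conf/)[^/]+/", r"\g<1>*/", path)  # per-interface sysctls
    if path.startswith("/proc/"):
        path = "@{PROC}" + path[len("/proc"):]
    return path, own


def suggest_rules(log_text):
    """Union the denied masks per pattern and render candidate rules, one per
    pattern, with the letters in conventional order."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        masks[generalize(rec["name"], rec["pid"])].update(rec.get("denied_mask", ""))
    rules = []
    for (pattern, own), letters in sorted(masks.items()):
        perms = "".join(c for c in MASK_ORDER if c in letters)
        rules.append(f"{'owner ' if own else ''}{pattern} {perms},")
    return rules


def denials_by_thread(log_text):
    """Count DENIED records per decoded comm; comm is the task (thread) name,
    which is what tells you which part of the program made the access."""
    return Counter(rec["comm"] for rec in map(parse_avc, log_text.splitlines())
                   if rec and rec.get("apparmor") == "DENIED")


if __name__ == "__main__":
    for comm, n in denials_by_thread(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {comm}")
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

Treat the output as a review list rather than rules to paste: `k` is the lock permission, which is why snappy-debug only says "adjust program" for these records, and snapd regenerates the snap's profile, so a hand edit of the generated rules is a debugging aid, not a fix that ships with the snap. The per-thread count is the quicker check against the suspicion in the last post: if every denial carries the same decoded thread name, the access is coming from that thread rather than from a separately executed embedded binary, whose comm would be its own name.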