paddor
December 19, 2024, 10:53am
1
I have a text-based core20 app that uses epoll. When upgrading to core22, it builds and installs, but during startup it gets an EPERM (Operation not permitted) error. According to strace it’s this call:
epoll_ctl(4, EPOLL_CTL_ADD, 8, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3901425000, u64=133603154134376}}) = -1 EPERM (Operation not permitted)
Is there a specific interface/plug I need to plug so epoll works?
snap version prints:
snap 2.66.1+22.04
snapd 2.66.1+22.04
series 16
ubuntu 22.04
kernel 6.5.0-41-lowlatency
Minimal reproduction: GitHub - paddor/async-issue-360
Anything interesting in dmesg? Both AppArmor and seccomp should log a message when a syscall is denied.
paddor
December 19, 2024, 11:18am
3
Actually yes. /var/log/syslog would have lines like these:
Dec 18 14:30:21 xxx-dev-2022 systemd[6169]: Started snap.async-issue-360.async-issue-360-3b5f7460-8d14-4e54-a23c-47060dde08f8.scope.
Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375484] kauditd_printk_skb: 1 callbacks suppressed
Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375487] audit: type=1326 audit(1734528621.679:3103): auid=1000 uid=1000 gid=1000 ses=6 subj=snap.async-issue-360.async-issue-360 pid=2725419 comm="ruby" exe="/snap/async-issue-360/x13/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x72af23530fa1 code=0x50000
I don’t know what these mean though.
Looks like the app is using epoll_pwait2, which isn’t allowed in the base seccomp template:
$ scmp_sys_resolver 441
epoll_pwait2
I’ll open a PR to snapd to get the template updated.
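To make type=1326 audit records like the ones above quicker to triage, here is an added Python example (not from the thread, snapd or scmp_sys_resolver). It extracts the snap label, syscall number, arch and seccomp action from each record, using a small hand-written x86_64 syscall table and constructed sample log lines; the second sample line is invented to show a kill action alongside the ERRNO one from the thread.

```python
import re

# Constructed sample log, modelled on the kernel audit lines quoted in the thread.
SAMPLE_LOG = """\
Dec 18 14:30:21 host kernel: [627262.375484] kauditd_printk_skb: 1 callbacks suppressed
Dec 18 14:30:21 host kernel: [627262.375487] audit: type=1326 audit(1734528621.679:3103): auid=1000 uid=1000 gid=1000 ses=6 subj=snap.async-issue-360.async-issue-360 pid=2725419 comm="ruby" exe="/snap/async-issue-360/x13/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x72af23530fa1 code=0x50000
Dec 18 14:30:22 host kernel: [627263.000001] audit: type=1326 audit(1734528622.100:3104): auid=1000 uid=1000 gid=1000 ses=6 subj=snap.example-snap.daemon pid=2725500 comm="daemon" exe="/snap/example-snap/1/bin/daemon" sig=31 arch=c000003e syscall=233 compat=0 ip=0x7f0000001000 code=0x0
"""

# Partial x86_64 (arch=c000003e) syscall table; only the entries needed here.
X86_64_SYSCALLS = {232: "epoll_wait", 233: "epoll_ctl", 281: "epoll_pwait", 441: "epoll_pwait2"}

# seccomp return actions as logged in the audit "code" field. The kernel masks off the
# data bits, so for SECCOMP_RET_ERRNO the errno itself (EPERM here) is not recorded.
SECCOMP_ACTIONS = {
    0x80000000: "SECCOMP_RET_KILL_PROCESS", 0x00000000: "SECCOMP_RET_KILL_THREAD",
    0x00030000: "SECCOMP_RET_TRAP", 0x00050000: "SECCOMP_RET_ERRNO",
    0x7fc00000: "SECCOMP_RET_USER_NOTIF", 0x7ff00000: "SECCOMP_RET_TRACE",
    0x7ffc0000: "SECCOMP_RET_LOG", 0x7fff0000: "SECCOMP_RET_ALLOW",
}

AUDIT_RE = re.compile(
    r'audit: type=1326 .*?subj=(?P<subj>\S+) .*?comm="(?P<comm>[^"]*)" '
    r'.*?arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+) .*?code=(?P<code>0x[0-9a-f]+)'
)


def parse_seccomp_denials(log_text):
    """Return one dict per type=1326 (SECCOMP) audit record found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # e.g. the "callbacks suppressed" line or unrelated audit types
        parts = m.group("subj").split(".", 2)  # snapd labels look like snap.<snap>.<app>
        snap, app = (parts[1], parts[2]) if parts[0] == "snap" and len(parts) == 3 else (None, None)
        nr = int(m.group("nr"))
        # Only the x86_64 table is known here; other arches keep the raw number.
        name = X86_64_SYSCALLS.get(nr) if m.group("arch") == "c000003e" else None
        code = int(m.group("code"), 16)
        events.append({
            "snap": snap, "app": app, "comm": m.group("comm"), "syscall_nr": nr,
            "syscall": name or f"syscall#{nr}",
            "action": SECCOMP_ACTIONS.get(code, f"unknown(0x{code:x})"),
        })
    return events


def summarise(events):
    """One human-readable line per denial, suitable for a triage note."""
    return [f"{e['snap']}/{e['app']} ({e['comm']}): {e['syscall']} -> {e['action']}" for e in events]


if __name__ == "__main__":
    for line in summarise(parse_seccomp_denials(SAMPLE_LOG)):
        print(line)
```

For a syscall number outside the small table, feed it to scmp_sys_resolver as shown above.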
paddor
December 19, 2024, 11:24am
5
That sounds very promising. Thank you.
paddor
January 16, 2025, 2:48pm
7
Thanks. It looks like it got merged and released in 2.67.0. But I’m still getting the same error. It’s still the same syscall.
Jan 16 15:41:01 ubuntu-dev-2022 kernel: [ 120.342094] audit: type=1326 audit(1737038461.211:131): auid=1000 uid=1000 gid=1000 ses=2 subj=snap.my-protocol-simulator.my-protocol-simulator pid=7285 comm="ruby" exe="/snap/my-protocol-simulator/x121/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x7649d91a8c37 code=0x50000
Snapd version:
$ snap list snapd
Name Version Rev Tracking Publisher Notes
snapd 2.67 23545 latest/stable canonical✓ snapd
It only landed in time for 2.67.1. For the time being, you can refresh snapd from the edge channel. 2.67.1 should become available in beta/candidate next week.
paddor
January 16, 2025, 2:54pm
9
Thanks a lot. sudo snap refresh --edge snapd actually helped.
paddor
January 16, 2025, 3:17pm
10
Just curious: Will this fix also apply to snaps using core24?
Yes. The change was added to the template, which is used as a starting point for generating the seccomp profile for any given snap.