Epoll works on core20 but fails on core22+

I have a text-based core20 app that uses epoll. When upgrading to core22, it builds and installs, but during startup it gets an EPERM (Operation not permitted) error. According to strace it’s this call:

epoll_ctl(4, EPOLL_CTL_ADD, 8, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3901425000, u64=133603154134376}}) = -1 EPERM (Operation not permitted)

Is there a specific interface/plug I need to plug so epoll works?

snap version prints:

snap    2.66.1+22.04
snapd   2.66.1+22.04
series  16
ubuntu  22.04
kernel  6.5.0-41-lowlatency

Minimal reproduction: GitHub - paddor/async-issue-360

Anything interesting in dmesg? Both AppArmor and seccomp should log a message when a syscall is denied.

Actually yes. /var/log/syslog would have lines like these:

Dec 18 14:30:21 xxx-dev-2022 systemd[6169]: Started snap.async-issue-360.async-issue-360-3b5f7460-8d14-4e54-a23c-47060dde08f8.scope.
Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375484] kauditd_printk_skb: 1 callbacks suppressed
Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375487] audit: type=1326 audit(1734528621.679:3103): auid=1000 uid=1000 gid=1000 ses=6 subj=snap.async-issue-360.async-issue-360 pid=2725419 comm="ruby" exe="/snap/async-issue-360/x13/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x72af23530fa1 code=0x50000

I don’t know what these mean though.

Looks like the app is using epoll_pwait2, which isn’t allowed in the base seccomp template:

$ scmp_sys_resolver 441
epoll_pwait2

I’ll open a PR to snapd to get the template updated.
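The two replies above do the decoding by hand: spot the type=1326 seccomp audit record, read syscall=441 and arch=c000003e, then run scmp_sys_resolver. The following Python helper automates that triage over kernel-log lines. It is an added example, not code from this thread, from snapd or from the app being discussed; the syscall table it embeds is a deliberately partial, hand-constructed x86_64 table (the authoritative source is <asm/unistd_64.h> or `scmp_sys_resolver -a x86_64 N`), and the sample log lines are the ones quoted in the thread.

```python
import re
from collections import Counter

# Partial x86_64 syscall table, constructed for this example only.
# Authoritative source: <asm/unistd_64.h> or `scmp_sys_resolver -a x86_64 N`.
X86_64_SYSCALLS = {
    213: "epoll_create",
    232: "epoll_wait",
    233: "epoll_ctl",
    281: "epoll_pwait",
    291: "epoll_create1",
    441: "epoll_pwait2",
}

# AUDIT_ARCH_* values from <linux/audit.h>.
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64"}

# SECCOMP_RET_* action values from <linux/seccomp.h>. The audit record's
# `code` field carries only the action bits; the errno payload is masked off,
# which is why a SCMP_ACT_ERRNO(EPERM) filter shows up as code=0x50000.
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_ACTIONS = {
    0x00000000: "SECCOMP_RET_KILL_THREAD",
    0x80000000: "SECCOMP_RET_KILL_PROCESS",
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7FC00000: "SECCOMP_RET_USER_NOTIF",
    0x7FF00000: "SECCOMP_RET_TRACE",
    0x7FFC0000: "SECCOMP_RET_LOG",
    0x7FFF0000: "SECCOMP_RET_ALLOW",
}

# key=value pairs; values are either "quoted" (comm, exe) or bare tokens.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_denial(line):
    """Parse one kernel-log line. Returns a dict for type=1326 (seccomp)
    records and None for anything else."""
    if "type=1326" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    nr = int(fields["syscall"])
    arch = AUDIT_ARCH.get(int(fields["arch"], 16), fields["arch"])
    compat = fields.get("compat") == "1"
    # Syscall numbers are per-ABI: only resolve native x86_64 records here;
    # anything else is reported as unresolved rather than guessed.
    if arch == "x86_64" and not compat:
        name = X86_64_SYSCALLS.get(nr, f"unknown({nr})")
    else:
        name = f"unresolved({nr} on {arch}{' compat' if compat else ''})"
    code = int(fields["code"], 16)
    action = SECCOMP_ACTIONS.get(code & SECCOMP_RET_ACTION_FULL, hex(code))
    return {
        "subj": fields.get("subj"),
        "pid": int(fields["pid"]),
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "arch": arch,
        "syscall_nr": nr,
        "syscall": name,
        "action": action,
    }


def summarize(lines):
    """Count denials per (snap app, syscall name). A preceding
    'kauditd_printk_skb: N callbacks suppressed' line means N audit records
    were rate-limited out of the kernel log, so these counts are a lower bound."""
    counts = Counter()
    for line in lines:
        rec = parse_seccomp_denial(line)
        if rec:
            counts[(rec["subj"], rec["syscall"])] += 1
    return counts


# The log lines quoted in the thread, used here as sample input.
SAMPLE_LOG = [
    "Dec 18 14:30:21 xxx-dev-2022 systemd[6169]: Started snap.async-issue-360.async-issue-360-3b5f7460-8d14-4e54-a23c-47060dde08f8.scope.",
    "Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375484] kauditd_printk_skb: 1 callbacks suppressed",
    'Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375487] audit: type=1326 audit(1734528621.679:3103): auid=1000 uid=1000 gid=1000 ses=6 subj=snap.async-issue-360.async-issue-360 pid=2725419 comm="ruby" exe="/snap/async-issue-360/x13/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x72af23530fa1 code=0x50000',
    'Jan 16 15:41:01 ubuntu-dev-2022 kernel: [  120.342094] audit: type=1326 audit(1737038461.211:131): auid=1000 uid=1000 gid=1000 ses=2 subj=snap.my-protocol-simulator.my-protocol-simulator pid=7285 comm="ruby" exe="/snap/my-protocol-simulator/x121/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x7649d91a8c37 code=0x50000',
]

if __name__ == "__main__":
    for rec in map(parse_seccomp_denial, SAMPLE_LOG):
        if rec:
            print(f"{rec['subj']}: {rec['comm']} (pid {rec['pid']}) called "
                  f"{rec['syscall']} [{rec['syscall_nr']}] on {rec['arch']} -> {rec['action']}")
    for (subj, name), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {subj}  {name}")
```

Feed it `journalctl -k` or /var/log/syslog output instead of SAMPLE_LOG to triage a real box. For a number or architecture the embedded table does not cover, `scmp_sys_resolver -a <arch> <nr>` gives the name, exactly as in the reply above.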

That sounds very promising. Thank you.

I’ve opened a PR with an update to the template: interfaces/seccomp/template: allow epoll_pwait2 in the base template by bboozzoo · Pull Request #14885 · canonical/snapd · GitHub

Thanks. It looks like it got merged and released in 2.67.0. But I’m still getting the same error. It’s still the same syscall.

Jan 16 15:41:01 ubuntu-dev-2022 kernel: [  120.342094] audit: type=1326 audit(1737038461.211:131): auid=1000 uid=1000 gid=1000 ses=2 subj=snap.my-protocol-simulator.my-protocol-simulator pid=7285 comm="ruby" exe="/snap/my-protocol-simulator/x121/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x7649d91a8c37 code=0x50000

Snapd version:

$ snap list snapd
Name   Version  Rev    Tracking       Publisher   Notes
snapd  2.67     23545  latest/stable  canonical✓  snapd

It only landed in time for 2.67.1. For the time being, you can refresh snapd from edge channel. 2.67.1 should become available in beta/candidate next week.

Thanks a lot. sudo snap refresh --edge snapd actually helped.

Just curious: Will this fix also apply to snaps using core24?

Yes. The change was added to the template, which is used as the starting point for generating the seccomp profile for any given snap.