paddor
December 19, 2024, 10:53am
I have a text-based core20 app that uses epoll. When upgrading to core22, it builds and installs, but during startup it gets an EPERM (Operation not permitted) error. According to strace it’s this call:
epoll_ctl(4, EPOLL_CTL_ADD, 8, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=3901425000, u64=133603154134376}}) = -1 EPERM (Operation not permitted)
Is there a specific interface/plug I need to plug so epoll works?
snap version prints:
snap 2.66.1+22.04
snapd 2.66.1+22.04
series 16
ubuntu 22.04
kernel 6.5.0-41-lowlatency
Minimal reproduction: GitHub - paddor/async-issue-360
Anything interesting in dmesg? Both AppArmor and seccomp should log a message when a syscall is denied.
paddor
December 19, 2024, 11:18am
Actually yes. /var/log/syslog would have lines like these:
Dec 18 14:30:21 xxx-dev-2022 systemd[6169]: Started snap.async-issue-360.async-issue-360-3b5f7460-8d14-4e54-a23c-47060dde08f8.scope.
Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375484] kauditd_printk_skb: 1 callbacks suppressed
Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375487] audit: type=1326 audit(1734528621.679:3103): auid=1000 uid=1000 gid=1000 ses=6 subj=snap.async-issue-360.async-issue-360 pid=2725419 comm="ruby" exe="/snap/async-issue-360/x13/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x72af23530fa1 code=0x50000
I don’t know what these mean though.
Looks like the app is using epoll_pwait2, which isn’t allowed in the base seccomp template:
$ scmp_sys_resolver 441
epoll_pwait2
I’ll open a PR to snapd to get the template updated.
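For anyone landing here from a similar audit line: the decoding done by hand in the reply above (syscall number plus arch field to a name, and the code field to a seccomp action) can be scripted. The block below is an added example, not code from this thread or from snapd. It embeds the two audit lines quoted in the thread as constructed sample input, carries a small hand-written table of the x86_64 epoll family only (everything else falls back to scmp_sys_resolver when it is installed, the same tool used above), and finishes with a check of a snap's generated seccomp profile source so you can confirm after the refresh discussed later in the thread that the template now includes the syscall. The profile path and the one-syscall-per-line layout of the .src file are my assumptions about snapd's output (on my systems the files live under /var/lib/snapd/seccomp/bpf/snap.<snap>.<app>.src); verify against your own system.

```python
"""Decode seccomp audit denials (type=1326) and check a snap's seccomp profile.

Added example for this thread, not snapd's own code. The syscall table is
deliberately partial (x86_64 epoll family only); other numbers are resolved
with scmp_sys_resolver if it is on PATH, otherwise reported as unknown.
"""
import re
import shutil
import subprocess

# Constructed sample: the two audit lines quoted in the thread plus one noise line.
SAMPLE_LOG = """\
Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375484] kauditd_printk_skb: 1 callbacks suppressed
Dec 18 14:30:21 xxx-dev-2022 kernel: [627262.375487] audit: type=1326 audit(1734528621.679:3103): auid=1000 uid=1000 gid=1000 ses=6 subj=snap.async-issue-360.async-issue-360 pid=2725419 comm="ruby" exe="/snap/async-issue-360/x13/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x72af23530fa1 code=0x50000
Jan 16 15:41:01 ubuntu-dev-2022 kernel: [  120.342094] audit: type=1326 audit(1737038461.211:131): auid=1000 uid=1000 gid=1000 ses=2 subj=snap.my-protocol-simulator.my-protocol-simulator pid=7285 comm="ruby" exe="/snap/my-protocol-simulator/x121/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x7649d91a8c37 code=0x50000
"""

# AUDIT_ARCH_* values from the kernel: EM_* ORed with the 64-bit / little-endian flags.
ARCH_NAMES = {"c000003e": "x86_64", "c00000b7": "aarch64", "40000028": "arm", "40000003": "i386"}

# Partial table (assumption: only the x86_64 epoll family is filled in here).
SYSCALL_TABLE = {
    "x86_64": {213: "epoll_create", 232: "epoll_wait", 233: "epoll_ctl",
               281: "epoll_pwait", 291: "epoll_create1", 441: "epoll_pwait2"},
}

# SECCOMP_RET_* action values; the audit "code" field carries the action without its data bits.
SECCOMP_ACTIONS = {
    0x80000000: "SECCOMP_RET_KILL_PROCESS", 0x00000000: "SECCOMP_RET_KILL_THREAD",
    0x00030000: "SECCOMP_RET_TRAP", 0x00050000: "SECCOMP_RET_ERRNO",
    0x7fc00000: "SECCOMP_RET_USER_NOTIF", 0x7ff00000: "SECCOMP_RET_TRACE",
    0x7ffc0000: "SECCOMP_RET_LOG", 0x7fff0000: "SECCOMP_RET_ALLOW",
}
SECCOMP_RET_ACTION_FULL = 0xffff0000


def resolve_syscall(arch, nr):
    """Map a syscall number to its name: local table first, then scmp_sys_resolver."""
    name = SYSCALL_TABLE.get(arch, {}).get(nr)
    if name:
        return name
    tool = shutil.which("scmp_sys_resolver")
    if tool:
        res = subprocess.run([tool, "-a", arch, str(nr)], capture_output=True, text=True)
        if res.returncode == 0 and res.stdout.strip():
            return res.stdout.strip()
    return f"unknown({nr})"


def decode_action(code_hex):
    """Translate the audit code field (e.g. 0x50000) into a SECCOMP_RET_* name."""
    action = int(code_hex, 16) & SECCOMP_RET_ACTION_FULL
    return SECCOMP_ACTIONS.get(action, f"unknown({code_hex})")


def parse_denials(log_text):
    """Extract every seccomp denial (audit type 1326) from syslog/dmesg text."""
    denials = []
    for line in log_text.splitlines():
        if "type=1326" not in line:          # 1326 is AUDIT_SECCOMP
            continue
        kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        arch = ARCH_NAMES.get(kv.get("arch", ""), kv.get("arch", "?"))
        nr = int(kv["syscall"])
        denials.append({
            "subj": kv.get("subj", "?"),     # snap.<snap>.<app> security label
            "comm": kv.get("comm", "?"),
            "arch": arch,
            "nr": nr,
            "syscall": resolve_syscall(arch, nr),
            "action": decode_action(kv.get("code", "0x0")),
        })
    return denials


def in_profile(profile_src, syscall_name):
    """True if the syscall appears in a profile source (assumed one rule per line,
    first token is the syscall name, '#' starts a comment)."""
    for line in profile_src.splitlines():
        rule = line.split("#", 1)[0].strip()
        if rule and rule.split()[0] == syscall_name:
            return True
    return False


def load_profile(snap, app, base="/var/lib/snapd/seccomp/bpf"):
    """Read the generated profile source for a snap app (path is an assumption)."""
    with open(f"{base}/snap.{snap}.{app}.src", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(f'{d["subj"]}: {d["comm"]} called {d["syscall"]} ({d["arch"]} #{d["nr"]}) -> {d["action"]}')
```

On a real box, feed it `journalctl -k` or /var/log/syslog instead of SAMPLE_LOG, then run `in_profile(load_profile("async-issue-360", "async-issue-360"), "epoll_pwait2")` after refreshing snapd to confirm the regenerated profile lists the syscall; if it is still missing, the template fix has not reached the installed snapd yet.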
paddor
December 19, 2024, 11:24am
That sounds very promising. Thank you.
paddor
January 16, 2025, 2:48pm
Thanks. It looks like it got merged and released in 2.67.0. But I’m still getting the same error. It’s still the same syscall.
Jan 16 15:41:01 ubuntu-dev-2022 kernel: [ 120.342094] audit: type=1326 audit(1737038461.211:131): auid=1000 uid=1000 gid=1000 ses=2 subj=snap.my-protocol-simulator.my-protocol-simulator pid=7285 comm="ruby" exe="/snap/my-protocol-simulator/x121/usr/bin/ruby" sig=0 arch=c000003e syscall=441 compat=0 ip=0x7649d91a8c37 code=0x50000
Snapd version:
$ snap list snapd
Name Version Rev Tracking Publisher Notes
snapd 2.67 23545 latest/stable canonical✓ snapd
It only landed in time for 2.67.1. For the time being, you can refresh snapd from the edge channel. 2.67.1 should become available in beta/candidate next week.
paddor
January 16, 2025, 2:54pm
Thanks a lot. sudo snap refresh --edge snapd actually helped.
paddor
January 16, 2025, 3:17pm
Just curious: Will this fix also apply to snaps using core24?
Yes. The change was added to the template, which is used as the starting point for generating the seccomp profile for any given snap.