Hugepages interface?

I am working on a snap that requires access to hugepages. I get the following error when I run it in jailmode or change the confinement and grade to strict/stable. Below is the error:

May 21 22:23:36 dpdk-test kernel: [ 819.269303] audit: type=1400 audit(1526941416.371:59): apparmor="DENIED" operation="open" profile="snap.dpdk.testpmd" name="/sys/kernel/mm/hugepages/" pid=2964 comm="testpmd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Is there a hugepages interface or is this something that I will have to create?


There is no general interface that allows manipulating hugepages. This is possibly two interfaces: hugepages-observe and hugepages-control. The former allows querying them/readonly type actions and the second allows all that plus write type actions. If you are considering implementing this yourself, I suggest looking at network-observe and network-control for inspiration. Also, if you strictly only need one and not the other, feel free to just implement the interface you need (eg, hugepages-control and not hugepages-observe) if that is easier for you.


So I created an interface (I forked snapd and have been testing, my git:
I set it up on my test machine and was able to connect my snap to the new interface and get it up and running, but when I run the command, I get the same error:

May 23 21:06:05 dpdk-test kernel: [ 1103.759127] audit: type=1400 audit(1527109565.059:57): apparmor="DENIED" operation="open" profile="snap.dpdk.testpmd" name="/sys/kernel/mm/hugepages/" pid=1830 comm="testpmd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Any pointers? My interface is just setting the “r” apparmor policy for the path.


Does ‘snap interfaces’ list hugepages-observe?

If not, you might be running into reexec issues where the snapd from the core snap is being used instead of your snapd. Often it is convenient to build the snapd deb and install it. Eg, on Ubuntu (I would do this in a chroot, but omitting that since I don’t know your dev environment):

$ apt-get update && apt-get -y upgrade
$ cd snapd.git                                                                  
$ DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage
$ sudo dpkg -i ../snapd_*.deb

If it does show up with ‘snap interfaces’, you are (correctly) using deny-auto-connection: true. Does your snap have ‘plugs: [ hugepages-observe ]’ and did you connect it with: sudo snap connect dpdk:hugepages?


Yes, snap interfaces | grep huge shows the hugepages-observe interface, and after I install the snap with the plug setting for hugepages-observe I can successfully connect it with the snap connect command.


When I run my application, I get the same error as previously mentioned.

Silly me, your rule is:

/sys/kernel/mm/hugepages/* r,

It should be:

/sys/kernel/mm/hugepages/{,*} r,

‘/sys/kernel/mm/hugepages/*’ is for files in the directory, ‘/sys/kernel/mm/hugepages/’ is for the directory itself. The above rule allows access to both.

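The difference between the two rules above, as an added example that is not part of the original thread or of snapd: it parses the denial's name field and tests it against each rule's path glob. The matcher is a simplified model of AppArmor globbing (brace expansion first, no nesting, path only and not the permission mask), and the function names and the trimmed log line are constructed for illustration.

```python
import re

# Constructed sample: the denial from the thread, trimmed to the fields used here.
DENIAL = ('audit: type=1400 apparmor="DENIED" operation="open" '
          'profile="snap.dpdk.testpmd" name="/sys/kernel/mm/hugepages/" '
          'requested_mask="r" denied_mask="r"')

def parse_denial(line):
    """Return the key="value" fields of an AppArmor audit line as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def expand_braces(glob):
    """Expand {a,b} alternations into plain globs (nesting is not handled)."""
    m = re.search(r'\{([^{}]*)\}', glob)
    if not m:
        return [glob]
    return [g for alt in m.group(1).split(',')
            for g in expand_braces(glob[:m.start()] + alt + glob[m.end():])]

def glob_to_regex(glob):
    """Simplified model of AppArmor path globbing (an assumption of this example)."""
    out, i = [], 0
    while i < len(glob):
        if glob[i] == '*':
            double = glob.startswith('**', i)
            end = i + (2 if double else 1)
            # A wildcard that is a whole path component must match at least one character
            whole = (i == 0 or glob[i - 1] == '/') and (end == len(glob) or glob[end] == '/')
            if double:
                out.append('[^/].*' if whole else '.*')
            else:
                out.append('[^/]+' if whole else '[^/]*')
            i = end
        else:
            out.append('[^/]' if glob[i] == '?' else re.escape(glob[i]))
            i += 1
    return re.compile(''.join(out))

def rule_allows(glob, path):
    """True if any brace-expanded alternative of the rule's glob matches the whole path."""
    return any(glob_to_regex(g).fullmatch(path) for g in expand_braces(glob))

if __name__ == '__main__':
    name = parse_denial(DENIAL)['name']
    for rule in ('/sys/kernel/mm/hugepages/*', '/sys/kernel/mm/hugepages/{,*}'):
        print(f'{rule} r,  ->  {name}: {"allowed" if rule_allows(rule, name) else "DENIED"}')
```
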

Thank you! That fixed that error. I get another error now, but at least I’m heading in the right direction now.

The error now is:

May 24 17:28:02 dpdk-test kernel: [  222.222670] audit: type=1400 audit(1527182882.930:29): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=1493 comm="snap-confine" capability=2  capname="dac_read_search"
May 24 17:28:03 dpdk-test kernel: [  222.692128] audit: type=1400 audit(1527182883.398:30): apparmor="DENIED" operation="open" profile="snap.dpdk.testpmd" name="/var/lib/snapd/hostfs/mnt/huge/" pid=1493 comm="testpmd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Thank you!