Interface approval for ncdu snap

As far as what the snap is reporting, not much - see screenshot.

[Screenshot from 2020-10-30 09-33-55]

Here are my apparmor entries for ncdu when I tried to peer into my zfs pool:

cat syslog | grep ncdu
Oct 30 09:32:17 metroplex kernel: [839002.748990] audit: type=1400 audit(1604068337.582:292): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.ncdu" pid=646495 comm="apparmor_parser"
Oct 30 09:32:17 metroplex kernel: [839002.840791] audit: type=1400 audit(1604068337.674:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=646496 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.397516] audit: type=1400 audit(1604068338.230:296): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646510 comm="apparmor_parser"
Oct 30 09:32:18 metroplex kernel: [839003.402667] audit: type=1400 audit(1604068338.234:297): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646512 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.936308] audit: type=1400 audit(1604068368.770:304): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646702 comm="apparmor_parser"
Oct 30 09:32:48 metroplex kernel: [839033.940902] audit: type=1400 audit(1604068368.774:305): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646704 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.831465] audit: type=1400 audit(1604068377.662:316): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.ncdu.ncdu" pid=646764 comm="apparmor_parser"
Oct 30 09:32:57 metroplex kernel: [839042.835859] audit: type=1400 audit(1604068377.670:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.ncdu" pid=646767 comm="apparmor_parser"
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138843] audit: type=1400 audit(1604068397.969:320): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/bus/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138846] audit: type=1400 audit(1604068397.969:321): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/irq/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138848] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138859] audit: type=1400 audit(1604068397.969:323): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/sys/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138886] audit: type=1400 audit(1604068397.969:324): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/tty/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138896] audit: type=1400 audit(1604068397.969:325): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/acpi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138923] audit: type=1400 audit(1604068397.969:326): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/scsi/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138954] audit: type=1400 audit(1604068397.969:327): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/asound/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138970] audit: type=1400 audit(1604068397.969:328): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/driver/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I included everything associated with ncdu so you can see when/where it gets DENIED, which is right here:

Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Running sudo ncdu renders the same result.

The only thing I’m seeing in terms of denials - based on limited use - is viewing zfs pools. I can see everything else. I’m sure a user out there will find something else I’ve missed.

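A small parser for the AppArmor audit lines quoted in the post above, added here as an example (it is not part of the original post or of snapd): it keeps only the DENIED events and groups the denied paths by profile, so the list of blocked directories can be read off without scanning the raw syslog. The function names are this example's own, and the three sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Three lines copied from the post: one STATUS event and two denials.
SAMPLE_LOG = """\
Oct 30 09:32:17 metroplex kernel: [839002.840791] audit: type=1400 audit(1604068337.674:293): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.ncdu.ncdu" pid=646496 comm="apparmor_parser"
Oct 30 09:33:17 metroplex kernel: [839063.138836] audit: type=1400 audit(1604068397.969:319): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/fs/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 30 09:33:17 metroplex kernel: [839063.138848] audit: type=1400 audit(1604068397.969:322): apparmor="DENIED" operation="open" profile="snap.ncdu.ncdu" name="/proc/spl/" pid=646768 comm="ncdu" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Everything after "audit(<epoch>:<serial>):" is a run of key=value fields.
AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# A value is either "quoted" or a bare token (pid=..., fsuid=...).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_apparmor_line(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    m = AUDIT_RE.search(line)
    if not m or 'apparmor=' not in m.group(3):
        return None
    fields = {"timestamp": float(m.group(1)), "serial": int(m.group(2))}
    for key, quoted, bare in FIELD_RE.findall(m.group(3)):
        value = quoted or bare
        # The kernel logs a path containing spaces or control characters
        # as unquoted hex; decode it so the summary shows the real path.
        if key == "name" and bare and HEX_RE.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields


def summarize_denials(log_text):
    """Map each profile to its sorted, de-duplicated (operation, path, denied_mask) tuples."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if ev and ev.get("apparmor") == "DENIED":
            denied[ev.get("profile", "?")].add(
                (ev.get("operation"), ev.get("name"), ev.get("denied_mask")))
    return {profile: sorted(events) for profile, events in denied.items()}


if __name__ == "__main__":
    for profile, events in summarize_denials(SAMPLE_LOG).items():
        print(profile)
        for operation, path, mask in events:
            print(f"  {operation:<6} {mask:<3} {path}")
```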