Interface for reading /proc/<PID>/cpuset?

Does an interface exist to allow read access to /proc/<PID>/cpuset? Something like cpu-control but read only?

Running juju status --watch spams dmesg logs

audit: type=1400
audit(1676326743.956:1036): apparmor="DENIED" operation="open"
profile="snap.juju.juju" name="/proc/539653/cpuset" pid=539653
comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

What does snappy-debug from the snappy-debug snap package suggest when you run it while the denial occurs?

snappy-debug wouldn’t produce anything, but it says it monitors /var/log/syslog, which is not where AppArmor denials go. Thankfully it suggested running sudo journalctl --output=short --follow --all | sudo snappy-debug and that output:

$ journalctl --output=short --follow --all | sudo snappy-debug
kernel.printk_ratelimit = 0
= AppArmor =
Time: Feb 15 08:29:53
Log: apparmor="DENIED" operation="open" profile="snap.juju.juju" name="/proc/1731631/cpuset" pid=1731631 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/1731631/cpuset (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cpuset'

= AppArmor =
Time: Feb 15 08:29:54
Log: apparmor="DENIED" operation="open" profile="snap.juju.juju" name="/proc/1731669/cpuset" pid=1731669 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/1731669/cpuset (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cpuset'

= AppArmor =
Time: Feb 15 08:29:55
Log: apparmor="DENIED" operation="open" profile="snap.juju.juju" name="/proc/1731678/cpuset" pid=1731678 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/1731678/cpuset (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cpuset'

If it’s not possible to tell juju not to access that file, I would suggest going with a rule like owner @{PROC}/@{pid}/cpuset r, :slight_smile:

@alexmurray should the above be part of cpu-control or would that add any insecurities?

cpu-control seems wrong here as it confers write access I think. So what we would need is an observe type interface similar to network-observe or system-observe etc.?

Hmm /proc/PID/cpuset is readable by its owner by default. Also this just displays the path within /dev/cpuset that is then required to go and interface with the cpuset of the process. As such, this feels reasonably unprivileged so perhaps should just go in the base template - we currently allow read of /proc/PID/status in the base template and this contains which CPUs are allowed as part of the CPU set etc., which is of a similar nature to this info.

So I would just advocate adding the following to the base template:

  @{PROC}/@{pid}/cpuset r,
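Turning the denial lines above and snappy-debug's suggestion into a rule, as an added example that is not snappy-debug's or snapd's code: a small Python script that parses apparmor="DENIED" audit records, abstracts the numeric pid into @{PROC}/@{pid} as snappy-debug does, and adds the owner qualifier only when every observed denial had fsuid equal to ouid (owner rules never match a file owned by a different uid, so a cross-uid read would stay denied). The log lines are constructed in the format quoted in the thread; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in the format quoted above (not real captures).
# The third line is a read of pid 1's cpuset, owned by root (ouid=0) while juju runs as uid 1000.
# The fourth is a complain-mode ALLOWED record and must be ignored.
SAMPLE_LINES = [
    'audit: type=1400 audit(1676326743.956:1036): apparmor="DENIED" operation="open" profile="snap.juju.juju" name="/proc/539653/cpuset" pid=539653 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1676326744.102:1037): apparmor="DENIED" operation="open" profile="snap.juju.juju" name="/proc/1731631/cpuset" pid=1731631 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1676326745.210:1038): apparmor="DENIED" operation="open" profile="snap.juju.juju" name="/proc/1/cpuset" pid=1731640 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'audit: type=1400 audit(1676326746.330:1039): apparmor="ALLOWED" operation="open" profile="snap.juju.juju" name="/proc/1731631/status" pid=1731631 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Yield a dict of fields for every line carrying apparmor="DENIED"."""
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields


def abstract_path(path):
    """Replace the pid component of a /proc path with the @{PROC}/@{pid} profile variables."""
    return re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)


def suggest_rules(text):
    """Group open() denials by (profile, abstracted path) and emit one rule per group."""
    seen = defaultdict(lambda: {"masks": set(), "owner_only": True})
    for d in parse_denials(text):
        if d.get("operation") != "open" or "name" not in d:
            continue
        key = (d["profile"], abstract_path(d["name"]))
        seen[key]["masks"].update(d.get("denied_mask", ""))
        # An 'owner' rule only matches files whose ouid equals the accessing fsuid;
        # one cross-uid denial means an owner-qualified rule would still leave it denied.
        if d.get("fsuid") != d.get("ouid"):
            seen[key]["owner_only"] = False
    rules = {}
    for (profile, path), info in seen.items():
        prefix = "owner " if info["owner_only"] else ""
        rules.setdefault(profile, []).append(f'{prefix}{path} {"".join(sorted(info["masks"]))},')
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules("\n".join(SAMPLE_LINES)).items():
        print(profile, *lines, sep="\n  ")
```

With only the first two lines the script proposes `owner @{PROC}/@{pid}/cpuset r,`, the rule suggested in the thread; once the root-owned pid 1 read is included it drops the qualifier, which is the form that went into the base template.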

That would be great thank you. Is there an issue we can track to see when the change might land?

There is now :wink: https://github.com/snapcore/snapd/pull/12578