Kali 2021 snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

Hello,

I know this issue has been discussed many times on this forum, but none of the methods worked for me. So here is the info about my OS / config:

$ snap --version
snap    2.52.1
snapd   2.52.1
series  16
kali    2021.3
kernel  5.14.0-kali2-amd64

$ sudo apparmor_status
apparmor module is loaded.
15 profiles are loaded.
15 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/ipsec/charon
   /usr/lib/ipsec/stroke
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
   /usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
   /usr/sbin/haveged
   /usr/sbin/ntpd
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/haveged (913) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

Both Snapd and Apparmor are enabled. I’ve tried to reinstall Snapd several times.

apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine*
apparmor_parser -r /etc/apparmor.d/*snap-confine*

Those command lines make the error disappear but create another one:

 cannot change profile for the next exec call: No such file or directory

And the changes are reverted after reboot.

Does anyone know what I am missing?

First, make sure to install strace from the repositories. Then run snap run --strace='--raw -s 256 -vf' <some-snap> and collect the output to some pastebin. I suspect there is a problem with apparmor itself, and writing to /proc/<pid>/attr/exec or /proc/<pid>/attr/apparmor/exec fails.

Here are the pastebins. I’ve run the command line for both errors:

Snap Confine : https://pastebin.com/HugsHfXe

Cannot Change Profile : https://pastebin.com/f4wLb5q0

From the first log:

openat(AT_FDCWD, "/proc/11547/attr/current", O_RDONLY) = 4
read(4, "unconfined\n", 128)            = 11

This clearly indicates that there is no apparmor profile for snap-confine in the kernel. You probably need to run systemctl enable --now apparmor.service.

Then the next log:

openat(AT_FDCWD, "/proc/11709/attr/exec", O_WRONLY) = 4
write(4, "exec snap.webstorm.webstorm", 27) = -1 ENOENT (Aucun fichier ou dossier de ce type)
close(4)                                = 0
write(2, "cannot change profile for the next exec call", 44cannot change profile for the next exec call) = 44
write(2, ": No such file or directory\n", 28: No such file or directory

You probably need to run systemctl enable --now snapd.apparmor.service

This was fixed in Sid some time ago and AFAIU the fixes were imported to Kali.
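The two errors in this thread correspond to two different profiles missing from the kernel: snap-confine's own profile (loaded by apparmor.service from /etc/apparmor.d) and the per-snap profile such as snap.webstorm.webstorm (loaded by snapd.apparmor.service from /var/lib/snapd/apparmor/profiles). The script below is an added example, not something from this thread or from snapd, that reads the kernel's loaded-profile list and tells the two cases apart. It assumes the deb-packaged profile path /usr/lib/snapd/snap-confine shown in the apparmor_status output above and the "name (mode)" line format of /sys/kernel/security/apparmor/profiles.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): decide which systemd unit is the one
# whose profiles never reached the kernel.

PROFILES_FILE="${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Is the named profile loaded in enforce mode?
# $1 = profile listing in the kernel's "name (mode)" format, $2 = profile name
profile_enforced() {
    grep -qxF "$2 (enforce)" "$1"
}

# Prints one of:
#   apparmor.service        snap-confine itself runs unconfined
#                           (attr/current reads "unconfined": first error)
#   snapd.apparmor.service  snap-confine is confined but the per-snap profile
#                           is absent, so the write to attr/exec gets ENOENT
#                           (second error)
#   ok                      both profiles are loaded
# $1 = profile listing, $2 = per-snap profile name, e.g. snap.webstorm.webstorm
diagnose() {
    if ! profile_enforced "$1" /usr/lib/snapd/snap-confine; then
        echo apparmor.service
    elif ! profile_enforced "$1" "$2"; then
        echo snapd.apparmor.service
    else
        echo ok
    fi
}

# Constructed listing mirroring the apparmor_status output in the thread:
# snap-confine is loaded, the per-snap profile is not (the second error).
SAMPLE=$(mktemp)
printf '%s\n' '/usr/lib/snapd/snap-confine (enforce)' \
    '/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)' > "$SAMPLE"
diagnose "$SAMPLE" snap.webstorm.webstorm   # prints: snapd.apparmor.service
rm -f "$SAMPLE"

# Stand-alone use on a real system:  sh check-snap-apparmor.sh snap.webstorm.webstorm
if [ -n "${1:-}" ] && [ -r "$PROFILES_FILE" ]; then
    UNIT=$(diagnose "$PROFILES_FILE" "$1")
    if [ "$UNIT" = ok ]; then
        echo "profiles for snap-confine and $1 are loaded"
    else
        echo "missing profile; try: sudo systemctl enable --now $UNIT"
    fi
fi
```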

Thanks, it works!

I’ve run systemctl enable --now apparmor.service many times, so I think systemctl enable --now snapd.apparmor.service did the trick.