LXD issue due to snap-confine apparmor profile

So what do I do to figure out what the issue is?

Does the error go away when you run apparmor_parser -r /etc/apparmor.d/*snap-confine*?

Doesn’t appear to:
root@debianserver:/# apparmor_parser -r /etc/apparmor.d/snap-confine
AppArmor parser error for /etc/apparmor.d/snap.core.4144.usr.lib.snapd.snap-confine in /etc/apparmor.d/snap.core.4144.usr.lib.snapd.snap-confine at line 11: Could not open ‘/var/lib/snapd/apparmor/snap-confine.d’
Warning from /etc/apparmor.d/usr.lib.snapd.snap-confine (/etc/apparmor.d/usr.lib.snapd.snap-confine line 362): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; ‘man 5 apparmor.d’ for details.

It is this level of warning that has me considering my problem to be a security issue contrary to the assertions by ‘niemeyer’ (as posted earlier).

This is not a security issue because the kernel in Debian doesn’t have the required features so we’re not using them anyway. What is going on is that for whatever reason something is triggering while it shouldn’t.

Can you please create the directory /var/lib/snapd/apparmor/snap-confine.d and re-run the apparmor_parser command.

root@debianserver:/# apparmor_parser -r /etc/apparmor.d/snap-confine
Warning from /etc/apparmor.d/usr.lib.snapd.snap-confine (/etc/apparmor.d/usr.lib.snapd.snap-confine line 362): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; ‘man 5 apparmor.d’ for details.

Cool, does it make snaps work now?

Seems to have as now I can issue commands as ‘user’ and get results from lxd which I was not able to before.
Thank you!

So what was changed?
Why did it need to be changed?
Are there any other implications for my system security due to these changes?

What changed is that we manually loaded apparmor profiles for the privileged snap-confine program that is a part of the snapd sandbox toolchain. Normally those are loaded by the apparmor startup script.

I don’t know why they are not loaded on your system, maybe you disabled the apparmor job? (what does systemctl status apparmor say?).

The security implication is that your system may have gotten a little bit more secure over default because:

  • by default apparmor is not enabled on debian stable
  • snapd detects that and disables all apparmor processing

Still this is not perfect security in any sense, 4.9 is too old and doesn’t contain many of the important patches for apparmor features that are available in later kernels.
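The three things the reply above turns on (is AppArmor enabled in the kernel at all, does the include directory the parser complained about exist, and is a snap-confine profile actually in the kernel's profile list) can be checked without changing anything. The script below is an added example for this thread, not code from the thread or from snapd. It assumes the standard sysfs/securityfs paths AppArmor exposes (overridable through the environment), that the profiles list is only readable by root, and that `apparmor_parser -Q` (skip kernel load) parses a profile file without loading it, which is how it surfaces "Could not open" errors without touching the running policy.

```shell
#!/bin/sh
# Added example, not from the thread or from snapd: read-only checks for the
# snap-confine AppArmor setup discussed above. Paths are the stock ones on
# Debian; override through the environment for testing.
SNAP_CONFINE_D="${SNAP_CONFINE_D:-/var/lib/snapd/apparmor/snap-confine.d}"
AA_ENABLED="${AA_ENABLED:-/sys/module/apparmor/parameters/enabled}"
AA_PROFILES="${AA_PROFILES:-/sys/kernel/security/apparmor/profiles}"
apos="'"

# apparmor_kernel_state FILE: prints "enabled" (kernel has AppArmor on),
# "disabled" (module present but off) or "absent" (no such file).
apparmor_kernel_state() {
  [ -r "$1" ] || { echo absent; return 0; }
  case "$(cat "$1")" in
    Y) echo enabled ;;
    *) echo disabled ;;
  esac
}

# missing_include_path LINE: given one line of apparmor_parser output, print
# the absolute path from a "Could not open '...'" error, nothing otherwise.
# Accepts the ASCII quotes the parser emits and the typographic ones the
# forum rendering turned them into.
missing_include_path() {
  case "$1" in
    *"Could not open "*) ;;
    *) return 0 ;;
  esac
  rest="${1#*Could not open }"          # text after the message
  rest="${rest#*/}"                      # drop the opening quote and leading /
  printf '/%s\n' "${rest%%[$apos’]*}"   # keep up to the closing quote
}

# profile_loaded PROFILES_FILE NAME: true if the kernel lists NAME as loaded.
# Each line of the profiles file reads "NAME (mode)".
profile_loaded() {
  [ -r "$1" ] || return 1
  grep -q -- "^$2 (" "$1"
}

# report: run the checks on the live system and say what to do next.
report() {
  echo "kernel AppArmor: $(apparmor_kernel_state "$AA_ENABLED")"
  if [ -d "$SNAP_CONFINE_D" ]; then
    echo "include directory present: $SNAP_CONFINE_D"
  else
    echo "missing include directory: $SNAP_CONFINE_D (create it, then reload the snap-confine profiles with apparmor_parser -r)"
  fi
  if [ -r "$AA_PROFILES" ]; then
    if grep -q 'snap-confine' "$AA_PROFILES"; then
      echo "snap-confine profile(s) loaded:"; grep 'snap-confine' "$AA_PROFILES"
    else
      echo "no snap-confine profile loaded"
    fi
  else
    echo "profile list $AA_PROFILES not readable (run as root, check securityfs is mounted)"
  fi
  if command -v apparmor_parser >/dev/null 2>&1; then
    for f in /etc/apparmor.d/*snap-confine*; do
      [ -e "$f" ] || continue
      # -Q parses the profile without loading it into the kernel
      apparmor_parser -Q -r "$f" 2>&1 | while IFS= read -r line; do
        p=$(missing_include_path "$line")
        [ -n "$p" ] && echo "$f: cannot open include $p"
      done
    done
  fi
}

case "${1:-}" in --report) report ;; esac
```

Run it as `sh check-snap-confine.sh --report`; the functions are also usable on saved parser output, which is why the error-line parser is separate from the live report.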

root@debianserver:/# systemctl status apparmor
● apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2018-02-07 17:45:03 CST; 2 weeks 6 days ago
Docs: man:apparmor(7)
http://wiki.apparmor.net/
Main PID: 1553 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
Memory: 0B
CPU: 0
CGroup: /system.slice/apparmor.service

Feb 07 17:45:01 debianserver systemd[1]: Starting AppArmor initialization…
Feb 07 17:45:03 debianserver apparmor[1553]: Starting AppArmor profiles:Warning from /etc/apparmor.d/usr.lib.snapd.snap-confine (/etc/apparmor.d/usr.lib.snapd.snap-confine line 362): Unc
Feb 07 17:45:03 debianserver apparmor[1553]: .
Feb 07 17:45:03 debianserver systemd[1]: Started AppArmor initialization.
Feb 24 17:23:20 debianserver systemd[1]: apparmor.service: Cannot add dependency job, ignoring: Unit apparmor.service is masked.

Would be quite interested in comments re: what the above actually means. I get that start date was x and on another date something was not done.

Perfect security - - - in life, probability and security there is no such thing as 0 or 100%. The closer one gets to any of these extremes the more difficult the next level is - - - and the increase in difficulty is at best geometric - - - linear doesn’t even function here.

Re. 4.9 being an old kernel - - - I have gotten burned trying to chase software updates, Firefox to me is a notorious example and as there still doesn’t seem to be any consensus as to a fairly good solution (at the very least!!!) for the hardware issues on Intel chips (and others also affected) I’ve been waiting. I don’t really enjoy spending days or even weeks of time trying to correct goofy computer issues caused by me trying risky things - - - one of the reasons this package is on debian ‘stable’ although my main box is on ‘testing’.

I do very much appreciate the explanations as they help develop a framework of understanding - - - so even if I don’t know what goes into the frame - - - I have some idea how the frame is to function.
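Reading the status output quoted above in systemd terms: `Loaded: loaded ... enabled` and `Active: active (exited) since Feb 07` mean the one-shot unit ran at boot and loaded the profiles that existed then. The Feb 24 line records that another job pulled in apparmor.service as a dependency and systemd dropped that request because the unit was masked (linked to /dev/null) at that moment; whatever wanted AppArmor on Feb 24 did not get profiles loaded by the service. The script below is an added example, not part of the thread, that classifies `systemctl status apparmor` text so that such a line is not lost among the rest of the output; the sample text is constructed from the thread's output with fewer lines, and the `--no-pager`/`-n` options are standard systemctl options.

```shell
#!/bin/sh
# Added example, not from the thread: classify the state of apparmor.service
# from `systemctl status apparmor` text.

# Constructed sample, trimmed from the thread's output (same wording).
SAMPLE='● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Wed 2018-02-07 17:45:03 CST; 2 weeks 6 days ago
Feb 07 17:45:03 debianserver systemd[1]: Started AppArmor initialization.
Feb 24 17:23:20 debianserver systemd[1]: apparmor.service: Cannot add dependency job, ignoring: Unit apparmor.service is masked.'

# status_field LABEL: read status text on stdin, print the first word after
# "LABEL:" (e.g. "loaded", "masked", "active", "inactive").
status_field() {
  sed -n "s/^[[:space:]]*$1: \([a-z]*\).*/\1/p" | head -n 1
}

# masked_events: read status text on stdin, print how many journal lines
# record systemd refusing a job because the unit was masked.
masked_events() {
  grep -c 'is masked' || true
}

# apparmor_verdict TEXT: one word summarising the unit's state:
#   masked        unit is masked right now, so nothing will load profiles
#   inactive      unit is not masked but has not run
#   masked-event  unit ran at boot, but a later job that depended on it was
#                 dropped because the unit was masked at that time
#   ok            ran at boot, no masked events in the shown journal lines
apparmor_verdict() {
  loaded=$(printf '%s\n' "$1" | status_field Loaded)
  active=$(printf '%s\n' "$1" | status_field Active)
  events=$(printf '%s\n' "$1" | masked_events)
  if [ "$loaded" = masked ]; then
    echo masked
  elif [ "$active" != active ]; then
    echo inactive
  elif [ "$events" -gt 0 ]; then
    echo masked-event
  else
    echo ok
  fi
}

# --live classifies the real unit (more journal lines than the default);
# --sample classifies the constructed text above.
case "${1:-}" in
  --live)   apparmor_verdict "$(systemctl status --no-pager -n 50 apparmor 2>&1 || true)" ;;
  --sample) apparmor_verdict "$SAMPLE" ;;
esac
```

A `masked` verdict calls for `systemctl unmask apparmor` before anything else; a `masked-event` verdict on a unit that is loaded now means the profiles in the kernel are whatever the service loaded at boot, so profile files changed since then need the manual `apparmor_parser -r` reload the thread used, and `journalctl -u apparmor` shows the full history rather than the last few lines.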

Hmm

Does stuff work if you reboot your machine now? I think that it … might but you have to do the experiment.

Sorry - - - things were responding as they were supposed to and I hadn’t seen your question but - - - thank you, things are working (I didn’t use a reboot).

Thanks for the assistance.
