Network not available to snaps

I’ve been trying to get strict confinement working on my system (Debian bullseye/sid, under WSL 2, with systemd-genie), and I’m running into an AppArmor issue in which any snap that requires socket access doesn’t get it.

To fill in system details:

❯ snap version
snap    2.49~rc1
snapd   2.49~rc1
series  16
debian  bullseye
kernel  5.4.91-20210129-microsoft-custom-wsl2+

❯ snap debug confinement
strict

❯ snap debug connectivity
Connectivity status:
 * PASS

❯ snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging

The kernel in question is a custom build that has had the requisite apparmor networking patches added to it.

I’ll use doctl as my test snap, as about the simplest network-requiring snap I use regularly, but equivalent errors show up with every other network-using snap I’ve tried:

❯ doctl balance get
Error: Get "https://api.digitalocean.com/v2/customers/my/balance": dial tcp: lookup api.digitalocean.com on 127.0.0.53:53: dial udp 127.0.0.53:53: socket: permission denied
[1]    145329 exit 1     doctl balance get

With the following log entries:

[86705.562009] audit: type=1400 audit(1612038518.385:3854): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145874 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[86705.573877] audit: type=1400 audit(1612038518.385:3855): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145874 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[86706.237211] audit: type=1400 audit(1612038519.057:3856): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.250706] audit: type=1400 audit(1612038519.057:3857): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.267949] audit: type=1400 audit(1612038519.057:3858): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.283209] audit: type=1400 audit(1612038519.057:3859): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.295765] audit: type=1400 audit(1612038519.057:3860): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.308722] audit: type=1400 audit(1612038519.057:3861): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.321486] audit: type=1400 audit(1612038519.057:3862): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.334507] audit: type=1400 audit(1612038519.057:3863): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"

Any thoughts on what might be wrong or where I might go from here to debug it would be much appreciated!
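As an added triage aid (not part of the original post or of snapd), the script below parses AppArmor `type=1400` audit records like the ones quoted above and collapses the repeated denials into counts keyed by profile, program, socket family/type and operation, so a long `dmesg` run reduces to a couple of lines that say which sandbox boundary is being hit. The sample log is a constructed excerpt of the post's denials; the `FAMILY_HINT` mapping (inet/inet6 socket creation is what the `network` plug grants) is a heuristic assumption, not something the post establishes.

```python
import re
from collections import Counter

# Constructed sample: three of the AppArmor denials quoted in the post above.
SAMPLE_LOG = """\
[86705.562009] audit: type=1400 audit(1612038518.385:3854): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145874 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[86705.573877] audit: type=1400 audit(1612038518.385:3855): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145874 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[86706.237211] audit: type=1400 audit(1612038519.057:3856): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
"""

# key=value pairs; the value is either a "quoted string" or a bare token (pid=145874, addr=none)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def summarise_denials(text):
    """Collapse repeated denials into counts keyed by what matters for triage:
    profile, program (comm), socket family, socket type and the refused operation."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') != 'DENIED':
            continue
        key = (rec['profile'], rec.get('comm', '?'), rec.get('family', '-'),
               rec.get('sock_type', '-'), rec['operation'])
        counts[key] += 1
    return counts

# Heuristic assumption (not from the post): inet/inet6 socket creation is what the
# 'network' snap interface grants. Other families get no plug hint here.
FAMILY_HINT = {'inet': 'network', 'inet6': 'network'}

def report(text):
    """One human-readable line per distinct denial, with a plug hint where one applies."""
    out = []
    for (profile, comm, family, stype, op), n in sorted(summarise_denials(text).items()):
        hint = FAMILY_HINT.get(family, 'no plug mapping in this heuristic')
        out.append(f"{profile}: {comm} {op} {family}/{stype} x{n} -> {hint}")
    return out

if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG)))
```

Feed it the real `dmesg | grep apparmor` output instead of `SAMPLE_LOG` to see whether the denials are confined to one family (a missing or disconnected plug) or span families that no plug gates (more likely a kernel or policy problem, as the post suspects).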
