I’ve been trying to get strict confinement working on my system (Debian bullseye/sid, under WSL 2, with systemd-genie), and I’m running into an AppArmor issue in which any snap that requires socket access doesn’t get it.
To fill in system details:
```
❯ snap version
snap    2.49~rc1
snapd   2.49~rc1
series  16
debian  bullseye
kernel  5.4.91-20210129-microsoft-custom-wsl2+
```
```
❯ snap debug confinement
strict
❯ snap debug connectivity
Connectivity status:
 * PASS
❯ snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging
```
The kernel in question is a custom build that has had the requisite apparmor networking patches added to it.
I’ll use doctl as my test snap, as it is about the simplest network-requiring snap I use regularly, but equivalent errors show up with every other network-using snap I’ve tried:
```
❯ doctl balance get
Error: Get "https://api.digitalocean.com/v2/customers/my/balance": dial tcp: lookup api.digitalocean.com on 127.0.0.53:53: dial udp 127.0.0.53:53: socket: permission denied
[1] 145329 exit 1 doctl balance get
```
With the following log entries:
```
[86705.562009] audit: type=1400 audit(1612038518.385:3854): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145874 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[86705.573877] audit: type=1400 audit(1612038518.385:3855): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145874 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[86706.237211] audit: type=1400 audit(1612038519.057:3856): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.250706] audit: type=1400 audit(1612038519.057:3857): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.267949] audit: type=1400 audit(1612038519.057:3858): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.283209] audit: type=1400 audit(1612038519.057:3859): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.295765] audit: type=1400 audit(1612038519.057:3860): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.308722] audit: type=1400 audit(1612038519.057:3861): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.321486] audit: type=1400 audit(1612038519.057:3862): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.334507] audit: type=1400 audit(1612038519.057:3863): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
```
Any thoughts on what might be wrong or where I might go from here to debug it would be much appreciated!
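The kernel-log lines quoted in the post are the main evidence to work from when triaging a confinement problem like this, and it helps to reduce a long burst of repeated `DENIED` entries to the handful of distinct denials they represent. The following is an added example, not code from the post or from snapd, that parses AppArmor audit lines in the `key="value"` form shown above, keeps only `apparmor="DENIED"` records, and groups them by profile, program, operation, socket family, socket type and denied mask. The embedded sample is constructed from three of the post's own lines; the `snap.<snap>.<app>` profile naming it splits on is snapd's convention for strictly confined apps, and nothing else about the system is assumed.

```python
import re
from collections import Counter

# Constructed sample: three of the kernel-log lines quoted in the post above.
SAMPLE_LOG = """\
[86705.562009] audit: type=1400 audit(1612038518.385:3854): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145874 comm="getent" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[86706.237211] audit: type=1400 audit(1612038519.057:3856): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[86706.250706] audit: type=1400 audit(1612038519.057:3857): apparmor="DENIED" operation="create" profile="snap.doctl.doctl" pid=145877 comm="doctl.real" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
"""

# Matches key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The fields that identify one kind of socket denial, in the order used for grouping.
GROUP_FIELDS = ("profile", "comm", "operation", "family", "sock_type", "denied_mask")


def parse_line(line):
    """Return a dict of key/value fields for an AppArmor audit line, or None
    if the line is not an AppArmor record at all."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def snap_app(profile):
    """Split a snapd profile name 'snap.<snap>.<app>' into (snap, app).
    Returns None for profiles that do not follow that convention."""
    parts = profile.split(".", 2)
    if len(parts) != 3 or parts[0] != "snap":
        return None
    return parts[1], parts[2]


def summarize(log_text):
    """Count DENIED records grouped by the GROUP_FIELDS tuple, so a burst of
    identical denials collapses into one entry with a count."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        counts[tuple(f.get(k) for k in GROUP_FIELDS)] += 1
    return counts


def describe(counts):
    """Render each distinct denial as a one-line human summary, most frequent first."""
    lines = []
    for key, n in counts.most_common():
        profile, comm, op, family, sock_type, mask = key
        owner = snap_app(profile)
        who = f"snap {owner[0]} app {owner[1]}" if owner else f"profile {profile}"
        lines.append(f"{who}: {comm} denied {mask} (op {op}) on {family}/{sock_type} socket, {n}x")
    return lines


if __name__ == "__main__":
    for text in describe(summarize(SAMPLE_LOG)):
        print(text)
```

Run against the full `dmesg` output, the summary shows that every denial here is a socket `create`, not a `connect` or `bind`: the confined process is refused the socket itself before any address is involved, which is the detail to carry into further debugging of the profile or kernel.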