Hi! The htop snap is seeing lots of activity lately due to the recent upstream switch, and I’m getting a number of apparently new apparmor denials, both on Ubuntu 20.04 and 18.04. (I’m the snap packager, btw.)
This happens both on stable and edge, with the usual process-control and system-observe interfaces connected:
= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/1019864/smaps_rollup" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/1019864/smaps_rollup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/smaps_rollup'
And these are found on edge (the oom ones keep looping when the OOM column is enabled):
= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/spl/kstat/zfs/arcstats" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/spl/kstat/zfs/arcstats (read)
Suggestion:
* adjust program to not access '@{PROC}/spl/kstat/zfs/arcstats'
= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8405/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/8405/oom_score (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/oom_score'
= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8610/task/543313/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/8610/task/543313/oom_score (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/task/543313/oom_score'
* adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/oom_score'
Maybe we can add these extra permissions to system-observe?
@{PROC}/*/{,task/*/}smaps_rollup r,
@{PROC}/*/{,task/*/}oom_score r,
@{PROC}/spl/kstat/zfs/arcstats r,
Cheers,
2 Likes
Also, just noticed that the new pressure stall info (PSI) meters produce these additional denials:
= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/cpu" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/cpu (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/cpu'
= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/io" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/io (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/io'
= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/memory" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/memory (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/memory'
Maybe add these as well?
@{PROC}/pressure/cpu r,
@{PROC}/pressure/io r,
@{PROC}/pressure/memory r,
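The snappy-debug suggestions quoted in both posts above are a mechanical rewrite of the denied path into AppArmor variables (`/proc` to `@{PROC}`, the process id to `@{pid}`, thread ids to `[0-9]*`). As an added example (not code from this thread, htop or snapd), the Python below parses such DENIED lines for one snap profile, abstracts the paths the same way, and folds the plain and `task/` variants into the brace form proposed above; the sample log lines are constructed, patterned on the ones quoted here.

```python
import re
from collections import defaultdict

# Constructed sample audit lines, patterned on the denials quoted in this thread.
# The last line belongs to a different profile and must be ignored.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/1019864/smaps_rollup" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8405/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8610/task/543313/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/memory" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="snap.other.other" name="/proc/pressure/cpu" pid=42 comm="x" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of one AppArmor audit line, or None if it is not a DENIED record."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def abstract_proc_path(path):
    """Rewrite a /proc path into the @{PROC}/@{pid}/... form used by the suggestions above."""
    if not path.startswith("/proc/"):
        return path
    parts = path.split("/")[2:]          # drop the leading '' and 'proc'
    # the first numeric component is the pid; later ones are thread ids under task/
    out = [("@{pid}" if i == 0 else "[0-9]*") if p.isdigit() else p for i, p in enumerate(parts)]
    return "@{PROC}/" + "/".join(out)

def suggest_rules(log_text, profile):
    """One AppArmor file rule per abstracted path denied to the given snap profile."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d and d.get("profile") == profile and "name" in d:
            masks[abstract_proc_path(d["name"])].update(d.get("denied_mask", ""))
    return sorted(f"{path} {''.join(sorted(m))}," for path, m in masks.items())

def merge_task_variants(rules):
    """Fold 'P/@{pid}/F m,' and 'P/@{pid}/task/[0-9]*/F m,' into 'P/@{pid}/{,task/[0-9]*/}F m,'."""
    remaining, merged = set(rules), set()
    for rule in sorted(remaining):
        path, mask = rule.rsplit(" ", 1)
        task_rule = f"{path.replace('@{pid}/', '@{pid}/task/[0-9]*/', 1)} {mask}"
        if "@{pid}/" in path and task_rule in remaining:
            merged.add(f"{path.replace('@{pid}/', '@{pid}/{,task/[0-9]*/}', 1)} {mask}")
            remaining.discard(task_rule)   # the task variant is now covered by the brace form
        elif rule in remaining:
            merged.add(rule)
    return sorted(merged)

if __name__ == "__main__":
    for r in merge_task_variants(suggest_rules(SAMPLE_LOG, "snap.htop.htop")):
        print(r)
```

Each emitted rule still needs a human decision on whether the file belongs in system-observe (a read-only process/system view) or in a more privileged interface before it goes into snapd.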
Just bumping this thread in case it was missed or forgotten.
1 Like
I think @jdstrand needs to poke through the security blanket for you. He’ll see this post now that I mentioned him by name and will be along when he can to see what needs to be added to the interfaces.
Is there any movement on this issue? I am running into the same problem with htop version 3.0.5 installed as snap.
snap-id: hJmReLmgXSUj4SF7WhyTVRV6IzUa4QUZ
tracking: latest/stable
refresh-date: today at 05:30 CET
channels:
latest/stable: 3.0.5 2021-01-28 (2184) 16MB -
latest/candidate: 3.0.5 2021-01-28 (2184) 16MB -
latest/beta: ↑
latest/edge: 3.0.5-189-g7b293dc 2021-03-22 (2470) 16MB -
installed: 3.0.5 (2184) 16MB -
This is still an issue with latest htop and snapd. Any ideas, suggestions, or workarounds?
1 Like
I’ll have a look at adding these to system-observe
1 Like
@maxiberta @ijohnson This still appears to be an issue – any updates/changes?
1 Like
Sorry, this appears to have gone under our radar. I’ve opened a PR with an update to the relevant interface right here: https://github.com/snapcore/snapd/pull/11836
1 Like