Hi! The htop snap is seeing lots of activity lately due to the recent upstream switch; and I’m getting a number of apparently new apparmor denials, both on Ubuntu 20.04 and 18.04.
(I’m the snap packager, btw)
This happens both on stable and edge, with the usual process-control and system-observe interfaces connected:
= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/1019864/smaps_rollup" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/1019864/smaps_rollup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/smaps_rollup'
And these are found on edge (the oom ones keep looping when the OOM column is enabled):
= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/spl/kstat/zfs/arcstats" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/spl/kstat/zfs/arcstats (read)
Suggestion:
* adjust program to not access '@{PROC}/spl/kstat/zfs/arcstats'
= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8405/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/8405/oom_score (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/oom_score'
= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8610/task/543313/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/8610/task/543313/oom_score (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/task/543313/oom_score'
* adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/oom_score'
Maybe we can add these extra permissions to system-observe?
@{PROC}/*/{,task/*/}smaps_rollup r,
@{PROC}/*/{,task/*/}oom_score r,
@{PROC}/spl/kstat/zfs/arcstats r,
Cheers,
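An added example, not part of the original post or of snapd: a Python check that the three rules proposed above cover every denial quoted in the post without also matching a neighbouring file. It assumes `@{PROC}` expands to `/proc` and handles only the glob subset those rules use plus `**`; the `oom_score_adj` log line is constructed, the others are trimmed from the post.

```python
import re

# Rules proposed in the post; @{PROC} is assumed to expand to /proc.
RULES = ["@{PROC}/*/{,task/*/}smaps_rollup r,",
         "@{PROC}/*/{,task/*/}oom_score r,",
         "@{PROC}/spl/kstat/zfs/arcstats r,"]

# Denials from the post (fields trimmed); the last line is constructed and must stay denied.
LOG = [
    'apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/1019864/smaps_rollup" requested_mask="r" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/spl/kstat/zfs/arcstats" requested_mask="r" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8405/oom_score" requested_mask="r" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8610/task/543313/oom_score" requested_mask="r" denied_mask="r"',
    'apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8405/oom_score_adj" requested_mask="r" denied_mask="r"',
]

DENIED = re.compile(r'apparmor="DENIED".*?\bname="([^"]+)".*?\bdenied_mask="([^"]+)"')
# '*' stays inside one path component, '**' may cross '/', {a,b} is alternation.
GLOB = {"**": ".*", "*": "[^/]*", "{": "(?:", "}": ")"}

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used above (*, **, {a,b}) to a regex."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|.", glob.replace("@{PROC}", "/proc")):
        if tok in "{}":
            depth += 1 if tok == "{" else -1
        if tok == "," and depth:
            out.append("|")               # alternation separator inside {}
        else:
            out.append(GLOB.get(tok, re.escape(tok)))
    return re.compile("".join(out) + r"\Z")  # anchored: no prefix matches

def coverage(log_lines, rules=RULES):
    """Map each denied path to the first rule that would allow it, or None."""
    parsed = []
    for rule in rules:
        path, perms = rule.rstrip(", ").rsplit(None, 1)
        parsed.append((rule, glob_to_regex(path), set(perms)))
    result = {}
    for line in log_lines:
        m = DENIED.search(line)
        if m:
            path, mask = m.group(1), set(m.group(2))
            result[path] = next((r for r, rx, perms in parsed
                                 if rx.match(path) and mask <= perms), None)
    return result

if __name__ == "__main__":
    for path, rule in coverage(LOG).items():
        print(f"{path:40} {rule or 'STILL DENIED'}")
```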