New htop apparmor denials

maxiberta · September 29, 2020, 12:56pm

Hi! The htop snap is seeing lots of activity lately due to the recent upstream switch; and I’m getting a number of apparently new apparmor denials, both on Ubuntu 20.04 and 18.04.

(I’m the snap packager, btw )

This happens both on stable and edge, with the usual process-control and system-observe interfaces connected:

= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/1019864/smaps_rollup" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/1019864/smaps_rollup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/smaps_rollup'

And these are found on edge (the oom ones keep looping when the OOM column is enabled):

= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/spl/kstat/zfs/arcstats" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/spl/kstat/zfs/arcstats (read)
Suggestion:
* adjust program to not access '@{PROC}/spl/kstat/zfs/arcstats'

= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8405/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/8405/oom_score (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/oom_score'

= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8610/task/543313/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/8610/task/543313/oom_score (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/task/543313/oom_score'
* adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/oom_score'

Maybe can we add these extra permissions to system-observe?

@{PROC}/*/{,task/*/}smaps_rollup r,
@{PROC}/*/{,task/*/}oom_score r,
@{PROC}/spl/kstat/zfs/arcstats r,

Cheers,

maxiberta · September 29, 2020, 2:48pm

Also, just noticed that the new pressure stall info (PSI) meters produce these additional denials:

= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/cpu" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/cpu (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/cpu'

= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/io" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/io (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/io'

= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/memory" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/memory (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/memory'

Maybe add these as well?

@{PROC}/pressure/cpu r
@{PROC}/pressure/io r
@{PROC}/pressure/memory r

maxiberta · October 15, 2020, 2:17pm

Just bumping this thread in case it was missed or forgotten

daniel · October 15, 2020, 3:50pm

I think @jdstrand needs to poke through the security blanket for you He’ll see this post now that I mentioned him by name and will be along when he can to see what needs to be added to the interfaces.