New htop apparmor denials

Hi! The htop snap is seeing lots of activity lately due to the recent upstream switch; and I’m getting a number of apparently new apparmor denials, both on Ubuntu 20.04 and 18.04.

(I’m the snap packager, btw )

This happens both on stable and edge, with the usual process-control and system-observe interfaces connected:

= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/1019864/smaps_rollup" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/1019864/smaps_rollup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/smaps_rollup'

And these are found on edge (the oom ones keep looping when the OOM column is enabled):

= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/spl/kstat/zfs/arcstats" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/spl/kstat/zfs/arcstats (read)
Suggestion:
* adjust program to not access '@{PROC}/spl/kstat/zfs/arcstats'

= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8405/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/8405/oom_score (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/oom_score'

= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8610/task/543313/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/8610/task/543313/oom_score (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/task/543313/oom_score'
* adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/oom_score'

Maybe can we add these extra permissions to system-observe?

• @{PROC}/*/{,task/*/}smaps_rollup r,
• @{PROC}/*/{,task/*/}oom_score r,
• @{PROC}/spl/kstat/zfs/arcstats r,

Cheers,

Also, just noticed that the new pressure stall info (PSI) meters produce these additional denials:

= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/cpu" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/cpu (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/cpu'

= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/io" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/io (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/io'

= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/memory" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/memory (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/memory'

Maybe add these as well?

• @{PROC}/pressure/cpu r
• @{PROC}/pressure/io r
• @{PROC}/pressure/memory r

Just bumping this thread in case it was missed or forgotten

I think @jdstrand needs to poke through the security blanket for you He’ll see this post now that I mentioned him by name and will be along when he can to see what needs to be added to the interfaces.

Is there any movement on this issue? I am running into the same problem with htop version 3.0.5 installed as snap.

snap-id:      hJmReLmgXSUj4SF7WhyTVRV6IzUa4QUZ
tracking:     latest/stable
refresh-date: today at 05:30 CET
channels:
  latest/stable:    3.0.5              2021-01-28 (2184) 16MB -
  latest/candidate: 3.0.5              2021-01-28 (2184) 16MB -
  latest/beta:      ↑
  latest/edge:      3.0.5-189-g7b293dc 2021-03-22 (2470) 16MB -
installed:          3.0.5                         (2184) 16MB -

This is still an issue with latest htop and snapd. Any ideas, suggestions, or workarounds?

I’ll have a look at adding these to system-observe