New htop apparmor denials

maxiberta · September 29, 2020, 12:56pm

Hi! The htop snap is seeing lots of activity lately due to the recent upstream switch; and I’m getting a number of apparently new apparmor denials, both on Ubuntu 20.04 and 18.04.

(I’m the snap packager, btw )

This happens both on stable and edge, with the usual process-control and system-observe interfaces connected:

= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/1019864/smaps_rollup" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/1019864/smaps_rollup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/smaps_rollup'

And these are found on edge (the oom ones keep looping when the OOM column is enabled):

= AppArmor =
Time: Sep 28 16:20:26
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/spl/kstat/zfs/arcstats" pid=1019864 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/spl/kstat/zfs/arcstats (read)
Suggestion:
* adjust program to not access '@{PROC}/spl/kstat/zfs/arcstats'

= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8405/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/8405/oom_score (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/oom_score'

= AppArmor =
Time: Sep 28 16:21:51
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/8610/task/543313/oom_score" pid=1020539 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/8610/task/543313/oom_score (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/task/543313/oom_score'
* adjust program to not access '@{PROC}/@{pid}/task/[0-9]*/oom_score'

Maybe can we add these extra permissions to system-observe?

@{PROC}/*/{,task/*/}smaps_rollup r,
@{PROC}/*/{,task/*/}oom_score r,
@{PROC}/spl/kstat/zfs/arcstats r,

Cheers,

maxiberta · September 29, 2020, 2:48pm

Also, just noticed that the new pressure stall info (PSI) meters produce these additional denials:

= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/cpu" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/cpu (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/cpu'

= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/io" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/io (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/io'

= AppArmor =
Time: Sep 29 11:44:29
Log: apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/pressure/memory" pid=1385219 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/pressure/memory (read)
Suggestion:
* adjust program to not access '@{PROC}/pressure/memory'

Maybe add these as well?

@{PROC}/pressure/cpu r
@{PROC}/pressure/io r
@{PROC}/pressure/memory r

maxiberta · October 15, 2020, 2:17pm

Just bumping this thread in case it was missed or forgotten

diddledani · October 15, 2020, 3:50pm

I think @jdstrand needs to poke through the security blanket for you He’ll see this post now that I mentioned him by name and will be along when he can to see what needs to be added to the interfaces.

csadorf · March 23, 2021, 4:58pm

Is there any movement on this issue? I am running into the same problem with htop version 3.0.5 installed as snap.

snap-id:      hJmReLmgXSUj4SF7WhyTVRV6IzUa4QUZ
tracking:     latest/stable
refresh-date: today at 05:30 CET
channels:
  latest/stable:    3.0.5              2021-01-28 (2184) 16MB -
  latest/candidate: 3.0.5              2021-01-28 (2184) 16MB -
  latest/beta:      ↑
  latest/edge:      3.0.5-189-g7b293dc 2021-03-22 (2470) 16MB -
installed:          3.0.5                         (2184) 16MB -

maxiberta · April 7, 2021, 1:54pm

This is still an issue with latest htop and snapd. Any ideas, suggestions, or workarounds?

ijohnson · April 8, 2021, 1:39am

I’ll have a look at adding these to system-observe

pjfasano · June 1, 2022, 12:42am

@maxiberta @ijohnson This still appears to be an issue – any updates/changes?

mborzecki · June 1, 2022, 6:14am

Sorry, this appears to have gone under our radar. I’ve opened a PR with an update to the relevant interface right here: https://github.com/snapcore/snapd/pull/11836

maxiberta · June 2, 2022, 3:10pm

This PR should fix a few extra denials: https://github.com/snapcore/snapd/pull/11840