Node.js REST API packaged as Snap errored when install from store

jperera · September 6, 2023, 11:49pm

Hello, I created an snap for simple Node.js API, I posted in a forum topic before Node.js REST API packed as Snap and you can find there a public Github repo. When I install locally created using: grade: devel confinement: devmode It worked perfect but, when installed from the store with grade stable and confinement “strict” I got this errors:

Sep 06 19:30:07 jose-XPS-13-7390 audit[75494]: AVC apparmor=“ALLOWED” operation=“sendmsg” class=“net” profile=“snap.jr-node-api.snap-hello-api” pid=75494 comm=“node” laddr=::1 lport=3000 faddr=::1 fport=47084 family=“inet6” sock_type=“stream” protocol=6 requested_mask=“send” denied_mask=“send” Sep 06 19:30:07 jose-XPS-13-7390 kernel: kauditd_printk_skb: 10 callbacks suppressed Sep 06 19:30:07 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043007.635:421): apparmor=“ALLOWED” operation=“file_perm” class=“net” profile=“snap.jr-node-api.snap-hello-api” pid=75494 comm=“node” laddr=::1 lport=3000 faddr=::1 fport=47084 family=“inet6” sock_type=“stream” protocol=6 requested_mask=“send” denied_mask=“send” Sep 06 19:30:07 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043007.635:422): apparmor=“ALLOWED” operation=“file_perm” class=“net” profile=“snap.jr-node-api.snap-hello-api” pid=75494 comm=“node” laddr=::1 lport=3000 faddr=::1 fport=47084 family=“inet6” sock_type=“stream” protocol=6 requested_mask=“send” denied_mask=“send” Sep 06 19:30:07 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043007.635:423): apparmor=“ALLOWED” operation=“sendmsg” class=“net” profile=“snap.jr-node-api.snap-hello-api” pid=75494 comm=“node” laddr=::1 lport=3000 faddr=::1 fport=47084 family=“inet6” sock_type=“stream” protocol=6 requested_mask=“send” denied_mask=“send” Sep 06 19:31:12 jose-XPS-13-7390 audit[76325]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” pid=76325 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043072.412:424): apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” pid=76325 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 audit[76428]: AVC apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/" pid=76428 comm=“mount” flags=“rw, remount, noatime” Sep 06 19:31:12 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043072.880:425): apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/" pid=76428 comm=“mount” flags=“rw, remount, noatime” Sep 06 19:31:12 jose-XPS-13-7390 audit[76494]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“lsb_release” pid=76494 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 audit[76495]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“nvidia_modprobe” pid=76495 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043072.924:426): apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“lsb_release” pid=76494 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043072.924:427): apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“nvidia_modprobe” pid=76495 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043072.924:428): apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“nvidia_modprobe//kmod” pid=76495 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 audit[76495]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“nvidia_modprobe//kmod” pid=76495 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 audit[76496]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name="/usr/lib/snapd/snap-confine" pid=76496 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 audit[76496]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=76496 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043072.928:429): apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name="/usr/lib/snapd/snap-confine" pid=76496 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043072.928:430): apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=76496 comm=“apparmor_parser” Sep 06 19:31:12 jose-XPS-13-7390 audit[76524]: AVC apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/run/systemd/unit-root/proc/" pid=76524 comm="(networkd)" fstype=“proc” srcname=“proc” flags=“rw, nosuid, nodev, noexec” Sep 06 19:31:12 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043072.972:431): apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/run/systemd/unit-root/proc/" pid=76524 comm="(networkd)" fstype=“proc” srcname=“proc” flags=“rw, nosuid, nodev, noexec” Sep 06 19:31:13 jose-XPS-13-7390 audit[76536]: AVC apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/run/systemd/unit-root/proc/" pid=76536 comm="(resolved)" fstype=“proc” srcname=“proc” flags=“rw, nosuid, nodev, noexec” Sep 06 19:31:13 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043073.024:432): apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/run/systemd/unit-root/proc/" pid=76536 comm="(resolved)" fstype=“proc” srcname=“proc” flags=“rw, nosuid, nodev, noexec” Sep 06 19:31:13 jose-XPS-13-7390 audit[76590]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“snap-update-ns.snapcraft” pid=76590 comm=“apparmor_parser” Sep 06 19:31:13 jose-XPS-13-7390 audit[76589]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name="/snap/snapd/19457/usr/lib/snapd/snap-confine" pid=76589 comm=“apparmor_parser” Sep 06 19:31:13 jose-XPS-13-7390 audit[76589]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name="/snap/snapd/19457/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=76589 comm=“apparmor_parser” Sep 06 19:31:13 jose-XPS-13-7390 audit[76596]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“snap.snapcraft.hook.configure” pid=76596 comm=“apparmor_parser” Sep 06 19:31:13 jose-XPS-13-7390 audit[76597]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“snap.snapcraft.hook.remove” pid=76597 comm=“apparmor_parser” Sep 06 19:31:13 jose-XPS-13-7390 audit[76598]: AVC apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“snap.snapcraft.snapcraft” pid=76598 comm=“apparmor_parser” Sep 06 19:31:13 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043073.132:433): apparmor=“STATUS” operation=“profile_load” label=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>//&:lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_:unconfined” name=“snap-update-ns.snapcraft” pid=76590 comm=“apparmor_parser” Sep 06 19:31:13 jose-XPS-13-7390 audit[76609]: AVC apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/run/systemd/unit-root/proc/" pid=76609 comm="(d-logind)" fstype=“proc” srcname=“proc” flags=“rw, nosuid, nodev, noexec” Sep 06 19:31:13 jose-XPS-13-7390 audit[76601]: AVC apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/run/systemd/unit-root/tmp/" pid=76601 comm="(crub_all)" flags=“rw, nosuid, remount, bind” Sep 06 19:31:13 jose-XPS-13-7390 audit[76622]: AVC apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/run/systemd/unit-root/proc/" pid=76622 comm="(ostnamed)" fstype=“proc” srcname=“proc” flags=“rw, nosuid, nodev, noexec” Sep 06 19:31:14 jose-XPS-13-7390 audit[76922]: AVC apparmor=“DENIED” operation=“mount” class=“mount” info=“failed flags match” error=-13 profile=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” name="/run/systemd/unit-root/proc/" pid=76922 comm="(imedated)" fstype=“proc” srcname=“proc” flags=“rw, nosuid, nodev, noexec” Sep 06 19:31:48 jose-XPS-13-7390 audit[78138]: AVC apparmor=“STATUS” operation=“profile_remove” profile=“unconfined” name=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” pid=78138 comm=“apparmor_parser” Sep 06 19:31:48 jose-XPS-13-7390 kernel: kauditd_printk_skb: 9 callbacks suppressed Sep 06 19:31:48 jose-XPS-13-7390 kernel: audit: type=1400 audit(1694043108.891:443): apparmor=“STATUS” operation=“profile_remove” profile=“unconfined” name=“lxd-snapcraft_snapcraft-jr-node-api-on-amd64-for-amd64-5243707_</var/snap/lxd/common/lxd>” pid=78138 comm=“apparmor_parser”

Any idea?

jperera · September 7, 2023, 12:43am

I solved the issue:

I needed to change the package.json to match the snap name.
I added the interfaces: plugs:
- network
- network-bind

ogra · September 7, 2023, 9:46am

To make this easier the next time, install the snappy-debug snap and run the same named tool from it alongside your snapped application… it will give you interface plug suggestions for your snapcraft.yaml