Post-refresh hook generating a confinement warning

jenny.murphy · September 15, 2021, 12:19pm

Hi, I have a post-refresh hook in place for my snap. It generates the following strict confinement warning:

Log: apparmor=“ALLOWED” operation=“capable” info=“optional: no audit” error=-1 profile=“snap.epi-zaphost.hook.post-refresh” pid=31521 comm=“snap-exec” capability=12 capname=“net_admin”

Capability: net_admin

Suggestions:

adjust program to not require ‘CAP_NET_ADMIN’ (see ‘man 7 capabilities’)

add one of ‘bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control’ to ‘plugs’

do nothing if using systemd utility (eg, timedatectl): Managing time, date and timezone in Ubuntu Core - #44 by jdstrand

do nothing (Bug #1465724 “net_admin apparmor denial when using Go” : Bugs : Snappy)

I removed everything from my post refresh hook script but it seems just the presence of the script causes the warning. Is there a known issue here? Because the operation is ALLOWED does it mean I can ignore it?

lucyllewy · September 16, 2021, 9:08pm

I don’t have an answer right now, but it might help others who read this post for you to paste the output from:

sudo snap version
sudo snap debug confinement, and
sudo snap debug sandbox-features

These should help understand the state of your system and which OS you’re running. When pasting, add triple backtics (```) above and below the paste so that the formatting is preserved (though these particular pastes shouldn’t need that)

jenny.murphy · September 17, 2021, 11:10am

I build my snap with confinement:strict in the snapcraft.yaml file. I install my snap with --devmode and it is in this way I receive the warning. If I install my snap with --dangerous I do not receive the warning.

Here is the requested information:

**ubuntu@ubuntu**:**~/INSTALL**$ sudo snap version

snap 2.51.4

snapd 2.51.4

series 16

ubuntu 20.04

kernel 5.4.0-1042-raspi

ubuntu@ubuntu:~/INSTALL$ sudo snap debug confinement
strict

ubuntu@ubuntu:~/INSTALL$ sudo snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging

ogra · September 17, 2021, 11:53am

yes, you can, you asked it to allow it when installing with the --devmode switch … if it does not produce any error without --devmode this is just some log spam from apparmors audit mode but not doing any harm.

jenny.murphy · September 17, 2021, 12:03pm

ok, good to know, thank you