Request autoconnect of account-control for MicroK8s

Hi all,

Could we please have account-control auto-connect for MicroK8s? Denials such as the following are reported in a number of operations performed. Here it is sed that needs to update a file and is given the CAP_FSETID capability.

= AppArmor =
Time: Mar 17 18:02:33
Log: apparmor="DENIED" operation="capable" profile="snap.microk8s.microk8s" pid=811763 comm="sed" capability=4  capname="fsetid"
Capability: fsetid
Suggestions:
* adjust program to not require 'CAP_FSETID' (see 'man 7 capabilities')
* add one of 'account-control' to 'plugs'
* do nothing if program otherwise works properly

= AppArmor =
Time: Mar 17 18:02:34
Log: apparmor="DENIED" operation="capable" profile="snap.microk8s.microk8s" pid=811848 comm="sed" capability=4  capname="fsetid"
Capability: fsetid
Suggestions:
* adjust program to not require 'CAP_FSETID' (see 'man 7 capabilities')
* add one of 'account-control' to 'plugs'
* do nothing if program otherwise works properly
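An added example, not part of the original thread and not snapd or MicroK8s code: a small parser that collapses repeated AppArmor capability denials like the two above into distinct (profile, command, capability) needs, so a reviewer can see how many separate permissions are actually being requested. The function names are hypothetical; the sample lines are copied from the post.

```python
import re
from collections import Counter

# The two denial lines quoted in the post above, including the "Log: " prefix.
SAMPLE_LOG = '''\
Log: apparmor="DENIED" operation="capable" profile="snap.microk8s.microk8s" pid=811763 comm="sed" capability=4  capname="fsetid"
Log: apparmor="DENIED" operation="capable" profile="snap.microk8s.microk8s" pid=811848 comm="sed" capability=4  capname="fsetid"
'''

# key="quoted value" or key=bare_value
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: bare or quoted for key, quoted, bare in _FIELD.findall(line)}


def snap_name(profile):
    """Snap profiles are named snap.<snap>.<app>; return <snap> or None."""
    parts = profile.split(".")
    return parts[1] if len(parts) >= 3 and parts[0] == "snap" else None


def capability_denials(log_text):
    """Count denied capability checks per (profile, comm, CAP_NAME).

    pid and timestamp are ignored on purpose: they differ on every
    occurrence and hide the fact that the underlying need is the same.
    """
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "capable":
            continue  # not a capability denial
        cap = "CAP_" + f.get("capname", "unknown").upper()
        counts[(f.get("profile"), f.get("comm"), cap)] += 1
    return counts


if __name__ == "__main__":
    for (profile, comm, cap), n in capability_denials(SAMPLE_LOG).items():
        print(f"{snap_name(profile)}: {comm} denied {cap} x{n} ({profile})")
```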

I was going to try and suggest that granting auto-connect of account-control seemed like too much privilege just to get capability fsetid; however, given microk8s is already super-privileged and currently we don’t have any better option to easily get this capability (other than perhaps adding it to some existing super-privileged interface like docker-support?), then I think this is reasonable.

+1 from me for auto-connect of account-control for microk8s (although I would be interested to know what @mvo perhaps thinks re the suggestion to either expand some existing interface with this capability OR perhaps to add a microk8s-support interface?)

I agree with Alex here, account-control is not ideal but, given the alternatives, probably the best option (at least for now). I feel slightly uneasy adding it to something like docker-support if it’s not strictly needed, and adding microk8s-support may make sense in the long run but seems a bit much for just this one line.

So in summary +1 from me as well for auto-connect of account-control for microk8s.

+2 votes for, 0 votes against, granting auto-connect of account-control for microk8s. This is now live.
