Hi @alexmurray,
I’ve updated the snapcraft.yml file for strict confinement here. It seems to be working, but I think it’s a bit slower than the classic confinement version. (I’ll test more.)
Also, I’ve seen the following logs, which may require additional work:
dmesg output:
[ 7673.324075] audit: type=1400 audit(1595368559.575:1897): apparmor="STATUS" operation="profile_load" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.afda02b0.sshfs_server" pid=32154 comm="apparmor_parser"
[ 7673.330162] audit: type=1400 audit(1595368559.583:1898): apparmor="DENIED" operation="open" profile="multipass.snapcraft-gradle.afda02b0.sshfs_server" name="/etc/ssh/ssh_config" pid=32155 comm="sshfs_server" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 7673.428358] audit: type=1400 audit(1595368559.683:1899): apparmor="STATUS" operation="profile_remove" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.afda02b0.sshfs_server" pid=32157 comm="apparmor_parser"
[ 7689.307011] audit: type=1400 audit(1595368575.559:1912): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/snap/core/9665/usr/share/locale/tr/LC_MESSAGES/snappy.mo" pid=32418 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319583] audit: type=1400 audit(1595368575.571:1913): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319586] audit: type=1400 audit(1595368575.571:1914): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319588] audit: type=1400 audit(1595368575.571:1915): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319589] audit: type=1400 audit(1595368575.571:1916): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319590] audit: type=1400 audit(1595368575.571:1917): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319592] audit: type=1400 audit(1595368575.571:1918): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319593] audit: type=1400 audit(1595368575.571:1919): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319595] audit: type=1400 audit(1595368575.571:1920): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319608] audit: type=1400 audit(1595368575.571:1921): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 8336.806554] audit: type=1400 audit(1595369223.059:1959): apparmor="STATUS" operation="profile_remove" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.qemu-system-x86_64" pid=925 comm="apparmor_parser"
[ 8337.000054] audit: type=1400 audit(1595369223.251:1962): apparmor="STATUS" operation="profile_load" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.qemu-system-x86_64" pid=1004 comm="apparmor_parser"
Some additional logs from snappy-debug:
= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/snap/core/9665/usr/share/locale/tr/LC_MESSAGES/snappy.mo" pid=31060 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /snap/core/9665/usr/share/locale/tr/LC_MESSAGES/snappy.mo (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes'
= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'
= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us'
= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares'
= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'
= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us'
= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares'
= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes'
= Seccomp =
Time: Jul 22 00:42:00
Log: auid=987201431 uid=987201431 gid=987200513 ses=3 pid=31117 comm=6A6172207472616E73666F726D7320 exe="/snap/gradle/x7/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" sig=0 arch=c000003e 93(fchown) compat=0 ip=0x7f4c7e252527 code=0x50000
Syscall: fchown
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'fchown'
* ignore the denial if the program otherwise works correctly (unconditial chown is often just noise)
= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes'
= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'
= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us'
= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares'
= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'
= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us'
= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares'
= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes'
= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'
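Added example (not code from the post above, from snapd, snappy-debug or the gradle snap): a small Python triage script for audit records of the kind quoted in this post. It splits each line into its key="value" fields, counts every distinct AppArmor denial by profile, operation, path and denied mask so the repeated JVM reads of the same cgroup file collapse into one entry, decodes the hex-encoded `comm` on the seccomp record (audit hex-encodes `comm` when it contains a space or control byte), and labels where each denied path lives. The `SAMPLE` records are a constructed subset copied from the post; the `locate()` labels, the `triage()`/`report()` names and the acceptance of both snappy-debug's `93(fchown)` form and the raw `syscall=93` form are this example's own assumptions.

```python
"""Triage AppArmor / seccomp audit records such as the ones quoted above.

Added example (not code from the post, snapd, snappy-debug or the gradle snap).
Assumptions: records are dmesg-style key="value" lines; snappy-debug's
"93(fchown)" syscall form and the raw "syscall=93" form are both accepted.
"""
import re
from collections import Counter

# Constructed sample: a subset of the records from the post above (the seccomp
# line is the raw "Log:" text that snappy-debug printed).
SAMPLE = """\
[ 7673.330162] audit: type=1400 audit(1595368559.583:1898): apparmor="DENIED" operation="open" profile="multipass.snapcraft-gradle.afda02b0.sshfs_server" name="/etc/ssh/ssh_config" pid=32155 comm="sshfs_server" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 7689.307011] audit: type=1400 audit(1595368575.559:1912): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/snap/core/9665/usr/share/locale/tr/LC_MESSAGES/snappy.mo" pid=32418 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319583] audit: type=1400 audit(1595368575.571:1913): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319586] audit: type=1400 audit(1595368575.571:1914): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319608] audit: type=1400 audit(1595368575.571:1921): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 8337.000054] audit: type=1400 audit(1595369223.251:1962): apparmor="STATUS" operation="profile_load" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.qemu-system-x86_64" pid=1004 comm="apparmor_parser"
auid=987201431 uid=987201431 gid=987200513 ses=3 pid=31117 comm=6A6172207472616E73666F726D7320 exe="/snap/gradle/x7/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" sig=0 arch=c000003e 93(fchown) compat=0 ip=0x7f4c7e252527 code=0x50000
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SYSCALL_RE = re.compile(r"syscall=(\d+)|\b(\d+)\((\w+)\)")


def decode_comm(value):
    """audit prints comm as hex when it contains a space or a control byte."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("ascii", errors="replace").rstrip("\x00")
    return value


def parse_record(line):
    """Map key=value pairs of one record; only an unquoted comm can be hex."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        else:
            fields[key] = decode_comm(bare) if key == "comm" else bare
    return fields


def syscall_of(line):
    """Syscall name from '93(fchown)', or 'syscall N' from a raw record."""
    m = SYSCALL_RE.search(line)
    if not m:
        return None
    return m.group(3) or "syscall " + m.group(1)


def locate(path):
    """Label where a denied path lives; the labels are this example's own."""
    if path.startswith("/sys/fs/cgroup/"):
        return "host cgroup file (JVM container-awareness probe)"
    if path.startswith("/snap/core/"):
        return "core base snap"
    if path.startswith(("/snap/", "/var/snap/")):
        return "snap-owned path"
    return "host path outside the snap"


def triage(lines):
    """Collapse repeated AppArmor denials and pull out the seccomp records."""
    denials, seccomp, status = Counter(), [], 0
    for line in lines:
        f = parse_record(line)
        if f.get("apparmor") == "DENIED":
            key = (f["profile"], f["operation"], f.get("name", "?"), f.get("denied_mask", "?"))
            denials[key] += 1
        elif f.get("apparmor") == "STATUS":
            status += 1  # profile load/remove notices, not denials
        elif "arch" in f and "comm" in f:  # seccomp (type=1326) record
            seccomp.append((f["comm"], f.get("exe", "?"), syscall_of(line)))
    return {"denials": denials, "seccomp": seccomp, "status": status}


def report(lines):
    """One line per distinct denial, with its count and location label."""
    r = triage(lines)
    out = [f"{r['status']} profile load/remove notices ignored"]
    for (profile, op, path, mask), n in sorted(r["denials"].items()):
        out.append(f"{n:3d}x {profile}: {op} {path} [{mask}] -> {locate(path)}")
    for comm, exe, sc in r["seccomp"]:
        out.append(f"seccomp: {sc!r} by comm={comm!r} exe={exe}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE.splitlines()))
```

Run it against `dmesg | grep audit` or the `Log:` lines snappy-debug prints; the decoded `comm` for the fchown record comes out as `jar transforms `, which is the Gradle worker's thread name rather than a binary, so the denial belongs to the JVM in `exe=` and not to a separate helper.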