/run/mount/utab under strict confinemet

federico · March 17, 2021, 2:21pm

Hi, I’m trying to run an application under strict confinement

When running it I got an error for “/etc/fstab” but I solved it creating a dummy fstab and adding a layout like this:

/etc/fstab:
bind-file: $SNAP/etc/fstab

Now I have the same problem with /run/mount/utab:

apparmor=“DENIED” operation=“open” profile=“snap.sublime-text.sublime-text” name="/etc/fstab" pid=129758 comm=“sublime_text” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
apparmor=“DENIED” operation=“open” profile=“snap.sublime-text.sublime-text” name="/run/mount/utab" pid=129758 comm=“sublime_text” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0

How can I create a private utab file for the snap ? As I cannot create a bind-file layout on /run (error when doing this is “layout “/run/mount/utab” defines a new top-level directory “/run””)

Thanks!

ogra · March 17, 2021, 2:49pm

i think the mount-observe interface might help here …

federico · March 17, 2021, 3:26pm

Using mount-observe gives the same error and closes:

apparmor=“DENIED” operation=“open” profile=“snap.sublime-text.sublime-text” name="/run/mount/utab" pid=168521 comm=“sublime_text” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0

ogra · March 17, 2021, 3:31pm

ah, sorry, i was wrong it is in udisks2

github.com

snapcore/snapd/blob/master/interfaces/builtin/udisks2.go#L103


umount /{,run/}media/**,
# This should probably be patched to use $SNAP_DATA/run/...
/run/udisks2/{,**} rw,
# udisksd execs mount/umount to do the actual operations
/bin/mount ixr,
/bin/umount ixr,
# mount/umount (via libmount) track some mount info in these files
/run/mount/utab* wrlk,
# Udisks2 needs to read the raw device for partition information. These rules
# give raw read access to the system disks and therefore the entire system.
/dev/sd* r,
/dev/mmcblk* r,
/dev/vd* r,
# Needed for probing raw devices
capability sys_rawio,
`

mount-observe gives read access to /etc/fstab though

federico · March 17, 2021, 3:37pm

Is there something else I can try or implement and test ?

The udisks2 interface gives access to the entire system:

Udisks2 needs to read the raw device for partition information. These rules

give raw read access to the system disks and therefore the entire system.

/dev/sd* r,
/dev/mmcblk* r,
/dev/vd* r,

ogra · March 17, 2021, 3:39pm

i dont think there is any other way …

federico · March 17, 2021, 5:07pm

Hi, I added and connected mount-observe and udisks2 but I still get the same error:

server:~/snapcrafters/sublime-text$ sudo snap connections sublime-text
Interface      Plug                        Slot                            Notes
dbus           -                           sublime-text:dbus-sublime-text  -
desktop        sublime-text:desktop        :desktop                        -
mount-observe  sublime-text:mount-observe  :mount-observe                  manual
udisks2        sublime-text:udisks2        :udisks2                        manual
x11            sublime-text:x11            :x11                            -

audit[195692]: AVC apparmor=“DENIED” operation=“open” profile=“snap.sublime-text.sublime-text” name="/run/mount/utab" pid=195692 comm=“sublime_text” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1616000706.650:88434): apparmor=“DENIED” operation=“open” profile=“snap.sublime-text.sublime-text” name="/run/mount/utab" pid=195692 comm=“sublime_text” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0

federico · March 17, 2021, 6:48pm

I’m looking at the file in /var/lib/snapd/apparmor/profiles/snap.sublime-text.sublime-text and I don’t find any mention to /run/mount/utab as show on udisks2 interface code after connecting the interface!