With the candidate channel of the core snap (rev 3357), classic snaps that call other snaps (juju calling juju-wait and vice-versa, conjure-up calling lxd, etc.) are failing with: cannot apply seccomp profile: Invalid argument
Is this expected due to a security profile change, or is this a bug?
$ sudo dpkg --purge snapd
$ sudo apt install snapd
$ sudo snap install lxd
lxd 2.19 from 'canonical' installed
$ sudo snap install juju-wait --classic
$ which lxc
/snap/bin/lxc
$ lxc version
2.19
$ snap info core|grep installed
installed: 16-2.28.5 (3247) 87MB core
$ snap run --shell juju-wait
$ which lxc
/snap/bin/lxc
$ lxc version
2.19
$ exit
$ sudo snap refresh --channel=candidate core
2017-11-08T09:54:20+01:00 INFO Waiting for restart...
core (candidate) 16-2.29.2 from 'canonical' refreshed
$ which lxc
/snap/bin/lxc
$ lxc version
2.19
$ snap info core|grep installed
installed: 16-2.29.2 (3396) 87MB core
$ snap run --shell juju-wait
$ which lxc
/snap/bin/lxc
$ lxc version
2.19
with the same outcome, i.e. I failed to reproduce this. However I noticed that we have 2.29.2 in the candidate channel now, so it might be worth re-checking if the bug goes away if you refresh to that revision.
Thanks, you are right, I can reproduce it on 16.04-64. Interestingly it only fails when run as a regular user inside the namespace. When I run “sudo lxc version” the command succeeds.
It turns out this is a combination of a re-exec bug and a new feature in snapd in 2.29.
When snap run juju-wait is called, then this sets the SNAP_DID_REEXEC=1 environment. This means that inside the shell the “old” (what is installed from the deb) snap-confine is used to load the seccomp profile. However the profile for lxc is now “@unrestricted” which is not a valid bpf file. But the “new” snap-confine (from the core snap) understands it (but not the old).
So two ways to fix this:
a) unset SNAP_DID_REEXEC after checking that var
b) change the .bin file to not use @unrestricted but instead use a flag file (i.e. rework the mechanism)
Thanks again for raising this and for the excellent instructions on how to reproduce it! This is understood now and the following PR will fix it: https://github.com/snapcore/snapd/pull/4176 - this of course means we need a 2.29.3 release with this fix.
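The failure explained in the last reply, and fix (a), as a small runnable model. This is an added example, not snapd source and not part of the original posts: it assumes that an inherited SNAP_DID_REEXEC=1 makes the deb-installed snap binary skip the re-exec into the core snap, and every name in it other than SNAP_DID_REEXEC and "@unrestricted" is hypothetical.

```go
// Simplified model of the nested "snap run" described in this thread.
// Added example, not snapd source; function names are hypothetical.
package main

import (
	"errors"
	"fmt"
)

const reexecVar = "SNAP_DID_REEXEC"

// snapRun models one invocation that starts in the deb-installed snap binary.
// It returns whether the core snap's snap-confine was used, and the
// environment handed to the processes started inside the snap.
func snapRun(env map[string]string, unsetAfterCheck bool) (bool, map[string]string) {
	out := map[string]string{}
	for k, v := range env {
		out[k] = v
	}
	// Assumption: an inherited marker makes the deb binary skip the re-exec
	// into core, so the deb's (old) snap-confine is used.
	usedCore := out[reexecVar] != "1"
	if usedCore {
		out[reexecVar] = "1" // set just before re-executing into the core snap
	}
	if unsetAfterCheck {
		delete(out, reexecVar) // fix (a): do not leak the marker to children
	}
	return usedCore, out
}

// loadProfile models snap-confine reading the profile: only the core snap's
// snap-confine understands the "@unrestricted" marker.
func loadProfile(coreConfine bool, profile string) error {
	if profile == "@unrestricted" && !coreConfine {
		return errors.New("cannot apply seccomp profile: Invalid argument")
	}
	return nil
}

// nestedLxc models "snap run --shell juju-wait" followed by "lxc version".
func nestedLxc(unsetAfterCheck bool) error {
	_, shellEnv := snapRun(map[string]string{}, unsetAfterCheck)
	usedCore, _ := snapRun(shellEnv, unsetAfterCheck)
	return loadProfile(usedCore, "@unrestricted")
}

func main() {
	fmt.Println("without fix:", nestedLxc(false))
	fmt.Println("with fix (a):", nestedLxc(true))
}
```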