Seccomp error calling snap from another (classic) snap on core candidate

cory_fu · November 7, 2017, 11:35pm

With the candidate channel of the core snap (rev 3357), classic snaps that call other snaps (juju calling juju-wait and vice-versa, conjure-up calling lxd, etc) are failing with: cannot apply seccomp profile: Invalid argument

Is this expected due to a security profile change, or is this a bug?

Full test:

[johnsca@murdoch:~] -:- $ which lxc
/snap/bin/lxc
[johnsca@murdoch:~] -:- $ lxc version
2.19
[johnsca@murdoch:~] -:- $ snap info core
name:      core
summary:   snapd runtime environment
publisher: canonical
contact:   snappy-canonical-storeaccount@canonical.com
description: |
  The core runtime environment for snapd
type:        core
snap-id:     99T7MUlRhtI3U0QFgl5mXXESAiSwt776
tracking:    stable
installed:   16-2.28.5 (3247) 87MB core
refreshed:   2017-10-16 08:49:58 -0400 EDT
channels:
  stable:    16-2.28.5 (3247) 87MB -
  candidate: 16-2.29   (3357) 87MB -
  beta:      16-2.29.2 (3396) 87MB -
  edge:      16-2.29.2 (3417) 87MB -
[johnsca@murdoch:~] -:- $ snap run --shell juju-wait
[johnsca@murdoch:~] -:- $ which lxc
/snap/bin/lxc
[johnsca@murdoch:~] -:- $ lxc version
2.19
[johnsca@murdoch:~] -:- $ exit
[johnsca@murdoch:~] -:- 5s $ snap switch --channel=candidate core && snap refresh core
"core" switched to the "candidate" channel
core (candidate) 16-2.29 from 'canonical' refreshed
[johnsca@murdoch:~] -:- 6s 1 $ snap info core
name:      core
summary:   snapd runtime environment
publisher: canonical
contact:   snappy-canonical-storeaccount@canonical.com
description: |
  The core runtime environment for snapd
type:        core
snap-id:     99T7MUlRhtI3U0QFgl5mXXESAiSwt776
tracking:    candidate
installed:   16-2.29 (3357) 87MB core
refreshed:   2017-10-30 14:50:43 -0400 EDT
channels:
  stable:    16-2.28.5 (3247) 87MB -
  candidate: 16-2.29   (3357) 87MB -
  beta:      16-2.29.2 (3396) 87MB -
  edge:      16-2.29.2 (3417) 87MB -

[johnsca@murdoch:~] -:- 11s $ snap run --shell juju-wait
[johnsca@murdoch:~] -:- $ which lxc
/snap/bin/lxc
[johnsca@murdoch:~] -:- $ lxc version
cannot apply seccomp profile: Invalid argument
[johnsca@murdoch:~] -:- 1 $ exit

mvo · November 8, 2017, 8:52am

Thanks for your problem report. I just tried to reproduce it on my 2.29.2 system but things work for me:

$ which lxc
/snap/bin/lxc
$ lxc version
2.19
$ snap info core|grep installed
installed:   16-2.29.2 (3396) 87MB core
$ snap run --shell juju-wait
$ which lxc
/snap/bin/lxc
$ lxc version
2.19

However this was while already on a 2.29.2 system. I will try to refresh from stable to candidate now.

mvo · November 8, 2017, 8:58am

I just tried it again, doing:

$ sudo dpkg --purge snapd
$  sudo apt install snapd
$ sudo snap install lxd
lxd 2.19 from 'canonical' installed
$ sudo snap install juju-wait --classic
$ which lxc
/snap/bin/lxc
$ lxc version
2.19
$ snap info core|grep installed
installed:   16-2.28.5 (3247) 87MB core
$ snap run --shell juju-wait
$ which lxc
/snap/bin/lxc
$ lxc version
2.19
$ exit
$ sudo snap refresh --channel=candidate core
2017-11-08T09:54:20+01:00 INFO Waiting for restart...
core (candidate) 16-2.29.2 from 'canonical' refreshed
$ which lxc
/snap/bin/lxc
$ lxc version
2.19
$ snap info core|grep installed
installed:   16-2.29.2 (3396) 87MB core
$ snap run --shell juju-wait
$ which lxc
/snap/bin/lxc
$  lxc version
2.19

with the same outcome, i.e. I failed to reproduce this. However I noticed that we have 2.29.2 in the candidate channel now, so it might be worth re-checking if the bug goes away if you refresh to that revision.

galgalesh · November 8, 2017, 10:34am

The bug is still present with the latest revision of the core snap, but I can’t reproduce it either on my Ubuntu 17.10.

Might this be something 14.04/16.04-specific?

galgalesh · November 8, 2017, 12:06pm

Yep, just tested it on a 14.04 virtual machine, I can reproduce the issue.

osboxes@osboxes:~$ sudo snap refresh --channel=candidate core
[sudo] password for osboxes: 
core (candidate) 16-2.29.2 from 'canonical' refreshed
osboxes@osboxes:~$ snap info core|grep installed
installed:   16-2.29.2 (3396) 87MB core
osboxes@osboxes:~$ snap run --shell juju-wait
osboxes@osboxes:~$ which lxc
/snap/bin/lxc
osboxes@osboxes:~$ lxc version
cannot apply seccomp profile: Invalid argument

mvo · November 8, 2017, 2:31pm

Thanks, you are right, I can reproduce it on 16.04-64. Interestingly it only fails when run as a regular user inside the namespace. When I run “sudo lxc version” the command succeeds.

mvo · November 8, 2017, 3:05pm

It turns out this is a combination of a re-exec bug and a new feature in snapd in 2.29.

When snap run juju-wait is called, then this sets the SNAP_DIDREXEC=1 environment. This means that inside the shell the “old” (what is installed from the deb) snap-confine is used to load the seccomp profile.However the profile for lxc is nowdas “@unrestricted” which is not a valid bpf file. But the “new” snap-confine (from the core snap) understands it (but not the old).

So two ways to fix this:
a) unset SNAP_DID_REEXEC after checking that var
b) change the .bin file to not use @unrestricted but instead use a flag file (i.e. rework the mechanism)

mvo · November 8, 2017, 4:37pm

Thanks again for raising this and for the excellent instructions how to reproduce it! This is understood now and the following PR will fix it: https://github.com/snapcore/snapd/pull/4176 - this of course means we need a 2.29.3 release with this fix.

cory_fu · November 9, 2017, 9:31pm

Just checking in to confirm that 2.29.3 (beta, snap 3440) seems to have fixed this. Thanks!

mvo · November 10, 2017, 1:13pm

Thanks for testing and confirming the fix!