Snap no longer has write permission

I’m trying to update the Node-RED snap to use nodejs14 - but when it runs the same code as under node10 we get a write permissions error

11 Feb 08:55:59 - [warn] Error saving flows: EPERM: operation not permitted, copyfile '/root/snap/node-red/671/flows.json' -> '/root/snap/node-red/671/.flows.json.backup'

11 Feb 08:55:59 - [warn] Error: EPERM: operation not permitted, copyfile '/root/snap/node-red/671/flows.json' -> '/root/snap/node-red/671/.flows.json.backup'

The node10 version is in the node-red stable channel and the node14 version is in the beta channel. The env var SNAP_USER_DATA=/root/snap/node-red/671 is set, so why can the snap running as root no longer write to its own directory?

repo is here if it helps -

Interesting. Can you attach the last 100 lines of dmes when the problem happens? Also which version of snapd is the system running (the output of snap version) and what is the output of snap debug sandbox-features

Given how the error message is worded, I suspect it’s using something like uv_fs_copyfile which tries copy_file_range under the hood, where the latter is not allowed in the seccomp template.


snap version
snap    2.48.3+20.04
snapd   2.48.3+20.04
series  16
ubuntu  20.04
kernel  5.4.0-65-generic
snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging

by dmes do you mean dmesg ?

[   39.946396] kauditd_printk_skb: 21 callbacks suppressed
[   39.946399] audit: type=1400 audit(1613035828.412:33): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.node-red" pid=1342 comm="apparmor_parser"
[   40.113441] audit: type=1400 audit(1613035828.582:34): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.node-red.desktop-launch" pid=1343 comm="apparmor_parser"
[   40.132140] audit: type=1400 audit(1613035828.602:35): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.node-red.npm" pid=1345 comm="apparmor_parser"
[   40.136908] audit: type=1400 audit(1613035828.606:36): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.node-red.node-red" pid=1344 comm="apparmor_parser"
[   42.841780] audit: type=1400 audit(1613035831.342:37): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/snapd/11036/usr/lib/snapd/snap-confine" pid=1410 comm="apparmor_parser"
[   42.841793] audit: type=1400 audit(1613035831.342:38): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/snapd/11036/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1410 comm="apparmor_parser"
[   42.872969] audit: type=1400 audit(1613035831.371:39): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.node-red" pid=1412 comm="apparmor_parser"
[   43.139175] audit: type=1400 audit(1613035831.641:40): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.node-red.node-red" pid=1414 comm="apparmor_parser"
[   43.147434] audit: type=1400 audit(1613035831.649:41): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.node-red.npm" pid=1415 comm="apparmor_parser"
[   43.177002] audit: type=1400 audit(1613035831.682:42): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.node-red.desktop-launch" pid=1413 comm="apparmor_parser"
[  137.464683] audit: type=1326 audit(1613035926.046:43): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1445 comm="node" exe="/snap/node-red/671/bin/node" sig=0 arch=c000003e syscall=326 compat=0 ip=0x7f9b7acc6639 code=0x50000
[  139.686392] audit: type=1326 audit(1613035928.266:44): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1445 comm="node" exe="/snap/node-red/671/bin/node" sig=0 arch=c000003e syscall=326 compat=0 ip=0x7f9b7acc6639 code=0x50000

Thanks, as I suspected:

[  139.686392] ... comm="node" exe="/snap/node-red/671/bin/node"

When resolved:

$ scmp_sys_resolver 326

I’ll prepare a PR with a fix. In the meantime, you can try to reinstall the snap in devmode, or patch the profile manually by editing /var/lib/snapd/seccomp/bfp/snap.node-red.node-red.src, adding copy_file_range, and then compiling it by calling sudo /usr/lib/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bfp/snap.node-red.node-red.{src,bin}.
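An added example, not from the thread or from snapd: a small Python script that parses dmesg seccomp audit lines like the ones above (type=1326), decodes the arch and the seccomp action from code=, and maps syscall 326 on x86_64 to copy_file_range. The syscall table is deliberately limited to the number this thread discusses (scmp_sys_resolver covers the rest), and the sample lines are copied from the thread.

```python
import re

# AUDIT_ARCH_* values as they appear in arch=; small constructed subset.
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000028: "arm", 0xC00000B7: "aarch64"}

# SECCOMP_RET_* actions; the kernel logs only the action part in code=.
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_ACTIONS = {
    0x00000000: "kill_thread", 0x80000000: "kill_process", 0x00030000: "trap",
    0x00050000: "errno", 0x7FF00000: "trace", 0x7FC00000: "user_notif",
    0x7FFC0000: "log", 0x7FFF0000: "allow",
}

# Only the syscall this thread is about; extend from scmp_sys_resolver output.
SYSCALL_NAMES = {"x86_64": {326: "copy_file_range"}}

AUDIT_RE = re.compile(
    r'type=1326 .*?pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)" exe="(?P<exe>[^"]+)"'
    r'.*?arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+).*?code=0x(?P<code>[0-9a-f]+)'
)

# Sample input copied from the dmesg excerpt in this thread (one non-seccomp line included).
SAMPLE_DMESG = """\
[   43.177002] audit: type=1400 audit(1613035831.682:42): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.node-red.desktop-launch" pid=1413 comm="apparmor_parser"
[  137.464683] audit: type=1326 audit(1613035926.046:43): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1445 comm="node" exe="/snap/node-red/671/bin/node" sig=0 arch=c000003e syscall=326 compat=0 ip=0x7f9b7acc6639 code=0x50000
[  139.686392] audit: type=1326 audit(1613035928.266:44): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1445 comm="node" exe="/snap/node-red/671/bin/node" sig=0 arch=c000003e syscall=326 compat=0 ip=0x7f9b7acc6639 code=0x50000
"""


def parse_denial(line):
    """Return a decoded dict for a seccomp (type=1326) audit line, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    arch = AUDIT_ARCH.get(int(m["arch"], 16), "unknown")
    nr = int(m["nr"])
    action = SECCOMP_ACTIONS.get(int(m["code"], 16) & SECCOMP_RET_ACTION_FULL, "unknown")
    name = SYSCALL_NAMES.get(arch, {}).get(nr, f"syscall_{nr}")
    return {"pid": int(m["pid"]), "comm": m["comm"], "exe": m["exe"],
            "arch": arch, "syscall": nr, "name": name, "action": action}


def summarize(dmesg_text):
    """Count denials per (exe, arch, syscall name, action)."""
    counts = {}
    for line in dmesg_text.splitlines():
        d = parse_denial(line)
        if d is not None:
            key = (d["exe"], d["arch"], d["name"], d["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def denied_syscalls(dmesg_text):
    """Syscall names that seccomp answered with errno: candidates for the .src profile."""
    return sorted({k[2] for k, _ in summarize(dmesg_text).items() if k[3] == "errno"})


if __name__ == "__main__":
    for (exe, arch, name, action), n in summarize(SAMPLE_DMESG).items():
        print(f"{exe} [{arch}] {name}: {action} x{n}")
```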

err - not sure what that means… I use the online snapcraft tool to build everything.
How long will it take for the patch to filter through to there?
(not a desperate problem as node10 in stable is ok for a while yet)

EDIT - aha - yes found them under …/bpf/… and yes now works locally - Thanks. Will wait for snapcraft fix before updating stable.


The PR with the fix is up: cc @alexmurray

Once it lands, it should be available in snapd edge the following day at the latest. We have just released 2.49, but there will likely be 2.49.1 and I’ll make sure that it includes the fix too.


OK - many thanks for the speedy resolution.

@mborzecki I am also facing the same issue once I changed confinement to strict from devmode. And it’s a custom node-red snap. As you pointed out, I was checking the logs and saw the same syscall.

[13613.009389] audit: type=1326 audit(1613327523.042:11612): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=27448 comm="node" exe="/snap/xxxxx-node-red/x1/xxxxx-node-red/bin/node" sig=0 arch=c000003e syscall=326 compat=0 ip=0x7f0924231639 code=0x50000

Any idea when the fix would land in the Ubuntu 18.04 repos?

it actually seems to have landed as:

so the snapd in the edge channel should have it, just switch to it with

sudo snap refresh --edge snapd

and you should have the feature available for testing …