Suppressing AppArmor `DENIED` messages on Ubuntu Core

Hi all,

We’re looking for a way to suppress some expected DENIED messages to reduce logging load. An excerpt of a dmesg could look like:

Jan 26 21:49:39 linux audit[19931]: AVC apparmor="DENIED" operation="open" profile="snap.mir-kiosk.daemon" name="/run/udev/data/+acpi:LNXPWRBN:00" pid=19931 comm=4D69722F496E707574205265616465 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 26 21:49:39 linux audit[19931]: AVC apparmor="DENIED" operation="open" profile="snap.mir-kiosk.daemon" name="/run/udev/data/+acpi:LNXSYBUS:00" pid=19931 comm=4D69722F496E707574205265616465 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 26 21:49:39 linux audit[19931]: AVC apparmor="DENIED" operation="open" profile="snap.mir-kiosk.daemon" name="/run/udev/data/+acpi:LNXSYSTM:00" pid=19931 comm=4D69722F496E707574205265616465 requested_mask="r" denied_mask="r" fsuid=0 ouid=0

It’s not feasible to modify the software making those accesses, and it’s enumeration of input devices that causes those.

On Ubuntu Core, is there a (recommended?) way to suppress those denials?


I’ll let other people jump in for a snap-compliant solution, but as a quick workaround you should be able to temporarily disable the warnings by editing the apparmor profile in /var/lib/snapd/apparmor/profiles/snap.mir-kiosk.mir-kiosk and adding this line at the end (just before the last “}”):

deny /run/udev/data/+acpi:* r,

then, ask apparmor to reload the profile:

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.mir-kiosk.mir-kiosk

The next time you start the mir-kiosk, you should not see these warnings anymore (with no other behavioural changes, since the accesses are still denied). I hope that this works in Ubuntu Core too. :slight_smile:
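As an added example (not code from this thread): a small Python triage script that parses AVC `DENIED` lines like the ones quoted above, decodes the hex-encoded `comm` field, and proposes explicit `deny` rules only for paths hit repeatedly, so that a one-off denial for something unrelated is not silenced along with the enumeration noise. The fourth sample line and the heuristic of collapsing `/run/udev/data/+<subsystem>:<device>` into one glob are my assumptions, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's three lines plus one hypothetical denial that must stay separate.
SAMPLE_DMESG = """\
Jan 26 21:49:39 linux audit[19931]: AVC apparmor="DENIED" operation="open" profile="snap.mir-kiosk.daemon" name="/run/udev/data/+acpi:LNXPWRBN:00" pid=19931 comm=4D69722F496E707574205265616465 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 26 21:49:39 linux audit[19931]: AVC apparmor="DENIED" operation="open" profile="snap.mir-kiosk.daemon" name="/run/udev/data/+acpi:LNXSYBUS:00" pid=19931 comm=4D69722F496E707574205265616465 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 26 21:49:39 linux audit[19931]: AVC apparmor="DENIED" operation="open" profile="snap.mir-kiosk.daemon" name="/run/udev/data/+acpi:LNXSYSTM:00" pid=19931 comm=4D69722F496E707574205265616465 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 26 21:49:40 linux audit[19931]: AVC apparmor="DENIED" operation="open" profile="snap.mir-kiosk.daemon" name="/etc/hostname" pid=19931 comm=4D69722F496E707574205265616465 requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UDEV_DATA_RE = re.compile(r"^(/run/udev/data/\+[^:]+:).+$")  # +<subsystem>:<device>

def parse_avc(line):
    """Fields of one AVC DENIED line as a dict, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if key == "comm" and not quoted:
            # audit hex-encodes comm when it contains spaces or unusual bytes
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = quoted if quoted else bare
    return fields

def rule_pattern(path):  # collapse per-device udev entries into one glob (assumption)
    m = UDEV_DATA_RE.match(path)
    return m.group(1) + "*" if m else path

def candidate_deny_rules(log_text, min_hits=2):
    """Group denials by (profile, pattern, mask). Patterns hit >= min_hits times become
    explicit 'deny' rules (quiets the message, grants nothing); the rest are returned for review."""
    hits, comms = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f and "name" in f:
            key = (f["profile"], rule_pattern(f["name"]), f["denied_mask"])
            hits[key] += 1
            comms[key].add(f.get("comm", "?"))
    rules, review = [], []
    for key, n in sorted(hits.items()):
        profile, pattern, mask = key
        if n >= min_hits:
            rules.append(f"deny {pattern} {mask},  # {profile}: {n} hits, "
                         f"comm {'/'.join(sorted(comms[key]))}")
        else:
            review.append((profile, pattern, mask, n))
    return rules, review
```

Paste the returned rule lines just before the closing `}` of the profile as the answer above describes; the `review` list is what would still be audited.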

IIRC the hardware-observe interface allows reading these nodes (at least in sysfs and proc, but /run likely only has links to either) … try adding it …

If you really do get to the point where you just don’t want any denial messages on a system, you can use /sys/module/apparmor/parameters/audit, see https://github.com/snapcore/snapd/blob/master/interfaces/builtin/log_observe.go#L56-L65

Modifying apparmor profiles is ephemeral. They will be recreated on the next refresh of the snap. So this is a developer approach only.

Well, it’s not that we want to access those… it’s just we want to suppress those denials :). Reduce the noise, is all.

That’s a nuclear option, we’d rather just suppress specific denials :slight_smile:

I think we want to eventually allow folks to specify rules which should be silenced some way, but it will take a bit of time to design and implement a solution for this. Can you file an LP bug about this? We may even already have such a bug, I don’t know.

I do understand that, but today the only non-hackish way to do this on UC is to connect the interface that allows access … (and TBH I’d consider it rather a corner case that you get denials for something you do not want to actually access as well, most snaps actually want to access things they get denials for)

Well, any kind of enumeration will have this problem. But sure, that is a corner case.