Trouble mounting tmpfs from snap

Hello,

I am trying to mount a tmpfs from within my snap. Ideally, this would occur during the install hook. For development purposes, the snap just provides a simple script that calls mount. I would like to mount the directory with read/write permissions at $SNAP_COMMON/.

So far, I have been unsuccessful. I am curious if anyone has any ideas as to why. The failure seems to be due to an apparmor policy. The mount command is correct as I can run it as sudo outside of my snap without any issues. The error at the terminal is:

mount: /var/snap/snapa/common/mymount: tmpfs is write-protected but explicit read-write mode requested.

In the systemd journal, I find that the following audit logs exist:

May 15 07:10:47 jtompkins-virtual-machine audit[669957]: AVC apparmor="DENIED" operation="capable" class="cap" profile="snap.snapa.domount" pid=669957 comm="do_mount" capability=2  capname="dac_read_search"
May 15 07:10:47 jtompkins-virtual-machine audit[669995]: AVC apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap.snapa.domount" name="/var/snap/snapa/common/mymount/" pid=669995 comm="mount" fstype="tmpfs" srcname="tmpfs"

My snapcraft.yaml is as follows (minus some of the package description information):

...
plugs:
  mntctl:
    interface: mount-control
    auto-connection: true
    mount:
      - what: none
        where: $SNAP_COMMON/mymount
        options: [rw]
        type: [tmpfs]

apps:
  domount:
    command: bin/do_mount
    plugs: [ home, mntctl ]

hooks:
  configure:
    plugs: [mntctl]
  install:
    plugs: [mntctl]

parts:
  do-mount-part:
    plugin: dump
    source: .
    organize:
      do_mount: bin/do_mount
...

My do_mount script is very simple:

#!/bin/bash

MOUNT_POINT="$(snapctl get mount.point)"

# snapctl is-connected reports the result through its exit status and prints
# nothing, so test the command itself rather than its (always empty) output.
EXISTENCE_STRING="DOES NOT EXIST"
if snapctl is-connected mntctl ; then
    EXISTENCE_STRING="EXISTS"
fi
echo "Connection to mount-control $EXISTENCE_STRING"

if [ ! -d "$MOUNT_POINT" ] ; then
    echo "Creating $MOUNT_POINT"
    mkdir -p "$MOUNT_POINT"
    chmod 775 "$MOUNT_POINT"
fi

mount -t tmpfs -v -o size=10M,mode=0775 -w tmpfs "$MOUNT_POINT"

Finally, I have a simple default-configuration hook that looks like the following:

#!/bin/bash

snapctl set mount.point="$SNAP_COMMON/mymount"

This error is occurring after manually connecting my snapa:mntctl plug to the :mount-control slot. Running snap connections snapa shows that they are indeed connected.

Thank you in advance.

After digging into the apparmor profile found at /var/lib/snapd/apparmor/profiles/snap.snapa.domount, I learned that the problem was not the snapcraft.yaml configuration but the invocation of the mount command in my do_mount script. In the definition of the mntctl plug in my snapcraft.yaml, the what key of the mount-control interface is forced to be “none” for tmpfs type mounts. It turns out that this finds its way directly into the apparmor profile. The invocation of a tmpfs mount must then specify “none” as the device. For example:

mount -t tmpfs -o size=10M,mode=0775 -w none /var/snap/snapa/common/mymount

Once I swapped in the “none” to replace the “tmpfs” in the do_mount script, it worked.

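As an added example (not the original poster's do_mount script), here is a version of the mount step with the fix applied: the source passed to mount is the literal "none" that the plug's what key is forced to, the plug connection is checked through the exit status of snapctl is-connected rather than its output, and the result is verified against the kernel's mount table instead of trusting mount's exit code. It assumes the same plug name (mntctl) and mount point ($SNAP_COMMON/mymount) as above; the MOUNT_BIN override is a convention of this example so the mount invocation can be dry-run outside a snap.

```shell
#!/bin/bash
# Added example, not the original poster's do_mount script. Assumes the plug
# is named mntctl and the mount point is $SNAP_COMMON/mymount, as in the post;
# MOUNT_BIN is this example's own hook for dry runs (MOUNT_BIN=echo).
set -u

# Run the mount invocation the mount-control rule permits for a tmpfs: the
# source must be the literal "none" that the plug's `what` key was forced to,
# not "tmpfs", or apparmor rejects it with "failed mntpnt match".
mount_tmpfs() {
    local where="$1" size="${2:-10M}" mode="${3:-0775}"
    "${MOUNT_BIN:-mount}" -t tmpfs -o "size=${size},mode=${mode}" -w none "$where"
}

# Succeed only if WHERE is listed as a tmpfs in the mount table (default:
# /proc/self/mounts); a file in the same format can be passed for offline checks.
is_tmpfs_mounted() {
    local where="$1" table="${2:-/proc/self/mounts}"
    awk -v where="$where" \
        '$2 == where && $3 == "tmpfs" { found = 1 } END { exit !found }' "$table"
}

main() {
    local where="${SNAP_COMMON}/mymount"

    # snapctl is-connected signals the result via its exit status and prints
    # nothing, so test the command directly instead of wrapping it in [ $(...) ].
    if ! snapctl is-connected mntctl; then
        echo "plug mntctl is not connected to :mount-control" >&2
        return 1
    fi

    if is_tmpfs_mounted "$where"; then
        echo "$where is already a tmpfs mount"
        return 0
    fi

    mkdir -p "$where"
    chmod 775 "$where"

    if ! mount_tmpfs "$where" 10M 0775; then
        # A wrong source (e.g. "tmpfs") fails here; the apparmor DENIED record
        # lands in the systemd journal, not in mount's own error message.
        echo "mount of $where failed; check the journal for apparmor DENIED entries" >&2
        return 1
    fi

    # Confirm the kernel actually sees the mount, not just that mount exited 0.
    is_tmpfs_mounted "$where" && echo "mounted tmpfs at $where"
}

# Only run inside the snap runtime (where SNAP_COMMON and snapctl exist); when
# sourced elsewhere the functions above remain available on their own.
if [ -n "${SNAP_COMMON:-}" ]; then
    main "$@"
fi
```

Run it as the snap's app or from the install hook exactly as do_mount was; outside a snap, `MOUNT_BIN=echo` shows the argv that would reach mount, which is a quick way to confirm the source is "none" before chasing apparmor denials in the journal.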