Ubuntu Core 16.04 on Dell Edge GW - AppArmor denial of read of files in /sys/fs/cgroup/

I have not been able to find the required interface plug of system-files read setup to allow snap to run clean of the following:

= AppArmor =
Time: Mar 29 15:43:46
Log: apparmor="DENIED" operation="open" profile="snap.niagara.niagarad-service" name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us" pid=17914 comm="niagarad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us (read)
Suggestion:

  • adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us'

= AppArmor =
Time: Mar 29 15:43:46
Log: apparmor="DENIED" operation="open" profile="snap.niagara.niagarad-service" name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us" pid=17914 comm="niagarad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us (read)
Suggestion:

  • adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us'

= AppArmor =
Time: Mar 29 15:43:46
Log: apparmor="DENIED" operation="open" profile="snap.niagara.niagarad-service" name="/sys/fs/cgroup/cpu,cpuacct/cpu.shares" pid=17914 comm="niagarad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/cpu.shares (read)
Suggestion:

  • adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/cpu.shares'

Hello

There are no interfaces, at this time, that give access to cgroups. Can you please tell us more about what kind of interactions with cgroups are required by niagarad?

Any update on this? I currently get the following warning regarding memory.use_hierarchy.

Log: apparmor="DENIED" operation="open" profile="snap.epi-gateway.main" name="/sys/fs/cgroup/memory/memory.use_hierarchy" pid=19979 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

File: /sys/fs/cgroup/memory/memory.use_hierarchy (read)

Suggestion:

  • adjust program to not access '/sys/fs/cgroup/memory/memory.use_hierarchy'

There is still no generic interface allowing reading of cgroup data. Can you share details on the specific interaction with cgroups your program needs?

OK. I have not pinpointed exactly what part of my program needs this. I get the warning once on startup only. My program is a Java program which uses an underlying Preferences library.

@mborzecki
I have looked into this. The warning doesn't come from anything I am specifically doing in the application program. The warning is generated when java runs (but before my application main() gets to run). So the Java runtime environment is causing the confinement warning.
Any ideas for a workaround/solution?
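
For triaging denials like the ones quoted in this thread, here is an added example (not code from any poster or from snapd) that parses AppArmor DENIED records and lists, per profile, the /sys/fs/cgroup/ paths that were only ever denied a read. The function names are made up for this illustration, and the parser accepts both straight and typographic quotes because pasted logs often carry the latter.

```python
import re
from collections import defaultdict

# key="value" or bare key=value; also accepts the typographic quotes that
# forum software can substitute when a log line is pasted.
FIELD = re.compile(r'(\w+)=(?:["“”]([^"“”]*)["“”]|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = quoted or bare
        # The kernel hex-encodes a path containing spaces or quotes and logs it unquoted.
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None

def group_denials(lines):
    """Map profile -> {path: set of denied masks}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_denial(line)
        if rec and "profile" in rec and "name" in rec:
            grouped[rec["profile"]][rec["name"]].add(rec.get("denied_mask", ""))
    return grouped

def cgroup_read_only(grouped, profile):
    """Paths under /sys/fs/cgroup/ where the profile was only ever denied a read."""
    return sorted(p for p, masks in grouped[profile].items()
                  if p.startswith("/sys/fs/cgroup/") and masks == {"r"})

# Sample input: the first two records are from the thread (the first written with
# typographic quotes); the third is constructed to show a non-cgroup write denial.
SAMPLE = [
    'apparmor=“DENIED” operation=“open” profile=“snap.niagara.niagarad-service” name="/sys/fs/cgroup/cpu,cpuacct/cpu.shares" pid=17914 comm=“niagarad” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.epi-gateway.main" name="/sys/fs/cgroup/memory/memory.use_hierarchy" pid=19979 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.epi-gateway.main" name="/etc/example.conf" pid=19979 comm="java" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    grouped = group_denials(SAMPLE)
    for profile in sorted(grouped):
        print(profile, cgroup_read_only(grouped, profile))
```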