[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04

2024-05-01 Thread John Johansen
So while I don't think we are where snapd can get rid of the snap-confine.internal snippets, with it now vendoring a more recent apparmor, a lot of these can drop away. It doesn't need to detect capabilities anymore. It can just specify deny capability perfmon, and it will work, for all

[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04

2024-05-01 Thread John Johansen
@neigin: yes the capability to resolve this exists. So now it is a matter of getting it functioning in snapd for these cases. This will get resolved I just can't say when it will land. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04

2024-05-01 Thread Nigel Reed
Is this ever going to be resolved? I'm tired of seeing these apparmor DENIED messages in my syslog. [Wed May 1 10:33:40 2024] audit: type=1400 audit(1714577621.012:30): apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/21465/usr/lib/snapd/snap-confine" pid=6126

[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04

2022-04-05 Thread Jamie Strandboge
The fsetid is actually quite old (at least 3 years; there may have been a Trello card for it). At one point it came in and I did analysis and tweaked the order of the priv dropping in snap-confine to get rid of it. Then some stuff was added to snap-confine and it came back. I always had it as a

[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04

2022-04-05 Thread Alex Murray
Thanks for the heads up @jdstrand - I am seeing this too - I also have one more - fsetid: $ journalctl -b0 -t audit --grep DENIED.*snap-confine Apr 06 08:48:06 graphene audit[3733]: AVC apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=3733 comm="snap-confine"

[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04

2022-04-05 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: snapd (Ubuntu) Status: New => Confirmed -- https://bugs.launchpad.net/bugs/1967884 Title:

[Bug 1967884] Re: several snap-confine denials for capability net_admin and perfmon on 22.04

2022-04-05 Thread Jamie Strandboge
** Summary changed: - several snap-confine denials for capability net_admin on 22.04 + several snap-confine denials for capability net_admin and perfmon on 22.04 ** Description changed: I recently upgraded to 22.04 and started seeing denials like: - Apr 5 08:57:39 localhost kernel: [