So this is a tough one. The denied messages are due to a difference in running the application in the container vs. running it on a host. Certain files are being passed into the container from a separate namespace and the profile is not set up to deal with this. Unfortunately this is not currently handled well; there is work to improve both mapping and delegation around this but atm the only solution at this point is for the snap profile to be given the permissions necessary to work under both environments.

Despite LXD setting up an apparmor policy namespace the container environment is not entirely transparent to the apparmor policy within the container. So without having looked at 24.04 my guess is that either LXD changed something in the environment setup or that snap's profile has been updated.

--
You received this bug notification because you are a member of AppArmor Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2049099

Title: AppArmor blocking snap install nested in LXD container

Status in snapd: New

Bug description:

##### Context

I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps.

##### Issue

When I try to do this, I get a bunch of AppArmor violations that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use-case, that isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look. If any additional information is needed I'd be more than happy to provide.
###### `snappy-debug` journalctl logs

##### A rough grab from dmesg

```
~ ❯ sudo journalctl --output=short --follow --all | sudo snappy-debug
kernel.printk_ratelimit = 0
= AppArmor =
Time: Jan 09 17:50:55
Log: apparmor="DENIED" operation="open" class="file" profile="snap.juju.juju" name="/var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem" pid=8866 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)

= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9458 comm="snap-confine" family="netlink" sock_type="raw" protocol=15 requested_mask="send receive" denied_mask="send receive"
Suggestion:
* add one of 'account-control, hardware-observe, kernel-crypto-api, network-control, network-observe, raw-input, unity7, x11' to 'plugs'

= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap-update-ns.lxd" name="/apparmor/.null" pid=9478 comm="6" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
File: /apparmor/.null (write)
Suggestion:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.install" name="/apparmor/.null" pid=9458 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
File: /apparmor/.null (write)
Suggestion:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9525 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive"

= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
File: /apparmor/.null (write)
Suggestion:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=9525 comm="aa-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
File: /apparmor/.null (write)
Suggestion:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
```

##### Snapd installed using

- https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd

##### `juju-db` snap

- https://github.com/juju/juju-db-snap/tree/5.3

##### `usr.lib.snapd.snap-confine` default on Arch, in case it's useful

https://pastebin.com/M5t6gySa

##### Reproduce Steps

Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled:

```bash
cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd
makepkg -si
sudo systemctl enable --now snapd.socket
# log-out, log-in
sudo snap install lxd --channel latest/edge
lxd init --auto
sudo snap install juju --channel 3.3/stable
juju bootstrap localhost lh --debug --bootstrap-timeout=180
# check snappy-debug or dmesg for AppArmor denials
```

To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/2049099/+subscriptions
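
A triage sketch for denial logs like the ones in this report, added here as an example (it is not code from snapd, LXD or AppArmor): it parses `apparmor=` audit records, drops the `STATUS` noise, and groups `DENIED` records so that `file_inherit` denials raised inside the LXD policy namespace stand apart from host-side ones. The bucket names and the `classify` heuristic are assumptions of this example; the sample records are taken from this bug report.

```python
import re
from collections import Counter

# key="quoted value" or key=bare_value, as used in type=1400 audit records
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample records taken from the bug report (one STATUS, four DENIED).
SAMPLE = """
[  411.882088] audit: type=1400 audit(1704822630.613:257): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.snappy-debug" pid=8545 comm="apparmor_parser"
[  436.594532] audit: type=1400 audit(1704822655.326:273): apparmor="DENIED" operation="open" class="file" profile="snap.juju.juju" name="/var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem" pid=8866 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  442.313495] audit: type=1400 audit(1704822661.046:324): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9458 comm="snap-confine" family="netlink" sock_type="raw" protocol=15 requested_mask="send receive" denied_mask="send receive"
[  442.886474] audit: type=1400 audit(1704822661.616:329): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[  442.886479] audit: type=1400 audit(1704822661.616:330): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
"""


def parse_record(line):
    """Return the AppArmor fields of one log line as a dict, or None."""
    start = line.find("apparmor=")
    if start < 0:
        return None  # bridge/veth messages, NOHZ warnings, etc.
    # Parse only from apparmor= onwards so the "audit(...)" prefix is skipped.
    return {key: quoted or bare
            for key, quoted, bare in _FIELD.findall(line[start:])}


def classify(rec):
    """Bucket a DENIED record. Heuristic assumed by this example only."""
    # An fd inherited by a process confined inside a policy namespace:
    # the pattern the reply attributes to objects passed into the container.
    if rec.get("operation") == "file_inherit" and "namespace" in rec:
        return "inherited-across-namespace"
    # A host file reached through snapd's hostfs mount.
    if rec.get("name", "").startswith("/var/lib/snapd/hostfs/"):
        return "hostfs-path"
    return "other"


def summarize(lines):
    """Count DENIED records, keyed by
    (bucket, namespace, profile, operation, target, denied_mask)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        # File denials carry name=; socket denials carry family=/sock_type=.
        target = rec.get("name") or f"{rec.get('family')}/{rec.get('sock_type')}"
        counts[(classify(rec),
                rec.get("namespace", "(host)"),
                rec.get("profile"),
                rec.get("operation"),
                target,
                rec.get("denied_mask"))] += 1
    return counts


def report(lines):
    """Render the summary as sorted, human-readable lines."""
    out = []
    for key, n in sorted(summarize(lines).items()):
        bucket, ns, profile, op, target, mask = key
        out.append(f"{n}x [{bucket}] ns={ns} profile={profile} "
                   f"op={op} target={target} denied={mask}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE.splitlines())))
```

On a live system the same functions can be fed the lines of `journalctl -k` or `dmesg` output instead of `SAMPLE`.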