[regression?] 3.1.5 DENIES bind mounts

Bug #2023814 reported by Michael Vogt
This bug affects 3 people
Affects: AppArmor | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

In our snapd tests we noticed that with 3.1.5 on arch we now get new denials:
"""
$ spread -debug -v google:arch-linux-64:tests/regression/lp-1803535
...
+ test-snapd-lp-1803535.sh -c /bin/true
cannot update snap namespace: cannot create writable mimic over "/etc": permission denied
snap-update-ns failed with code 1

# dmesg
[ 808.531909] audit: type=1400 audit(1686759578.010:158): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.test-snapd-lp-1803535" name="/tmp/.snap/etc/" pid=14529 comm="5" srcname="/etc/" flags="rw, rbind"

# grep .snap/etc /var/lib/snapd/apparmor/profiles/snap-update-ns.test-snapd-lp-1803535
  "/tmp/.snap/etc/" rw,
  mount options=(rw, rbind) "/etc/" -> "/tmp/.snap/etc/",
"""

Revision history for this message
John Johansen (jjohansen) wrote :

this is turning out to be more complicated than expected.

what is the kernel version, and can you attach the full profile.

John Johansen (jjohansen) wrote :

Note: I have now run millions of variations/combinations of mount tests around this rule, and have not been able to replicate the failure.

John Johansen (jjohansen) wrote :

the suse version of this bug has more activity https://bugzilla.opensuse.org/show_bug.cgi?id=1211989

it looks like more than one issue, from there. Comment #12 aligns with this report. But there are other 3.1.5 failures around mount, where there is no mount rule in the profile. So the access denials would be expected.

Could some of this be an issue with how snapd is detecting if apparmor supports a given mount rule.

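The distinction drawn in the comment above (a denial with no covering mount rule is expected; a denial despite a covering rule is the regression this report is about) can be checked mechanically. The following triage script is an added example written for this page, not code from snapd or AppArmor. It parses `apparmor="DENIED" operation="mount"` audit records and the `mount ...` rules of the named profile, then labels each denial. Its matching is a deliberate simplification assumed here, not AppArmor's real semantics: a rule matches when its source and destination globs match the record and every flag in the record appears in the rule's `options=(...)` set; `fstype=` is parsed but ignored, and the `options in (...)` form is not handled. The first audit record and profile excerpt are the ones quoted in the bug description; the other two records and the profiles `snap.example.hook.configure` and `snap-update-ns.example` are constructed.

```python
"""Sort AppArmor mount denials into "no rule covers it" (expected) and
"a rule covers it, yet it was denied" (the symptom in this report).
Matching is a simplification assumed by this example, not AppArmor's real
semantics: a rule matches when its source and destination globs match the
audit record and every flag in the record is in the rule's options set."""
import re

# key=value and key="value" pairs of an audit record
AUDIT_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# mount [fstype=(...)] [options=(...)] [source] [-> dest],
# fstype is captured but ignored below; "options in (...)" is not handled.
MOUNT_RULE = re.compile(
    r'^\s*mount\b(?:\s+fstype=\(([^)]*)\))?(?:\s+options=\(([^)]*)\))?'
    r'(?:\s+("[^"]*"|[^\s,"]+))?(?:\s*->\s*("[^"]*"|[^\s,"]+))?\s*,\s*$')


def glob_to_regex(glob):
    """AppArmor path glob (**, *, ?, {a,b}) to an anchored regex; assumes commas only occur inside {}."""
    table = {'**': '.*', '*': '[^/]*', '?': '[^/]', '{': '(', '}': ')', ',': '|'}
    parts = re.split(r'(\*\*|[*?{},])', glob)
    return re.compile(''.join(table.get(p, re.escape(p)) for p in parts) + r'\Z')


def parse_audit(line):
    """Fields of a DENIED mount record (flags as a set), or None for any other line."""
    rec = {}
    for key, raw, _ in AUDIT_KV.findall(line):
        rec[key] = raw[1:-1] if raw.startswith('"') else raw
    if rec.get('apparmor') != 'DENIED' or rec.get('operation') != 'mount':
        return None
    rec['flags'] = {f.strip() for f in rec.get('flags', '').split(',') if f.strip()}
    return rec


def parse_mount_rule(text):
    """Parts of one profile mount rule, or None if the line is not a mount rule."""
    m = MOUNT_RULE.match(text)
    if not m:
        return None
    _fstype, options, src, dst = m.groups()
    as_set = lambda s: None if s is None else {x.strip() for x in s.split(',') if x.strip()}
    unquote = lambda s: s.strip('"') if s else None
    return {'options': as_set(options), 'src': unquote(src), 'dst': unquote(dst)}


def rule_matches(rule, denial):
    """Simplified match: globs on srcname/name, and the record's flags are a subset of options."""
    if rule['src'] and not glob_to_regex(rule['src']).match(denial.get('srcname', '')):
        return False
    if rule['dst'] and not glob_to_regex(rule['dst']).match(denial.get('name', '')):
        return False
    return rule['options'] is None or denial['flags'] <= rule['options']


def triage(audit_lines, profiles):
    """profiles maps profile name to profile text; returns (profile, dest, verdict) per denial."""
    results = []
    for line in audit_lines:
        d = parse_audit(line)
        if d is None:
            continue
        rules = [r for r in map(parse_mount_rule, profiles.get(d['profile'], '').splitlines()) if r]
        if not rules:
            verdict = 'expected: profile has no mount rules'
        elif any(rule_matches(r, d) for r in rules):
            verdict = 'suspect: a mount rule covers this mount, yet it was denied'
        else:
            verdict = 'expected: no mount rule covers this mount'
        results.append((d['profile'], d.get('name'), verdict))
    return results


# Sample input: the first record and profile excerpt are the ones quoted in the bug
# description; the other two denials and profiles are constructed for this example.
SAMPLE_DENIALS = [
    '[ 808.531909] audit: type=1400 audit(1686759578.010:158): apparmor="DENIED" '
    'operation="mount" class="mount" info="failed mntpnt match" error=-13 '
    'profile="snap-update-ns.test-snapd-lp-1803535" name="/tmp/.snap/etc/" '
    'pid=14529 comm="5" srcname="/etc/" flags="rw, rbind"',
    'audit: type=1400 audit(1686759600.000:159): apparmor="DENIED" operation="mount" '
    'class="mount" info="failed mntpnt match" error=-13 profile="snap.example.hook.configure" '
    'name="/snap/example/1/data-dir/themes/" srcname="/snap/gtk-common-themes/1535/'
    'share/themes/Radiance/" flags="ro, bind"',
    'audit: type=1400 audit(1686759601.000:160): apparmor="DENIED" operation="mount" '
    'class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.example" '
    'name="/tmp/.snap/etc/" srcname="/etc/" flags="rw, rbind"',
]
SAMPLE_PROFILES = {  # the constructed profiles have no mount rule, or one for another destination
    'snap-update-ns.test-snapd-lp-1803535': '  "/tmp/.snap/etc/" rw,\n'
        '  mount options=(rw, rbind) "/etc/" -> "/tmp/.snap/etc/",\n',
    'snap.example.hook.configure': '  /snap/example/1/data-dir/themes/ rw,\n',
    'snap-update-ns.example': '  mount options=(rw, rbind) "/etc/" -> "/tmp/.snap/usr/",\n',
}

if __name__ == '__main__':
    for profile, dest, verdict in triage(SAMPLE_DENIALS, SAMPLE_PROFILES):
        print(f'{profile}: {dest}: {verdict}')
```

Run against a real host, feed it `dmesg` (or the audit log) and the generated profiles under /var/lib/snapd/apparmor/profiles/; only the "suspect" verdicts point at a parser or kernel problem, the "expected" ones are a snapd profile-generation or feature-detection question, which is the split the comment above asks for.
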
Tilman Blumenbach (tblue) wrote :

Looks like I too have this issue, on Arch Linux:

- AppArmor version: 3.1.5
- snapd version: 2.60
- Kernel: Linux h2g2-42 6.3.8-arch1-1 #1 SMP PREEMPT_DYNAMIC Wed, 14 Jun 2023 20:10:31 +0000 x86_64 GNU/Linux
- Affected snaps: spotify (revision 67)

When I do "snap install spotify", I get:

================================

error: cannot perform the following tasks:
- Run configure hook of "spotify" snap if present (run hook "configure":
-----
ha-dark-sea none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Matcha-sea /snap/spotify/67/data-dir/themes/Matcha-sea none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-compact /snap/spotify/67/data-dir/themes/Materia-compact none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-dark-compact /snap/spotify/67/data-dir/themes/Materia-dark-compact none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-dark /snap/spotify/67/data-dir/themes/Materia-dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-light-compact /snap/spotify/67/data-dir/themes/Materia-light-compact none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia-light /snap/spotify/67/data-dir/themes/Materia-light none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Materia /snap/spotify/67/data-dir/themes/Materia none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Radiance /snap/spotify/67/data-dir/themes/Radiance none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/themes/Radiant-MATE /snap/spotify/67/data-dir/themes/Radiant-MATE none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/themes": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/s...

Tilman Blumenbach (tblue) wrote :

In comment #4, I promised to attach the AppArmor profile for the spotify snap.

However, I of course could not even install the snap with AppArmor 3.1.5 (and thus there was no profile for the snap), so I downgraded to AppArmor 3.1.3, installed the snap, and then again upgraded to AppArmor 3.1.5.

Now, with the snap installed, I get:

============================

% /var/lib/snapd/snap/bin/spotify
update.go:85: cannot change mount namespace according to change mount (/snap/gnome-3-38-2004/140 /snap/spotify/67/gnome-platform none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Adwaita /snap/spotify/67/data-dir/icons/Adwaita none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/icons": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Ambiant-MATE /snap/spotify/67/data-dir/icons/Ambiant-MATE none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/icons": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Breeze_Snow /snap/spotify/67/data-dir/icons/Breeze_Snow none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/icons": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/DMZ-Black /snap/spotify/67/data-dir/icons/DMZ-Black none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/icons": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/DMZ-White /snap/spotify/67/data-dir/icons/DMZ-White none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/icons": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/HighContrast /snap/spotify/67/data-dir/icons/HighContrast none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/icons": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Humanity-Dark /snap/spotify/67/data-dir/icons/Humanity-Dark none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/icons": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Humanity /snap/spotify/67/data-dir/icons/Humanity none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/icons": permission denied
update.go:85: cannot change mount namespace according to change mount (/snap/gtk-common-themes/1535/share/icons/Papirus-Adapta-Maia /snap/spotify/67/data-dir/icons/Papirus-Adapta-Maia none bind,ro 0 0): cannot create writable mimic over "/snap/spotify/67/data-dir/icons": permission denied
u...

Tilman Blumenbach (tblue) wrote :

And finally, here are the AppArmor profiles for comment #5.

I wasn't sure what to attach exactly, so the tarball contains the following files:

-rw-r--r-- root/root 40058 2023-06-17 16:11 var/lib/snapd/apparmor/profiles/snap.spotify.hook.configure
-rw-r--r-- root/root 67863 2023-06-17 16:11 var/lib/snapd/apparmor/profiles/snap.spotify.spotify
-rw-r--r-- root/root 90655 2023-06-17 16:15 var/lib/snapd/apparmor/profiles/snap-update-ns.spotify
-rw-r--r-- root/root 66270 2023-06-17 16:24 tmp/snap.spotify.hook.configure.with_includes
-rw-r--r-- root/root 109519 2023-06-17 16:24 tmp/snap.spotify.spotify.with_includes
-rw-r--r-- root/root 100603 2023-06-17 16:24 tmp/snap-update-ns.spotify.with_includes

Michael Vogt (mvo) wrote :

There is upstream work in https://gitlab.com/apparmor/apparmor/-/merge_requests/1054 going on it seems.

Changed in apparmor:
status: New → In Progress
John Johansen (jjohansen) wrote :

We have a fix https://gitlab.com/apparmor/apparmor/-/merge_requests/1054

the opensuse people have been testing, and verified it works for them (see bug link in comment 3). Upstream will roll a new release asap.

John Johansen (jjohansen) wrote :

AppArmor 3.1.6 with the fix for this has been released upstream. https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.6

Changed in apparmor:
status: In Progress → Fix Released