strict snap run from classic snap can't write to filesystem

Bug #1835805 reported by Ian Johnson
This bug affects 6 people
Affects: snapd
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

Haven't yet made a minimal reproducer without the docker snap, but for the time being it is reproducible with the docker snap on disco:

1. install the docker snap
2. install a classic snap (i.e. snapcraft)
3. start a new shell in the classic snap
4. create a docker container with the docker snap and get the ID
5. try exporting the rootfs of that docker container to a file

See:

```
$ snap install docker
$ snap install snapcraft --classic
$ snap run --shell snapcraft
$ echo $SNAP
/snap/snapcraft/3059
$ which docker
/snap/bin/docker
$ ID=$(docker create hello-world)
$ docker export $ID > rootfs.tgz
write /dev/stdout: permission denied
```

The following denials show up:

```
Jul 08 10:20:18 audit[40194]: AVC apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=40194 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 08 10:20:18 kernel: audit: type=1400 audit(1562599218.618:787): apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=40194 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 08 10:20:18 audit[40194]: AVC apparmor="DENIED" operation="file_inherit" profile="snap.docker.docker" name="/apparmor/.null" pid=40194 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Jul 08 10:20:18 kernel: audit: type=1400 audit(1562599218.622:788): apparmor="DENIED" operation="file_inherit" profile="snap.docker.docker" name="/apparmor/.null" pid=40194 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Jul 08 10:25:47 audit[41151]: AVC apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=41151 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 08 10:25:47 kernel: audit: type=1400 audit(1562599547.189:789): apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=41151 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
```

Doing the same steps outside of a classic snap shell works as expected:

```
$ which docker
/snap/bin/docker
$ echo $SNAP

$ ID=$(docker create hello-world)
$ docker export $ID > rootfs.tgz
$ file rootfs.tgz
rootfs.tgz: POSIX tar archive
$
```
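A small triage helper for the denials quoted above, added here as an example and not part of the bug report or of snapd: it parses AppArmor audit lines into key/value fields, collapses the duplicate journald/kernel copies of each event, and groups DENIED file_inherit events by the confining profile, so it is visible which hop in the classic shell -> snap-confine -> strict snap chain refused the redirected stdout. The sample lines are copied from this report (plus the unix-socket variant from a later comment); the function names are my own.

```python
import re

# Sample input: audit lines from this bug report. Each event is logged twice
# (a journald "AVC" line and a "kernel: audit:" line); the last line is the
# dmesg-style unix-socket denial from a comment further down the thread.
SAMPLE_LOG = """\
Jul 08 10:20:18 audit[40194]: AVC apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=40194 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 08 10:20:18 kernel: audit: type=1400 audit(1562599218.618:787): apparmor="DENIED" operation="file_inherit" profile="/snap/core/7270/usr/lib/snapd/snap-confine" name="/home/user/rootfs.tgz" pid=40194 comm="snap-confine" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jul 08 10:20:18 audit[40194]: AVC apparmor="DENIED" operation="file_inherit" profile="snap.docker.docker" name="/apparmor/.null" pid=40194 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Jul 08 10:20:18 kernel: audit: type=1400 audit(1562599218.622:788): apparmor="DENIED" operation="file_inherit" profile="snap.docker.docker" name="/apparmor/.null" pid=40194 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
[329584.830660] audit: type=1400 audit(1565382151.152:4651): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" pid=1032 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def fd_target(ev):
    """Name the inherited object: a path for files, family:type for sockets."""
    return ev.get('name') or '%s:%s' % (ev.get('family'), ev.get('sock_type'))


def file_inherit_denials(log_text):
    """Collect DENIED file_inherit events, de-duplicating the journald/kernel
    copies of the same event on (pid, profile, target, denied_mask)."""
    seen = {}
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get('apparmor') != 'DENIED':
            continue
        if ev.get('operation') != 'file_inherit':
            continue
        key = (ev.get('pid'), ev['profile'], fd_target(ev), ev.get('denied_mask'))
        seen.setdefault(key, ev)
    return list(seen.values())


def summarize(log_text):
    """Map each confining profile to the (target, denied_mask) pairs it refused."""
    out = {}
    for ev in file_inherit_denials(log_text):
        out.setdefault(ev['profile'], []).append((fd_target(ev), ev['denied_mask']))
    return out
```

Feed it `journalctl -k` or `dmesg` output to see, per profile, which inherited descriptors a snap launch lost; for the report above it is the user's redirect target under snap-confine and the `/apparmor/.null` replacement fd under the strict snap's profile.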

Julian Andres Klode (juliank) wrote :

I'm seeing this when trying to use the go snap with the code snap:

```
[329584.830660] audit: type=1400 audit(1565382151.152:4651): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" pid=1032 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none
```

This happens when the go tool is run on save in Visual Studio Code (and then nothing happens, /snap/bin/go just exits doing nothing), but it does not happen when running it inside snap --shell code.

Zygmunt Krynicki (zyga) wrote :

The bug report is very detailed and I recognise the denial. I would like to raise the risk of this bug interfering with the use of IDEs-as-snaps calling toolchains-as-snaps. I think it requires a discussion with Jamie about how we can address this.

Changed in snapd:
status: New → Triaged
importance: Undecided → High
Ian Johnson (anonymouse67) wrote :

IIUC, for the go snap with the code snap, that is the same problem as https://forum.snapcraft.io/t/snapd-2-32-breaks-live-server-installer/4597, which I don't think can be fixed anytime soon.

However, this bug about classic -> strict could be from the same thing; it is still unclear to me.

Jamie Strandboge (jdstrand) wrote :

https://bugs.launchpad.net/bugs/1849753 has some ideas on how to resolve this.
