Ubuntu
snapd package

snapd and Ubuntu 20.04 nvidia triggers apparmor denials on 'sendmsg' name=/run/nvidia-xdriver-xxxx and @var/run/nvidia-xdriver-*

Bug #1862832 reported by Dan Ryan on 2020-02-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	snapd	Fix Released	Medium	Zygmunt Krynicki	snapd 2.43.3
	snapd (Ubuntu)	Triaged	Medium	Unassigned

Bug Description

As of yesterday, launching gui-enabled snaps reliably triggers apparmor denials communicating with nvidia drivers.

$ lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
Codename: focal

$ snap version
snap 2.43.2
snapd 2.43.2
series 16
ubuntu 20.04
kernel 5.4.0-12-generic

The denials look like the following:

Feb 11 02:27:47 utumno audit[855860]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" pid=855860 comm="simplenote" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 02:27:47 utumno audit[855860]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" name="/run/nvidia-xdriver-f8177d9f" pid=855860 comm="simplenote" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 02:27:47 utumno kernel: audit: type=1400 audit(1581406067.880:2542): apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" pid=855860 comm="simplenote" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 02:27:47 utumno kernel: audit: type=1400 audit(1581406067.880:2543): apparmor="DENIED" operation="sendmsg" profile="snap.simplenote.simplenote" name="/run/nvidia-xdriver-f8177d9f" pid=855860 comm="simplenote" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 10 19:31:58 utumno audit[484729]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=484729 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 10 19:31:58 utumno audit[484729]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=484729 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 10 19:31:58 utumno kernel: audit: type=1400 audit(1581381118.124:340): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=484729 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 10 19:31:58 utumno kernel: audit: type=1400 audit(1581381118.124:341): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=484729 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 13:08:13 utumno audit[1447768]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=1447768 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 13:08:13 utumno kernel: audit: type=1400 audit(1581444493.290:9448): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=1447768 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 13:08:13 utumno kernel: audit: type=1400 audit(1581444493.290:9449): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=1447768 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 13:08:13 utumno audit[1447768]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=1447768 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 13:59:41 utumno audit[1505247]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=1505247 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 13:59:41 utumno audit[1505247]: AVC apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=1505247 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
Feb 11 13:59:41 utumno kernel: audit: type=1400 audit(1581447581.792:10272): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" pid=1505247 comm="pomotroid" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
Feb 11 13:59:41 utumno kernel: audit: type=1400 audit(1581447581.792:10273): apparmor="DENIED" operation="sendmsg" profile="snap.pomotroid.pomotroid" name="/run/nvidia-xdriver-f8177d9f" pid=1505247 comm="pomotroid" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

Zygmunt Krynicki (zyga) on 2020-02-11

Changed in snapd (Ubuntu):
status:	New → Triaged
Changed in snapd:
status:	New → Triaged
importance:	Undecided → Medium
Changed in snapd (Ubuntu):
importance:	Undecided → Medium

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2020-02-11:

It looks like we need to adjust the policy to allow:

/run/nvidia-xdriver-* rw,
unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*),

I'm not sure if more is needed for the updated drivers.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2020-02-11:

Note, I found the unix path with:

$ aa-decode @7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000
String should only contain hex characters (0-9, a-f, A-F)

$ aa-decode 7661722F72756E2F6E76696469612D786472697665722D66383137376439660000000000000000000000000000000000000000000000000000000000000000
...
var/run/nvidia-xdriver-f8177d9f

So, prepending the '@', we have '@var/run/nvidia-xdriver-f8177d9f'

summary:

- Latest snapd triggers apparmor denials on 'sendmsg' name=/run/nvidia-
- xdriver-xxxx
+ snapd and Ubuntu 20.04 nvidia triggers apparmor denials on 'sendmsg'
+ name=/run/nvidia-xdriver-xxxx and @var/run/nvidia-xdriver-*

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2020-02-11:

I'll check it out on my hardware and send the patches.

Changed in snapd:
assignee:	nobody → Zygmunt Krynicki (zyga)

Zygmunt Krynicki (zyga) on 2020-02-12

Changed in snapd:
status:	Triaged → In Progress

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2020-02-12:

I've reproduced the issue:

lut 12 11:55:46 fx kernel: audit: type=1400 audit(1581504946.015:53): apparmor="DENIED" operation="sendmsg" profile="snap.ohmygiraffe.ohmygiraffe" pid=6127 comm="love" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr="@7661722F72756E2F6E76696469612D786472697665722D39646461393234640000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
lut 12 11:55:46 fx kernel: audit: type=1400 audit(1581504946.015:54): apparmor="DENIED" operation="sendmsg" profile="snap.ohmygiraffe.ohmygiraffe" name="/run/nvidia-xdriver-9dda924d" pid=6127 comm="love" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

I've applied a patch similar to what Jamie suggested and re ran the application. There were no more denials reported:

This is now fixed in https://github.com/snapcore/snapd/pull/8122

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2020-02-12:

Thanks! (re 'similar to'> yes, I had a typo :)

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2020-02-12:

This is now targeting 2.43 point release.

Changed in snapd:
milestone:	none → 2.43.3
status:	In Progress → Fix Committed

Revision history for this message

Dan Ryan (techalchemy) wrote on 2020-02-12:

thanks for the quick fixes!

Zygmunt Krynicki (zyga) on 2020-02-13

Changed in snapd:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntusnapd package

snapd and Ubuntu 20.04 nvidia triggers apparmor denials on 'sendmsg' name=/run/nvidia-xdriver-xxxx and @var/run/nvidia-xdriver-*

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
snapd package