avahi-daemon label change breaks generated profiles

Bug #1879231 reported by Paul Collins
Affects: snapd (Ubuntu) | Status: In Progress | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

I've been working on snapping an app (shairport-sync) that uses Avahi. Currently on startup it's logging the following in the system logs, and is not showing up in avahi-browse:

type=USER_AVC msg=audit(1589774287.950:1675435): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3965241 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'

As an experiment I reinstalled my snap in devmode and got the following:

type=USER_AVC msg=audit(1589775249.321:1676149): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'

followed by lots of other happy-looking messages, e.g.:

type=USER_AVC msg=audit(1589775249.321:1676150): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.Avahi.Server" member="GetAPIVersion" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'

and my machine appeared in avahi-browse and was visible to my other mDNS devices. So the problem seems to be solely due to confinement.

In fact, the generated profile has the following:

    peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon}"),

but the denials have the following:

    peer_label="avahi-daemon"

so I suspect the avahi-daemon labelling has changed in Ubuntu (I'm running 20.04 LTS).
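The mismatch the report points at (the profile's `peer=(... label="{unconfined,/usr/sbin/avahi-daemon}")` rule against a `peer_label="avahi-daemon"` in the audit record) can be checked mechanically. The following is an added example, not code from the bug report or from snapd: it parses USER_AVC audit lines, expands the `{a,b}` alternation in an AppArmor `peer=(...)` rule, and reports every DENIED `dbus_method_call` whose `peer_label` the rule does not cover. The sample audit lines are the two quoted above; `PATCHED_RULE_ASSUMED` is my guess at what "allowing bare `avahi-daemon` as a label" looks like and is not the actual snapd change.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the DENIED line and the devmode ALLOWED line
# from the bug report, copied verbatim.
SAMPLE_AUDIT_LINES: List[str] = [
    "type=USER_AVC msg=audit(1589774287.950:1675435): pid=1759 uid=102 auid=4294967295 "
    "ses=4294967295 msg='apparmor=\"DENIED\" operation=\"dbus_method_call\" bus=\"system\" "
    "path=\"/\" interface=\"org.freedesktop.DBus.Peer\" member=\"Ping\" mask=\"send\" "
    "name=\"org.freedesktop.Avahi\" pid=3965241 label=\"snap.shairport-sync.shairport-sync\" "
    "peer_pid=2184133 peer_label=\"avahi-daemon\" exe=\"/usr/bin/dbus-daemon\" sauid=102 "
    "hostname=? addr=? terminal=?'",
    "type=USER_AVC msg=audit(1589775249.321:1676149): pid=1759 uid=102 auid=4294967295 "
    "ses=4294967295 msg='apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"system\" "
    "path=\"/\" interface=\"org.freedesktop.DBus.Peer\" member=\"Ping\" mask=\"send\" "
    "name=\"org.freedesktop.Avahi\" pid=3988011 label=\"snap.shairport-sync.shairport-sync\" "
    "peer_pid=2184133 peer_label=\"avahi-daemon\" exe=\"/usr/bin/dbus-daemon\" sauid=102 "
    "hostname=? addr=? terminal=?'",
]

# The peer rule quoted in the bug, verbatim.
PROFILE_RULE = 'peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon}"),'

# ASSUMPTION: what a rule that also accepts the bare "avahi-daemon" label
# would look like. Illustrative only; not the text of the snapd pull request.
PATCHED_RULE_ASSUMED = (
    'peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),'
)

# key="value" pairs inside the msg='...' payload (unquoted keys like pid=1759 are ignored).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# label="{a,b,c}" alternation inside a peer=(...) rule.
LABEL_ALT_RE = re.compile(r'label="\{([^}]*)\}"')
LABEL_SINGLE_RE = re.compile(r'label="([^"]*)"')


def parse_audit_fields(line: str) -> Dict[str, str]:
    """Return the quoted key="value" fields of one USER_AVC audit line."""
    return dict(FIELD_RE.findall(line))


def allowed_peer_labels(rule: str) -> Set[str]:
    """Expand the label= alternation of an AppArmor peer rule into a set of labels."""
    m = LABEL_ALT_RE.search(rule)
    if m:
        return {part.strip() for part in m.group(1).split(",") if part.strip()}
    m = LABEL_SINGLE_RE.search(rule)
    return {m.group(1)} if m else set()


def find_label_mismatches(lines: List[str], rule: str) -> List[Dict[str, str]]:
    """DENIED dbus_method_call records whose peer_label the rule does not list.

    ALLOWED records (e.g. from devmode) are skipped; they show the call would
    succeed once the label is covered, which is what the bug report observed.
    """
    allowed = allowed_peer_labels(rule)
    mismatches = []
    for line in lines:
        fields = parse_audit_fields(line)
        if fields.get("apparmor") != "DENIED":
            continue
        if fields.get("operation") != "dbus_method_call":
            continue
        if fields.get("peer_label") not in allowed:
            mismatches.append(fields)
    return mismatches


if __name__ == "__main__":
    for rule in (PROFILE_RULE, PATCHED_RULE_ASSUMED):
        print("rule allows peer labels:", sorted(allowed_peer_labels(rule)))
        for f in find_label_mismatches(SAMPLE_AUDIT_LINES, rule):
            print("  uncovered peer_label=%r for %s.%s from label=%r"
                  % (f["peer_label"], f["interface"], f["member"], f["label"]))
```

Run against a live system the same idea works on `journalctl -k` or `/var/log/audit/audit.log` output filtered for `apparmor="DENIED"`; the point of the check is that the label reported by the kernel (`peer_label`), not the binary path, is what the `peer=(... label=...)` rule has to match.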

Paul Collins (pjdc): description updated
Paul Collins (pjdc): summary changed: "avahi-control dbus permissions for Ping method need updating" → "avahi dbus permissions for Ping method need updating"
Paul Collins (pjdc): summary changed: "avahi dbus permissions for Ping method need updating" → "avahi-daemon label change break generated profiles"; description updated

Paul Collins (pjdc) wrote: Re: avahi-daemon label change break generated profiles

https://github.com/snapcore/snapd/pull/8713

Tested locally, and by allowing bare "avahi-daemon" as a label, my confined snap can register with Avahi and is visible across the network.

summary changed: "avahi-daemon label change break generated profiles" → "avahi-daemon label change breaks generated profiles"
Changed in snapd (Ubuntu): status: New → In Progress