Ubuntu
snapd package

  1. Bug #1991691
  2. Comment #32

Comment 32 for bug 1991691

Revision history for this message
John Johansen (jjohansen) wrote :

we do have several apparmor denials in there but none of them are directly related to namespace creation. I have pasted then below just to make sure they don't disappear when the pastebin is reaped. It is possible that one of these denials is blocking the creation of a namespace if its calling a function that setups the namespace to fail before doing the actual namespace creation but I think this unlikely just because the paths don't line up with /run/user/

More concerning is
[ 58.869512] kauditd_printk_skb: 66 callbacks suppressed

which means we are missing some messages. Generally setting /proc/sys/kernel/printk_ratelimit to 0 will fix this and let us get most if not all of the missing messages if the test is rerun.
ie.
  echo 0 > /proc/sys/kernel/printk_ratelimit
  rerun test
  grab log

[ 58.869517] audit: type=1400 audit(1675757852.408:120): apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=1986 comm="snap-confine" capability=12 capname="net_admin"
[ 58.869556] audit: type=1400 audit(1675757852.408:121): apparmor="DENIED" operation="capable" class="cap" profile="/usr/lib/snapd/snap-confine" pid=1986 comm="snap-confine" capability=38 capname="perfmon"
[ 58.891561] audit: type=1400 audit(1675757852.428:122): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/meta/snap.yaml" pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 58.893320] audit: type=1400 audit(1675757852.432:123): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/etc/apparmor.d/cache/" pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 58.923054] audit: type=1400 audit(1675757852.460:124): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/usr/local/share/fonts/" pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 58.923069] audit: type=1400 audit(1675757852.460:125): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/usr/local/share/" pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 58.925563] audit: type=1400 audit(1675757852.464:126): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/var/lib/snapd/hostfs/usr/share/fonts/" pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 58.972193] audit: type=1400 audit(1675757852.508:127): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/usr/local/share/fonts/" pid=2003 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 59.020734] audit: type=1400 audit(1675757852.561:128): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/meta/snap.yaml" pid=2009 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 59.021624] audit: type=1400 audit(1675757852.561:129): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.slack" name="/etc/apparmor.d/cache/" pid=2009 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0