apparmor="DENIED" operation="open" profile="snap.lxd.daemon" and comm="snap-confine" entries

jobenvil · January 30, 2022, 4:37pm

grep -i apparmor /var/log/kern.log

...
Jan 30 17:08:58 arkanoid kernel: [454802.377170] audit: type=1400 audit(1643558938.711:363714): apparmor="DENIED" operation="open" profile="/snap/snapd/14549/usr/lib/snapd/snap-confine" name="/etc/pop-os/os-release" pid=2653748 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 30 17:08:58 arkanoid kernel: [454802.379449] audit: type=1400 audit(1643558938.711:363715): apparmor="DENIED" operation="open" profile="snap.lxd.daemon" name="/var/lib/snapd/hostfs/etc/pop-os/os-release" pid=2653748 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 30 17:09:01 arkanoid kernel: [454804.880292] audit: type=1400 audit(1643558941.211:363716): apparmor="DENIED" operation="open" profile="/snap/snapd/14549/usr/lib/snapd/snap-confine" name="/etc/pop-os/os-release" pid=2654050 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 30 17:09:01 arkanoid kernel: [454804.882668] audit: type=1400 audit(1643558941.215:363717): apparmor="DENIED" operation="open" profile="snap.lxd.daemon" name="/var/lib/snapd/hostfs/etc/pop-os/os-release" pid=2654050 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 30 17:09:03 arkanoid kernel: [454807.360090] audit: type=1400 audit(1643558943.691:363718): apparmor="DENIED" operation="open" profile="/snap/snapd/14549/usr/lib/snapd/snap-confine" name="/etc/pop-os/os-release" pid=2654298 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 30 17:09:03 arkanoid kernel: [454807.362372] audit: type=1400 audit(1643558943.695:363719): apparmor="DENIED" operation="open" profile="snap.lxd.daemon" name="/var/lib/snapd/hostfs/etc/pop-os/os-release" pid=2654298 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 30 17:09:06 arkanoid kernel: [454809.883137] audit: type=1400 audit(1643558946.215:363720): apparmor="DENIED" operation="open" profile="/snap/snapd/14549/usr/lib/snapd/snap-confine" name="/etc/pop-os/os-release" pid=2654562 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 30 17:09:06 arkanoid kernel: [454809.885500] audit: type=1400 audit(1643558946.219:363721): apparmor="DENIED" operation="open" profile="snap.lxd.daemon" name="/var/lib/snapd/hostfs/etc/pop-os/os-release" pid=2654562 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
...

No idea where this error comes from. dmesg getting spammed with same error. Please advise.

cat /etc/os-release

    NAME="Pop!_OS"
    VERSION="21.10"
    ID=pop
    ID_LIKE="ubuntu debian"
    PRETTY_NAME="Pop!_OS 21.10"
    VERSION_ID="21.10"
    HOME_URL="https://pop.system76.com"
    SUPPORT_URL="https://support.system76.com"
    BUG_REPORT_URL="https://github.com/pop-os/pop/issues"
    PRIVACY_POLICY_URL="https://system76.com/privacy"
    VERSION_CODENAME=impish
    UBUNTU_CODENAME=impish
    LOGO=distributor-logo-pop-os

uname -a
Linux myhost 5.15.15-76051515-generic #202201160435~1642693824~21.10~97db1bb SMP Thu Jan 20 17:35:05 U x86_64 x86_64 x86_64 GNU/Linux

snap list

Nombre   Versión   Rev    Seguimiento    Editor        Notas
certbot  1.22.0    1670   latest/stable  certbot-eff✓  classic
core20   20220114  1328   latest/stable  canonical✓    base
lxd      4.0.8     21835  4.0/stable/…   canonical✓    -
snapd    2.54.2    14549  latest/stable  canonical✓    snapd

ps aux | grep dnsmasq

lxc-dns+    2142  0.0  0.0  25124  2328 ?        S    ene25   0:00 dnsmasq --conf-file=/dev/null -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
root     2686930  0.0  0.0  19076  2448 pts/4    S+   17:14   0:00 grep --color=auto dnsmasq

Thanks in advance.

stgraber · January 30, 2022, 6:32pm

The fact that the command reported here is snap-exec means that it’s unlikely to be something we can really help with in LXD.

There is a system-observe interface in snapd which allows access to /etc/os-release I believe. But apparmor follows all symlinks, so assuming your /etc/os-release is a symlink to /etc/pop-os/os-release, this would explain the failure.

A quick workaround would be for you to turn /etc/os-release into a regular file rather than a symlink. A proper fix would be to have snapd also allow /etc/pop-os/os-release everywhere it allows /etc/os-release, but it’s an unusual pattern that pop-os is following here and that may well be breaking a bunch of other software for no real good reason (the standard is for /etc/os-release or /usr/lib/os-release to be regular files, not symlinks).

I’d recommend bringing this up on https://forum.snapcraft.io

jobenvil · January 30, 2022, 6:57pm

Your assumptions are right. I will follow your suggestions and bring this up to https://forum.snapcraft.io. As you commented and as a WA I will remove the symlink. Thanks!