[apparmor] [Bug 2049099] Re: AppArmor blocking snap install nested in LXD container
Maciej Borzecki
2049099 at bugs.launchpad.net
Fri Jan 26 08:22:58 UTC 2024
Another observation, I have another lxc container instance, this time
it's ubuntu:24.04 which has been initialized properly and no issues so
far were observed.
--
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2049099
Title:
AppArmor blocking snap install nested in LXD container
Status in snapd:
New
Bug description:
##### Context
I'm on a non-Ubuntu OS (Arch), trying to use Juju on LXD. In doing so, Juju uses a snap inside an LXD container, and so needs the system to support nested AppArmor profiles. `juju-db` is the snap in question, if that helps.
##### Issue
When I try to do this, I get a bunch of AppArmor violations that go way over my head. It's not clear to me what is causing these, but I **suspect** that Ubuntu patches some host-system AppArmor profiles to support this use case, which isn't replicated on other OSs? Not sure, and I don't know who to ask or where to look.
If any additional information is needed I'd be more than happy to
provide.
###### `snappy-debug` journalctl logs
[ 411.702391] loop11: detected capacity change from 0 to 33408
[ 411.882088] audit: type=1400 audit(1704822630.613:257): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.snappy-debug" pid=8545 comm="apparmor_parser"
[ 411.927376] audit: type=1400 audit(1704822630.659:258): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.scanlog" pid=8548 comm="apparmor_parser"
[ 411.927408] audit: type=1400 audit(1704822630.659:259): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.audit-arch" pid=8546 comm="apparmor_parser"
[ 411.927511] audit: type=1400 audit(1704822630.659:260): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.security" pid=8550 comm="apparmor_parser"
[ 411.927592] audit: type=1400 audit(1704822630.659:261): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.snappy-debug" pid=8551 comm="apparmor_parser"
[ 411.927637] audit: type=1400 audit(1704822630.659:262): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.id-range" pid=8547 comm="apparmor_parser"
[ 411.928038] audit: type=1400 audit(1704822630.659:263): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.snappy-debug.scmp-sys-resolver" pid=8549 comm="apparmor_parser"
[ 412.245557] audit: type=1400 audit(1704822630.976:264): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/var/lib/snapd/snap/snapd/20671/usr/lib/snapd/snap-confine" pid=8573 comm="apparmor_parser"
[ 412.245562] audit: type=1400 audit(1704822630.976:265): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/var/lib/snapd/snap/snapd/20671/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=8573 comm="apparmor_parser"
[ 412.251680] audit: type=1400 audit(1704822630.983:266): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.snappy-debug" pid=8575 comm="apparmor_parser"
[ 436.594532] audit: type=1400 audit(1704822655.326:273): apparmor="DENIED" operation="open" class="file" profile="snap.juju.juju" name="/var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem" pid=8866 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 436.955742] audit: type=1400 audit(1704822655.686:274): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-juju-98527a-0" pid=8915 comm="apparmor_parser"
[ 437.001597] audit: type=1400 audit(1704822655.733:275): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-juju-98527a-0" pid=8920 comm="apparmor_parser"
[ 437.047127] audit: type=1400 audit(1704822655.779:276): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-juju-98527a-0-rootfs" pid=8924 comm="apparmor_parser"
[ 438.662197] audit: type=1400 audit(1704822657.393:277): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd_archive-var-snap-lxd-common-lxd-storage-pools-default-containers-juju-98527a-0-rootfs" pid=8947 comm="apparmor_parser"
[ 438.726353] lxdbr0: port 1(vethe8cdef92) entered blocking state
[ 438.726357] lxdbr0: port 1(vethe8cdef92) entered disabled state
[ 438.726363] vethe8cdef92: entered allmulticast mode
[ 438.726404] vethe8cdef92: entered promiscuous mode
[ 438.836408] audit: type=1400 audit(1704822657.566:278): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>" pid=9022 comm="apparmor_parser"
[ 438.936964] physF3pxUH: renamed from vethd8d1dfa0
[ 438.967393] eth0: renamed from physF3pxUH
[ 438.983981] lxdbr0: port 1(vethe8cdef92) entered blocking state
[ 438.983985] lxdbr0: port 1(vethe8cdef92) entered forwarding state
[ 439.220648] NOHZ tick-stop error: local softirq work is pending, handler #200!!!
[ 439.262605] audit: type=1400 audit(1704822657.993:279): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="nvidia_modprobe" pid=9151 comm="apparmor_parser"
[ 439.262990] audit: type=1400 audit(1704822657.993:280): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="lsb_release" pid=9150 comm="apparmor_parser"
[ 439.263026] audit: type=1400 audit(1704822657.993:281): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="nvidia_modprobe//kmod" pid=9151 comm="apparmor_parser"
[ 439.271998] audit: type=1400 audit(1704822658.003:282): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="tcpdump" pid=9154 comm="apparmor_parser"
[ 439.275799] audit: type=1400 audit(1704822658.006:283): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/bin/man" pid=9153 comm="apparmor_parser"
[ 439.275958] audit: type=1400 audit(1704822658.006:284): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="man_filter" pid=9153 comm="apparmor_parser"
[ 439.276194] audit: type=1400 audit(1704822658.006:285): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="man_groff" pid=9153 comm="apparmor_parser"
[ 439.325135] audit: type=1400 audit(1704822658.056:286): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=9152 comm="apparmor_parser"
[ 439.325403] audit: type=1400 audit(1704822658.056:287): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=9152 comm="apparmor_parser"
[ 439.325644] audit: type=1400 audit(1704822658.056:288): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=9152 comm="apparmor_parser"
[ 439.326140] audit: type=1400 audit(1704822658.056:289): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/{,usr/}sbin/dhclient" pid=9152 comm="apparmor_parser"
[ 439.356289] audit: type=1400 audit(1704822658.086:290): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/snapd/snap-confine" pid=9155 comm="apparmor_parser"
[ 439.356526] audit: type=1400 audit(1704822658.086:291): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9155 comm="apparmor_parser"
[ 439.531185] audit: type=1400 audit(1704822658.263:292): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap-update-ns.lxd" pid=9178 comm="apparmor_parser"
[ 439.593477] audit: type=1400 audit(1704822658.319:293): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9177 comm="apparmor_parser"
[ 439.593486] audit: type=1400 audit(1704822658.319:294): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9177 comm="apparmor_parser"
[ 439.594919] audit: type=1400 audit(1704822658.326:295): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.activate" pid=9179 comm="apparmor_parser"
[ 439.609341] audit: type=1400 audit(1704822658.339:296): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.install" pid=9185 comm="apparmor_parser"
[ 439.617405] audit: type=1400 audit(1704822658.349:297): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.benchmark" pid=9180 comm="apparmor_parser"
[ 439.621261] audit: type=1400 audit(1704822658.353:298): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.remove" pid=9186 comm="apparmor_parser"
[ 439.625205] audit: type=1400 audit(1704822658.356:299): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.buginfo" pid=9181 comm="apparmor_parser"
[ 439.625267] audit: type=1400 audit(1704822658.356:300): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.check-kernel" pid=9182 comm="apparmor_parser"
[ 439.625861] audit: type=1400 audit(1704822658.356:301): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc-to-lxd" pid=9188 comm="apparmor_parser"
[ 439.626255] audit: type=1400 audit(1704822658.356:302): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.migrate" pid=9190 comm="apparmor_parser"
[ 439.626606] audit: type=1400 audit(1704822658.356:303): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc" pid=9187 comm="apparmor_parser"
[ 439.627179] audit: type=1400 audit(1704822658.359:304): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxd" pid=9189 comm="apparmor_parser"
[ 439.639671] audit: type=1400 audit(1704822658.369:305): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.configure" pid=9184 comm="apparmor_parser"
[ 439.642412] audit: type=1400 audit(1704822658.373:306): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.daemon" pid=9183 comm="apparmor_parser"
[ 439.645081] audit: type=1400 audit(1704822658.376:307): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.user-daemon" pid=9191 comm="apparmor_parser"
[ 439.713482] NOHZ tick-stop error: local softirq work is pending, handler #200!!!
[ 441.714898] audit: type=1400 audit(1704822660.446:308): apparmor="STATUS" operation="profile_replace" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9421 comm="apparmor_parser"
[ 441.756809] audit: type=1400 audit(1704822660.489:309): apparmor="STATUS" operation="profile_replace" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9421 comm="apparmor_parser"
[ 441.760434] audit: type=1400 audit(1704822660.493:310): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap-update-ns.lxd" pid=9423 comm="apparmor_parser"
[ 441.762440] audit: type=1400 audit(1704822660.493:311): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.activate" pid=9424 comm="apparmor_parser"
[ 441.762939] audit: type=1400 audit(1704822660.493:312): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.benchmark" pid=9425 comm="apparmor_parser"
[ 441.763142] audit: type=1400 audit(1704822660.493:313): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.buginfo" pid=9426 comm="apparmor_parser"
[ 441.763213] audit: type=1400 audit(1704822660.493:314): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.remove" pid=9431 comm="apparmor_parser"
[ 441.763364] audit: type=1400 audit(1704822660.493:315): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.check-kernel" pid=9427 comm="apparmor_parser"
[ 441.763491] audit: type=1400 audit(1704822660.496:316): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.install" pid=9430 comm="apparmor_parser"
[ 441.763665] audit: type=1400 audit(1704822660.496:317): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc-to-lxd" pid=9433 comm="apparmor_parser"
[ 441.763688] audit: type=1400 audit(1704822660.496:318): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxd" pid=9434 comm="apparmor_parser"
[ 441.763742] audit: type=1400 audit(1704822660.496:319): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.migrate" pid=9435 comm="apparmor_parser"
[ 441.763869] audit: type=1400 audit(1704822660.496:320): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc" pid=9432 comm="apparmor_parser"
[ 441.764036] audit: type=1400 audit(1704822660.496:321): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.configure" pid=9429 comm="apparmor_parser"
[ 441.764117] audit: type=1400 audit(1704822660.496:322): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.daemon" pid=9428 comm="apparmor_parser"
[ 441.764418] audit: type=1400 audit(1704822660.496:323): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.user-daemon" pid=9436 comm="apparmor_parser"
[ 442.313495] audit: type=1400 audit(1704822661.046:324): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9458 comm="snap-confine" family="netlink" sock_type="raw" protocol=15 requested_mask="send receive" denied_mask="send receive"
[ 442.323720] audit: type=1400 audit(1704822661.056:325): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap-update-ns.lxd" name="/apparmor/.null" pid=9478 comm="6" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 442.477442] audit: type=1400 audit(1704822661.209:326): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.install" name="/apparmor/.null" pid=9458 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 442.884305] audit: type=1400 audit(1704822661.616:327): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9525 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive"
[ 442.884311] audit: type=1400 audit(1704822661.616:328): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9525 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive"
[ 442.886474] audit: type=1400 audit(1704822661.616:329): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 442.886479] audit: type=1400 audit(1704822661.616:330): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 442.897436] audit: type=1400 audit(1704822661.629:331): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=9525 comm="aa-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 442.897439] audit: type=1400 audit(1704822661.629:332): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=9525 comm="aa-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 442.926817] NOHZ tick-stop error: local softirq work is pending, handler #200!!!
[ 442.976813] NOHZ tick-stop error: local softirq work is pending, handler #200!!!
[ 443.263929] audit: type=1400 audit(1704822661.996:333): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9602 comm="apparmor_parser"
[ 443.263934] audit: type=1400 audit(1704822661.996:334): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/snap/snapd/20290/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9602 comm="apparmor_parser"
[ 443.267568] audit: type=1400 audit(1704822661.999:335): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap-update-ns.lxd" pid=9604 comm="apparmor_parser"
[ 443.270731] audit: type=1400 audit(1704822662.003:336): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.activate" pid=9605 comm="apparmor_parser"
[ 443.270893] audit: type=1400 audit(1704822662.003:337): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.buginfo" pid=9607 comm="apparmor_parser"
[ 443.271121] audit: type=1400 audit(1704822662.003:338): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.benchmark" pid=9606 comm="apparmor_parser"
[ 443.271208] audit: type=1400 audit(1704822662.003:339): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.install" pid=9611 comm="apparmor_parser"
[ 443.271319] audit: type=1400 audit(1704822662.003:340): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.check-kernel" pid=9608 comm="apparmor_parser"
[ 443.271426] audit: type=1400 audit(1704822662.003:341): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.remove" pid=9612 comm="apparmor_parser"
[ 443.271595] audit: type=1400 audit(1704822662.003:342): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc" pid=9613 comm="apparmor_parser"
[ 443.271815] audit: type=1400 audit(1704822662.003:343): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxc-to-lxd" pid=9614 comm="apparmor_parser"
[ 443.271827] audit: type=1400 audit(1704822662.003:344): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.lxd" pid=9615 comm="apparmor_parser"
[ 443.271901] audit: type=1400 audit(1704822662.003:345): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.migrate" pid=9616 comm="apparmor_parser"
[ 443.271915] audit: type=1400 audit(1704822662.003:346): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.daemon" pid=9609 comm="apparmor_parser"
[ 443.272098] audit: type=1400 audit(1704822662.003:347): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.hook.configure" pid=9610 comm="apparmor_parser"
[ 443.272532] audit: type=1400 audit(1704822662.003:348): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="snap.lxd.user-daemon" pid=9617 comm="apparmor_parser"
[ 445.556120] audit: type=1400 audit(1704822664.286:349): apparmor="STATUS" operation="profile_replace" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/snapd/snap-confine" pid=9767 comm="apparmor_parser"
[ 445.570529] audit: type=1400 audit(1704822664.303:350): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=9767 comm="apparmor_parser"
##### A rough grab from dmesg
~ ❯ sudo journalctl --output=short --follow --all | sudo snappy-debug
kernel.printk_ratelimit = 0
= AppArmor =
Time: Jan 09 17:50:55
Log: apparmor="DENIED" operation="open" class="file" profile="snap.juju.juju" name="/var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem" pid=8866 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9458 comm="snap-confine" family="netlink" sock_type="raw" protocol=15 requested_mask="send receive" denied_mask="send receive"
Suggestion:
* add one of 'account-control, hardware-observe, kernel-crypto-api, network-control, network-observe, raw-input, unity7, x11' to 'plugs'
= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap-update-ns.lxd" name="/apparmor/.null" pid=9478 comm="6" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
File: /apparmor/.null (write)
Suggestion:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.hook.install" name="/apparmor/.null" pid=9458 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
File: /apparmor/.null (write)
Suggestion:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9525 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive"
= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
File: /apparmor/.null (write)
Suggestion:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Jan 09 17:51:01
Log: apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" name="/apparmor/.null" pid=9525 comm="aa-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
File: /apparmor/.null (write)
Suggestion:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
##### Snapd installed using -
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=snapd
##### `juju-db` snap - https://github.com/juju/juju-db-snap/tree/5.3
##### `usr.lib.snapd.snap-confine` default on Arch, in case it's useful
https://pastebin.com/M5t6gySa
##### Reproduce Steps
Assuming you're running on a vanilla (minimal tweaking) Arch machine with AppArmor enabled:
```bash
cd /tmp && git clone https://aur.archlinux.org/snapd.git && cd snapd
makepkg -si
sudo systemctl enable --now snapd.socket
# log-out, log-in
sudo snap install lxd --channel latest/edge
lxd init --auto
sudo snap install juju --channel 3.3/stable
juju bootstrap localhost lh --debug --bootstrap-timeout=180
# check snappy-debug or dmesg for AppArmor denials
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/2049099/+subscriptions
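The audit dump above mixes hundreds of STATUS records (profile loads and replaces) with a handful of DENIED records, and the denials that matter for the nested case carry a `namespace="root//lxd-juju-..."` field that the host-level `snap.juju.juju` denial does not. The helper below is an added triage example, not code from the bug report, snapd or AppArmor: it parses the `type=1400` audit lines, keeps only the DENIED ones, groups them by policy namespace, profile, operation and the denied object (a path for `class="file"`, a socket family and type for `class="net"`), folds exact repeats into a count, and separates host-namespace denials from those raised inside a nested policy namespace. The sample input is a constructed subset of the records quoted in the report, including the two duplicated pid 9525 records; treating a missing `namespace` field as the root namespace is this example's own convention.

```python
"""Triage helper for AppArmor audit records (added example, not part of the bug report).

Parses type=1400 audit lines as printed by dmesg/journalctl, keeps the DENIED
records, and groups them by policy namespace, profile, operation and denied
object so that repeated records collapse to one row with a count.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample: a subset of the audit records quoted in the bug report,
# with two exact duplicates (pid 9525) that the summary should fold together.
SAMPLE_LOG = '''\
[ 436.594532] audit: type=1400 audit(1704822655.326:273): apparmor="DENIED" operation="open" class="file" profile="snap.juju.juju" name="/var/lib/snapd/hostfs/etc/ca-certificates/extracted/tls-ca-bundle.pem" pid=8866 comm="juju" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 439.356289] audit: type=1400 audit(1704822658.086:290): apparmor="STATUS" operation="profile_load" label="lxd-juju-98527a-0_</var/snap/lxd/common/lxd>//&:lxd-juju-98527a-0_<var-snap-lxd-common-lxd>:unconfined" name="/usr/lib/snapd/snap-confine" pid=9155 comm="apparmor_parser"
[ 442.313495] audit: type=1400 audit(1704822661.046:324): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9458 comm="snap-confine" family="netlink" sock_type="raw" protocol=15 requested_mask="send receive" denied_mask="send receive"
[ 442.323720] audit: type=1400 audit(1704822661.056:325): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap-update-ns.lxd" name="/apparmor/.null" pid=9478 comm="6" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 442.884305] audit: type=1400 audit(1704822661.616:327): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9525 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive"
[ 442.884311] audit: type=1400 audit(1704822661.616:328): apparmor="DENIED" operation="file_inherit" class="net" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="/snap/snapd/20290/usr/lib/snapd/snap-confine" pid=9525 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive"
[ 442.886474] audit: type=1400 audit(1704822661.616:329): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 442.886479] audit: type=1400 audit(1704822661.616:330): apparmor="DENIED" operation="file_inherit" class="file" namespace="root//lxd-juju-98527a-0_<var-snap-lxd-common-lxd>" profile="snap.lxd.activate" name="/apparmor/.null" pid=9525 comm="snap-exec" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
'''

# key=value pairs: the value is either double-quoted (may contain spaces, '<', '&')
# or a bare token such as pid=9458. Scanning left to right consumes each quoted
# value whole, so an '=' inside a quoted value cannot start a new field.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict[str, str] | None:
    """Return the key/value fields of one AppArmor audit line, or None for any other line."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted if quoted else bare for key, quoted, bare in _FIELD_RE.findall(line)}


def denied_object(rec: dict[str, str]) -> str:
    """Describe the denied object: a socket for net-class records, a path otherwise."""
    if rec.get("class") == "net":
        return f'{rec.get("family", "?")} {rec.get("sock_type", "?")} (proto {rec.get("protocol", "?")})'
    return rec.get("name", "?")


def summarize_denials(log_text: str) -> list[tuple[tuple[str, str, str, str], int]]:
    """Group DENIED records by (namespace, profile, operation, object), most frequent first.

    A record without a namespace field is attributed to the root namespace
    (this example's convention for the host-level policy).
    """
    counts: Counter[tuple[str, str, str, str]] = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        counts[(rec.get("namespace", "root"), rec["profile"], rec["operation"], denied_object(rec))] += 1
    return counts.most_common()


def split_by_namespace(summary):
    """Separate host-namespace rows from rows raised inside a nested policy namespace ('//')."""
    host = [(key, n) for key, n in summary if "//" not in key[0]]
    nested = [(key, n) for key, n in summary if "//" in key[0]]
    return host, nested


if __name__ == "__main__":
    host_rows, nested_rows = split_by_namespace(summarize_denials(SAMPLE_LOG))
    for title, rows in (("host namespace", host_rows), ("nested namespaces", nested_rows)):
        print(f"== {title}: {sum(n for _, n in rows)} denial record(s) ==")
        for (ns, profile, op, obj), n in rows:
            print(f"{n:3}x  ns={ns}  profile={profile}  op={op}  -> {obj}")
```

Run it against a full `journalctl -k` or `dmesg` capture instead of `SAMPLE_LOG` and the nested rows are the ones to look at first: on the constructed sample they are all `file_inherit` denials attributed to profiles evaluated under the `root//lxd-juju-...` namespace, which is exactly the nested-profile support the reporter is asking about, while the single host-namespace row is the unrelated `snap.juju.juju` read of the host CA bundle.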