Anbox 46 snap-confine has elevated permissions and is not confined but should be #386

Closed
grandtoubab opened this Issue Jul 28, 2017 · 11 comments

root@debian:# snap list
Name   Version     Rev   Developer  Notes
anbox  3-7036fc0   46    morphis    devmode
core   16-2.26.14  2462  canonical  -

root@debian:/# snap info core
name:      core
summary:   "snapd runtime environment"
publisher: canonical
contact:   snappy-canonical-storeaccount@canonical.com
description: |
  The core runtime environment for snapd
type:        core
tracking:    candidate
installed:   16-2.26.14 (2462) 84MB -
refreshed:   2017-07-20 14:45:34 +0200 CEST
channels:                      
  stable:    16-2.26.14 (2462) 84MB -
  candidate: 16-2.26.14 (2462) 84MB -
  beta:      16-2.27    (2517) 85MB -
  edge:      16-2.27    (2517) 85MB -
root@debian:/# snap info anbox
name:      anbox
summary:   "Android in a Box"
publisher: morphis
description: |
  Runtime for Android applications which runs a full Android system
  in a container using Linux namespaces (user, ipc, net, mount) to
  separate the Android system fully from the host.
  
commands:
  - anbox
  - anbox.collect-bug-info
tracking:    edge
installed:   3-7036fc0 (46) 361MB devmode
refreshed:   2017-07-27 09:39:37 +0200 CEST
channels:                   
  stable:    –                    
  candidate: –                    
  beta:      1-dev     (15) 357MB devmode
  edge:      3-7036fc0 (46) 361MB devmode
@debian:~$ anbox system-info
snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

Problem : nothing starts

Jul 28 11:46:32 debian systemd[1]: Mounting Mount unit for anbox...
Jul 28 11:46:32 debian systemd[1]: Mounted Mount unit for anbox.
Jul 28 11:46:32 debian systemd-udevd[213]: /lib/udev/rules.d/99-anbox.rules:1: NAME="%k" is ignored, because it breaks kernel supplied names; please remove
Jul 28 11:46:32 debian systemd-udevd[213]: /lib/udev/rules.d/99-anbox.rules:2: NAME="%k" is ignored, because it breaks kernel supplied names; please remove
Jul 28 11:46:47 debian systemd[1]: Started Service for snap application anbox.container-manager.
Jul 28 11:46:48 debian systemd[1]: snap.anbox.container-manager.service: Main process exited, code=exited, status=1/FAILURE
Jul 28 11:46:48 debian systemd[1]: snap.anbox.container-manager.service: Unit entered failed state.
Jul 28 11:46:48 debian systemd[1]: snap.anbox.container-manager.service: Failed with result 'exit-code'.
Jul 28 11:46:48 debian systemd[1]: snap.anbox.container-manager.service: Service hold-off time over, scheduling restart.
Jul 28 11:46:48 debian systemd[1]: Stopped Service for snap application anbox.container-manager.
Jul 28 11:46:48 debian systemd[1]: Started Service for snap application anbox.container-manager.
Jul 28 11:46:48 debian systemd[1]: snap.anbox.container-manager.service: Main process exited, code=exited, status=1/FAILURE
Jul 28 11:46:48 debian systemd[1]: snap.anbox.container-manager.service: Unit entered failed state.
 anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity&
[1] 2175
guy@debian:~$ snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks

[1]+  Termine 1               anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

zyga commented Jul 28, 2017

Hey, snap-confine author here.

That message means that you have apparmor built into your kernel and enabled but for whatever reason snap-confine is running without confinement. This is a security measure to ensure that nobody can attack the confinement and somehow unconfine snap-confine by running it with the path from the core snap (where it is setuid-root).

Can you tell me more about your system please? Start with snap version and ls /sys/kernel/security/apparmor please. EDIT: and /proc/cmdline
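The refusal described above is a sanity check: if the kernel reports AppArmor as enabled but snap-confine's own label is "unconfined", it exits rather than run setuid-root without a profile. The script below is an added example, not snapd's code, that reproduces that decision from file contents so it can run offline; the real inputs on a live system are /sys/module/apparmor/parameters/enabled and /proc/self/attr/current.

```shell
#!/bin/sh
# Added example (not snapd code): approximate the check snap-confine performs.
# confinement_check ENABLED_FILE ATTR_FILE
#   ENABLED_FILE mimics /sys/module/apparmor/parameters/enabled ("Y" or "N")
#   ATTR_FILE    mimics /proc/self/attr/current ("unconfined" or "<profile> (enforce)")
#   Returns 0 when running is acceptable, 1 when snap-confine would refuse.
confinement_check() {
    enabled_file=$1
    attr_file=$2
    # Kernel without AppArmor (or the parameter missing): running unconfined is expected,
    # which is the Debian situation the profile comment on this page describes.
    if [ ! -r "$enabled_file" ] || [ "$(cat "$enabled_file")" != "Y" ]; then
        echo "apparmor not enabled: unconfined execution is expected"
        return 0
    fi
    # Strip the " (enforce)" / " (complain)" mode suffix to get the bare label.
    label=$(sed 's/ (.*//' "$attr_file")
    if [ "$label" = "unconfined" ]; then
        # Same condition that produces the "not confined but should be" message.
        echo "apparmor enabled but process is unconfined: refusing to continue"
        return 1
    fi
    echo "confined by profile $label"
    return 0
}

# Constructed sample inputs standing in for the sysfs/procfs files.
demo_dir=$(mktemp -d)
printf 'Y\n' > "$demo_dir/enabled"
printf 'N\n' > "$demo_dir/disabled"
printf 'unconfined\n' > "$demo_dir/attr_unconfined"
printf '/usr/lib/snapd/snap-confine (enforce)\n' > "$demo_dir/attr_confined"

# Walk the three cases: healthy, broken (this issue), and AppArmor-less kernel.
confinement_check "$demo_dir/enabled" "$demo_dir/attr_confined"
confinement_check "$demo_dir/enabled" "$demo_dir/attr_unconfined" || true
confinement_check "$demo_dir/disabled" "$demo_dir/attr_unconfined"
```

On a real host, compare `cat /proc/$(pgrep -x snap-confine)/attr/current` (while a snap is starting) against the loaded profiles in aa-status to see which case you are in.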

grandtoubab commented Jul 28, 2017

I am running on Debian 10 Buster with apparmor activated

 ls /sys/kernel/security/apparmor
features  policy  profiles
root@debian:# ls /proc/cmdline
/proc/cmdline
debian:/# aa-status | grep snap
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
snap list
Name  Version     Rev   Developer  Notes
core  16-2.26.14  2462  canonical  -
apt list snapd
En train de lister... Fait
snapd/testing,stable,now 2.21-2+b1 amd64  [installé]
 dpkg -l anbox-common
Souhait=inconnU/Installé/suppRimé/Purgé/H=à garder
| État=Non/Installé/fichier-Config/dépaqUeté/échec-conFig/H=semi-installé/W=attend-traitement-déclenchements
|/ Err?=(aucune)/besoin Réinstallation (État,Err: majuscule=mauvais)
||/ Nom                      Version           Architecture      Description
+++-========================-=================-=================-=====================================================
ii  anbox-common             8~xenial1         all               Common files necessary for Anbox
 dpkg -l anbox-modules-dkms
Souhait=inconnU/Installé/suppRimé/Purgé/H=à garder
| État=Non/Installé/fichier-Config/dépaqUeté/échec-conFig/H=semi-installé/W=attend-traitement-déclenchements
|/ Err?=(aucune)/besoin Réinstallation (État,Err: majuscule=mauvais)
||/ Nom                      Version           Architecture      Description
+++-========================-=================-=================-=====================================================
ii  anbox-modules-dkms       8~xenial1         all               Android kernel driver (binder, ashmem) in DKMS format

debian:~$ journalctl -b | grep snap-confine
juil. 28 16:19:50 debian apparmor[578]: Warning from /etc/apparmor.d/usr.lib.snapd.snap-confine (/etc/apparmor.d/usr.lib.snapd.snap-confine line 362): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.
juil. 28 16:19:50 debian audit[647]: AVC apparmor="STATUS" operation="profile_load" name="/usr/lib/snapd/snap-confine" pid=647 comm="apparmor_parser"
juil. 28 16:19:50 debian audit[647]: AVC apparmor="STATUS" operation="profile_load" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=647 comm="apparmor_parser"

lal12 commented Jul 31, 2017

I had the same issue. It seems that no AppArmor profile for snap is created. I made it work by
sudo aa-genprof /usr/bin/snap, then typing F for Finish.
sudo aa-complain /usr/bin/snap

I guess in terms of security not the optimal solution, ...

zyga commented Aug 1, 2017

@lal12 the profile should not apply to snap as it is an unprivileged application that doesn't have any security impact. The profile needs to apply to snap-confine and that is the one that needs to be investigated. At no time should we use aa-genprof since a profile already exists and there are mechanisms in place to use it. Something broke but this is not the solution.

zyga commented Aug 1, 2017

@grandtoubab This explains everything, thank you!

The crux of the issue is a disconnect between snap-confine and snapd. Snapd doesn't generate the apparmor profile for snap-confine, but snap-confine is compiled with apparmor enabled and expects to be confined since apparmor is also enabled on boot.

Unfortunately this situation is unsupported until Linux 4.14 is released. Right now there is no easy way.

Hello,
in /etc/apparmor.d/usr.lib.snapd.snap-confine
line 362 is

# Debian compiles snap-confine without AppArmor, so allow running snaps unconfined
    /usr/lib/snapd/snap-exec uxr,

and it seems it is not true, as the profile is not found among the unconfined processes:

root@debian:/etc/apparmor.d#  aa-unconfined | grep snap
root@debian:/etc/apparmor.d# 

so maybe this line is wrong /usr/lib/snapd/snap-exec uxr ?

I modified /etc/apparmor.d/usr.lib.snapd.snap-confine this way:

    # Required when using unpatched upstream kernel
    capability sys_ptrace,
    # Debian compiles snap-confine without AppArmor, so allow running snaps unconfined
    #/usr/lib/snapd/snap-exec uxr,
}

and now I get

root@debian:/# journalctl -b | grep snap-confine
août 01 12:04:40 debian audit[638]: AVC apparmor="STATUS" operation="profile_load" name="/usr/lib/snapd/snap-confine" pid=638 comm="apparmor_parser"
août 01 12:04:40 debian audit[638]: AVC apparmor="STATUS" operation="profile_load" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=638 comm="apparmor_parser"

root@debian:/# aa-status
apparmor module is loaded.
61 profiles are loaded.
24 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince-thumbnailer//sanitized_helper
   /usr/bin/evince//sanitized_helper
   /usr/bin/irssi
   /usr/bin/pidgin
   /usr/bin/pidgin//launchpad_integration
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper

morphis commented Aug 2, 2017

I am closing this one as it's not an issue with anbox but with snapd.

@morphis morphis closed this Aug 2, 2017

@grandtoubab hi, I encountered the same problem on my odroid C1 board (armhf).
Did you finally solve this problem? I need help..

As explained above, snapd is dependent on the kernel version, and Anbox is not a mature project. It is not functional everywhere, so I gave up.

@grandtoubab Okay thanks for your help.

Sorry for my English..
