-
-
Notifications
You must be signed in to change notification settings - Fork 216
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
snap.nextcloud.nextcloud-cron flooding syslog with AppArmor errors #1956
Comments
I'm afraid you haven't seen much movement on this type of thing in the past, because here in the snap we have no control over:
|
Thanks for the response. I might not correctly understand this, but it looks like the apparmor rules are created by snap based on the interfaces that you have defined in nextcloud-snap, and there might be a way to define additional custom interfaces. While you have no control over cron.php, it would probably make very much sense to assess what it is doing, in terms of apparmor rules, and provide an appropriate interface as part of this project. |
I'm having this very same issue on Ubuntu 20.04.3 - keen to find out if there is a workaround/fix to address the issue.
|
I'm afraid you misunderstand how snap interfaces work. They're like android permissions, you select which pre-defined ones you're using and that's it. They allow us to poke predefined holes in the confinement model, but do not allow us to customize them. It would be handy if snapd supported silencing that type of thing unless you're debugging them, but it doesn't to the length of my knowledge. In general these things are non-fatal and are really not interesting. The software looks in a few places for this or that file, some of the places are off-limits, and that causes an apparmor log. It's normal. The software itself finds what it's looking for elsewhere (or doesn't), and typically carries on with its life. If someone would like to dig into this to see if we should be using more interfaces or to see if upstream Nextcloud could be doing something differently to not trigger such things, I'd be happy to review any proposals. Just keep in mind that:
|
exactly same issue on Debian 11.2. FYI, possibly missing |
Both of those break (2). Nothing actually requires those capabilities, so granting them just to silence a noisy log seems like it's asking for trouble. |
This issue is stale because it has been without activity for 60 days. It will be closed after 7 more days of inactivity. |
The issue still exists. I'm not even sure what workarounds I could deploy to make my apparmor logging useful again. |
Describe the bug
Every 15 minutes, the nextcloud-snap cronjob (rev28654 running on debian stable) is flooding dmesg with false positive(?) access denial messages:
This and similar things have been reported in the past, but only as observations of othewise unrelated uprade issues (e.g. #1728 but going back as far as #42). As none of the issues are specifically about apparmor and nextcloud-cron, I'm opening this one.
It would be great to either stop the cron.php(?) script from doing the illegitimate access or to define a better matching apparmor rule.
There is also another access error from the
renew-certs
job:To Reproduce
Steps to reproduce the behavior:
dmesg
Expected behavior
A default installation should come with apparmor rules that precisely match what it is allowed to do.
OS/snapd/snap version
Nextcloud is running behind Apache2 reverse-proxy on the /nc/ path of one of the apache-hosted domains.
Logs
Status of nextcloud-cron:
Other logs can be provided upon request.
The text was updated successfully, but these errors were encountered: