cmd/snap-confine: re-associate with pid-1 mount namespace if required #2624

Merged
merged 37 commits into from Mar 16, 2017

Revert "cmd/snap-confine: remove capability sys_ptrace"

This reverts commit 3efbedd.

It seems that after all it is needed. Specifically if snap-confine is
started by a non-root user everything consistently fails with:

    cannot perform readlinkat() on the mount namespace file descriptor of
    the init process: Permission denied

And an apparmor denial is logged:

    [34345.780067] audit: type=1400 audit(1489647627.003:150):
    apparmor="DENIED" operation="capable"
    profile="/usr/lib/snapd/snap-confine" pid=31109 comm="snap-confine"
    capability=19  capname="sys_ptrace"

This corresponds to the following call:

    if (readlinkat(init_mnt_fd, "", init_buf, sizeof init_buf) < 0) {

init_mnt_fd is coming from an earlier successful call:

    init_mnt_fd = open("/proc/1/ns/mnt",
                       O_RDONLY | O_CLOEXEC | O_NOFOLLOW | O_PATH);

Perhaps the fact that euid == 0 but uid != 0 is relevant here but I
don't know how exactly.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
commit 7373ee8938cebb82c88f5925d448b290d18a7122 @zyga zyga committed Mar 16, 2017
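The check behind this commit, as an added example that is not snap-confine's own code: open a process's mount-namespace file with O_PATH, use readlinkat() with an empty path to read the "mnt:[inode]" text behind it, compare that with our own, and only call setns() if they differ. It assumes a Linux host with /proc mounted; the function names (read_ns_link, same_ns, join_init_mount_ns) are mine. Reading another process's ns link requires ptrace-read access to that process, which for pid 1 means CAP_SYS_PTRACE, and with an AppArmor profile in force the capability must also be listed there, which is the denial quoted in the commit message.

```c
/* Added example, not snap-confine's own code. Assumes Linux with /proc. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the "mnt:[<inode>]" text behind an ns file such as /proc/1/ns/mnt.
 * Returns the number of bytes stored (NUL-terminated), or -1 with errno set.
 * EACCES here is what the commit message's "capable ... sys_ptrace" denial
 * looks like from user space when the caller lacks ptrace access to the
 * target process. */
static ssize_t read_ns_link(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW | O_PATH);
    if (fd < 0)
        return -1;
    /* An empty relative path on an O_PATH fd resolves the fd itself
     * (Linux >= 2.6.39), the same pattern quoted in the commit message. */
    ssize_t n = readlinkat(fd, "", buf, buflen - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* 1 if both ns files name the same namespace, 0 if they differ,
 * -1 with errno set if either could not be read. */
static int same_ns(const char *a, const char *b)
{
    char ba[64], bb[64];
    if (read_ns_link(a, ba, sizeof ba) < 0)
        return -1;
    if (read_ns_link(b, bb, sizeof bb) < 0)
        return -1;
    return strcmp(ba, bb) == 0;
}

/* Re-associate the calling process with pid 1's mount namespace if it is
 * not already there. Needs CAP_SYS_PTRACE for the probe and CAP_SYS_ADMIN
 * for setns(). Returns 0 when already there or after joining, -1 with
 * errno set otherwise. The setns() fd is opened without O_PATH because
 * setns() rejects O_PATH descriptors. */
static int join_init_mount_ns(void)
{
    int r = same_ns("/proc/1/ns/mnt", "/proc/self/ns/mnt");
    if (r < 0)
        return -1;
    if (r == 1)
        return 0;
    int fd = open("/proc/1/ns/mnt", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = setns(fd, CLONE_NEWNS);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

int main(void)
{
    char buf[64];
    if (read_ns_link("/proc/self/ns/mnt", buf, sizeof buf) < 0) {
        perror("readlinkat(/proc/self/ns/mnt)");
        return 1;
    }
    printf("own mount namespace: %s\n", buf);
    int r = same_ns("/proc/1/ns/mnt", "/proc/self/ns/mnt");
    if (r < 0) {
        /* As an unprivileged user, or as a confined setuid binary whose
         * profile lacks capability sys_ptrace, this is where it fails. */
        perror("readlinkat(/proc/1/ns/mnt)");
        return 1;
    }
    printf("%s pid 1's mount namespace\n", r ? "already in" : "not in");
    if (!r && join_init_mount_ns() < 0)
        perror("setns(/proc/1/ns/mnt)");
    return 0;
}
```

Run it once as a normal user and once as root (or inside `unshare -m`) to see the three outcomes: the probe succeeding and matching, the probe succeeding and setns() moving the process, and the probe failing with EACCES before any namespace change is attempted.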
@@ -274,6 +274,8 @@
/var/lib/lxd/ w,
/var/lib/snapd/hostfs/var/lib/lxd r,
+ # support for the mount namespace sharing
+ capability sys_ptrace,
# allow snap-confine to read /proc/1/ns/mnt
ptrace trace peer=unconfined,
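Review bot: the comment on the new `capability sys_ptrace,` line ("support for the mount namespace sharing") does not say what the capability is for, while the comment two lines down ("allow snap-confine to read /proc/1/ns/mnt") describes exactly the readlinkat() failure the commit message quotes; since the profile is being widened on the basis of an observed denial the author says they cannot fully explain, the rule should carry that rationale, e.g. `# readlinkat() on /proc/1/ns/mnt fails with EACCES without sys_ptrace (capable denial, see commit message)`, and the two rules that both exist to read /proc/1/ns/mnt belong next to each other under one comment. A revert that re-adds a capability also deserves a test exercising the non-root invocation path, so the rule is not dropped again by the next cleanup.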