From 68a799368c82121ba6c296408b25e79602a61c2b Mon Sep 17 00:00:00 2001
From: Jamie Strandboge
Date: Thu, 5 Dec 2019 14:38:09 +0000
Subject: [PATCH 1/3] snap-confine: allow 'r' for /sys/kernel/mm/transparent_hugepage/hpage_pmd_size

golang runtime sets various constants and variables. Allow reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size for determining sysTHPSizePath.

References:
- https://golang.org/pkg/runtime/?m=all#pkg-variables
---
 cmd/snap-confine/snap-confine.apparmor.in | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
index f6832e3a676..858b91e4a56 100644
--- a/cmd/snap-confine/snap-confine.apparmor.in
+++ b/cmd/snap-confine/snap-confine.apparmor.in
@@ -51,6 +51,9 @@
  /dev/pts/[0-9]* rw,
  /dev/tty rw,
 
+ # golang runtime variables
+ /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
  # cgroup: devices
  capability sys_admin,
  capability dac_read_search,

From 47ee9d7200628248190438ea8e6aa1244d615963 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge
Date: Thu, 5 Dec 2019 14:44:13 +0000
Subject: [PATCH 2/3] apparmor: allow 'r' /sys/kernel/mm/transparent_hugepage/hpage_pmd_size

With newer kernels, many applications try to read hpage_pmd_size (eg, the golang runtime package does this). While the access appears non-fatal, the information within it is not sensitive, so allow it by default.

References:
- https://golang.org/pkg/runtime/?m=all#pkg-variables
---
 interfaces/apparmor/template.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/interfaces/apparmor/template.go b/interfaces/apparmor/template.go
index 1c4be9420c2..05bbbced6a0 100644
--- a/interfaces/apparmor/template.go
+++ b/interfaces/apparmor/template.go
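Review bot: The rule added to the snap-confine profile in this hunk is removed again by patch 3/3 of the same series, so the series as applied leaves snap-confine.apparmor.in unchanged; squashing 1/3 into 3/3 (or dropping the snap-confine half of both) would give a cleaner history and avoid a bisect point where snap-confine briefly carried a rule it does not need. The comment `# golang runtime variables` is also misleading in this particular profile, since the reason 3/3 gives for the move is that the read belongs to snap-update-ns, presumably because snap-confine is not itself a Go program. The enclosing profile block starts and ends outside the hunk.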
@@ -369,6 +369,7 @@ var defaultTemplate = `
  /sys/devices/virtual/tty/{console,tty*}/active r,
  /sys/fs/cgroup/memory/memory.limit_in_bytes r,
  /sys/fs/cgroup/memory/snap.@{SNAP_INSTANCE_NAME}{,.*}/memory.limit_in_bytes r,
+ /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /sys/module/apparmor/parameters/enabled r,
 
  /{,usr/}lib/ r,

From 309cacb708a4a326a16be0aa81851e1c0fc696b7 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge
Date: Fri, 6 Dec 2019 15:36:43 +0000
Subject: [PATCH 3/3] hpage_pmd_size is for snap-update-ns, not snap-confine. Thanks zyga

---
 cmd/snap-confine/snap-confine.apparmor.in | 3 ---
 interfaces/apparmor/template.go | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
index 858b91e4a56..f6832e3a676 100644
--- a/cmd/snap-confine/snap-confine.apparmor.in
+++ b/cmd/snap-confine/snap-confine.apparmor.in
@@ -51,9 +51,6 @@
  /dev/pts/[0-9]* rw,
  /dev/tty rw,
 
- # golang runtime variables
- /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  # cgroup: devices
  capability sys_admin,
  capability dac_read_search,
diff --git a/interfaces/apparmor/template.go b/interfaces/apparmor/template.go
index 05bbbced6a0..8b045cecc91 100644
--- a/interfaces/apparmor/template.go
+++ b/interfaces/apparmor/template.go
@@ -715,6 +715,9 @@ profile snap-update-ns.###SNAP_INSTANCE_NAME### (attach_disconnected) {
  /dev/random r,
  /dev/urandom r,
 
+ # golang runtime variables
+ /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
  # Allow access to the uuidd daemon (this daemon is a thin wrapper around
  # time and getrandom()/{,u}random and, when available, runs under an
  # unprivilged, dedicated user).
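Review bot: The new `/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,` line in the default template carries no comment, whereas the identical rule added to the snap-update-ns profile in patch 3/3 is annotated with `# golang runtime variables`; since the default template is applied to every confined snap, a one-line reason next to the rule helps whoever later audits which sysfs reads are granted by default. I would add `  # golang runtime reads the THP PMD size at startup` above it, or at least mirror the wording used in the snap-update-ns profile so the two occurrences are easy to correlate. From a confinement standpoint the rule is a read-only grant on a single fixed path with no globbing, so what it exposes is limited to the kernel's huge-page size, consistent with the commit message's "not sensitive" claim. The enclosing defaultTemplate raw string literal begins and ends outside this hunk.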