[Plugin] Detect copy operations without the adequate access rights #1867

Closed

slashdd commented Nov 19, 2019

Likely due to Linux Security Modules such as apparmor, selinux, ...

Fix: #1662

Signed-off-by: Eric Desrochers <eric.desrochers@canonical.com>


Please place an 'X' inside each '[]' to confirm you adhere to our Contributor Guidelines

  • Is the commit message split over multiple lines and hard-wrapped at 72 characters?
  • Is the subject and message clear and concise?
  • Does the subject start with [plugin_name] if submitting a plugin patch or a [section_name] if part of the core sosreport code?
  • Does the commit contain a Signed-off-by: First Lastname email@example.com?
  • If this commit closes an existing issue, is the line Closes: #ISSUENUMBER included in an independent line?
  • If this commit resolves an existing pull request, is the line Resolves: #PRNUMBER included in an independent line?

Author

slashdd commented Nov 19, 2019

Here's an example inside a LXD container with no access to /proc/sys/fs/binfmt_misc

sos.log:2019-11-19 21:43:30,657 ERROR: [plugin:system] _copy_dir: PermissionError: Likely due to Linux Security Modules '/proc/sys/fs/binfmt_misc'

Instead of raising an exception in the form of a traceback:

caught exception in plugin method "system.collect()"
caught exception in plugin method "system.collect()"
writing traceback to sos_logs/system-plugin-errors.txt
writing traceback to sos_logs/system-plugin-errors.txt
cat system-plugin-errors.txt 
Traceback (most recent call last):
  File "/usr/share/sosreport/sos/sosreport.py", line 1052, in collect_plugin
    plug.collect()
  File "/usr/share/sosreport/sos/plugins/__init__.py", line 1334, in collect
    self._collect_copy_specs()
  File "/usr/share/sosreport/sos/plugins/__init__.py", line 1303, in _collect_copy_specs
    self._do_copy_path(path)
  File "/usr/share/sosreport/sos/plugins/__init__.py", line 725, in _do_copy_path
    self._copy_dir(srcpath)
  File "/usr/share/sosreport/sos/plugins/__init__.py", line 668, in _copy_dir
    self._do_copy_path(os.path.join(srcpath, afile), dest=None)
  File "/usr/share/sosreport/sos/plugins/__init__.py", line 725, in _do_copy_path
    self._copy_dir(srcpath)
  File "/usr/share/sosreport/sos/plugins/__init__.py", line 668, in _copy_dir
    self._do_copy_path(os.path.join(srcpath, afile), dest=None)
  File "/usr/share/sosreport/sos/plugins/__init__.py", line 725, in _do_copy_path
    self._copy_dir(srcpath)
  File "/usr/share/sosreport/sos/plugins/__init__.py", line 665, in _copy_dir
    for afile in os.listdir(srcpath):
PermissionError: [Errno 13] Permission denied: '/proc/sys/fs/binfmt_misc'

Author

slashdd commented Nov 20, 2019

After much reconsideration on my part, I have switched from log_error to log_warn and changed/refined the msg to the following:

sos.log:2019-11-20 00:31:36,663 WARNING: [plugin:system] _copy_dir: /proc/sys/fs/binfmt_misc 'Permission denied likely due to Linux Security Modules (LSM) restrictions'
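
The handling discussed in the comments above, as an added sketch (not the code from this pull request or from sos): a recursive copy that turns a PermissionError on a directory listing into a single warning and carries on with the rest of the tree. `copy_tree`, the injectable `listdir` parameter, the logger name and the sample tree are assumptions made for the example.

```python
import errno
import logging
import os
import shutil
import tempfile

log = logging.getLogger("sos-example")  # hypothetical logger name


def copy_tree(src, dest, listdir=os.listdir):
    """Copy src into dest recursively; return the paths that were skipped.
    A directory that cannot be listed (e.g. an AppArmor/SELinux denial,
    which applies even to root) is logged as a warning and skipped.
    """
    try:
        entries = listdir(src)
    except PermissionError as err:
        log.warning("copy_tree: %s 'Permission denied likely due to Linux "
                    "Security Modules (LSM) restrictions' [%s]",
                    src, errno.errorcode.get(err.errno, err.errno))
        return [src]
    skipped = []
    os.makedirs(dest, exist_ok=True)
    for name in entries:
        s, d = os.path.join(src, name), os.path.join(dest, name)
        if os.path.isdir(s) and not os.path.islink(s):
            skipped += copy_tree(s, d, listdir)
            continue
        try:
            shutil.copy2(s, d, follow_symlinks=False)
        except PermissionError:
            log.warning("copy_tree: %s not readable, skipped", s)
            skipped.append(s)
    return skipped


def demo():
    """Constructed tree; fake_listdir simulates the denied directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "fs", "denied"))
    with open(os.path.join(root, "fs", "file-max"), "w") as f:
        f.write("1000\n")

    def fake_listdir(path):  # stands in for the kernel returning EACCES
        if os.path.basename(path) == "denied":
            raise PermissionError(errno.EACCES, "Permission denied", path)
        return os.listdir(path)
    out = os.path.join(root, "out")
    return copy_tree(os.path.join(root, "fs"), out, fake_listdir), os.listdir(out)
```

Returning the skipped paths gives the caller a record of what is missing from the archive, which matters when the report is later read as if it were complete.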

Author

slashdd commented Nov 21, 2019

lxd source pkg explaining why binfmt is permission denied during sosreport run inside a lxd container.

lxd/apparmor.go

  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,

Contributor

BryanQuigley left a comment


+1.

For completeness this goes from:
Starting 47/54 system [Running: processor scsi services system] caught exception in plugin method "system.collect()"
caught exception in plugin method "system.collect()"
writing traceback to sos_logs/system-plugin-errors.txt
writing traceback to sos_logs/system-plugin-errors.txt
Finishing plugins [Running: system]

To:
Starting 47/54 system [Running: networking processor services system] [plugin:system] _copy_dir: '/proc/sys/fs' Permission denied likely due to Linux Security Modules (LSM) restrictions
Finishing plugins [Running: systemd]

Much nicer!

Author

slashdd commented Dec 11, 2019

@bmr-cymru @pmoravec @TurboTurtle I would like to request a review from you guys when time permits.

This makes the user experience nicer IMHO, instead of letting raise throw an exception.
This exception spew has been an annoyance in Ubuntu due to the binfmt_misc denial in apparmor when inside a LXD container.

(e.g. apparmor restriction for '/proc/sys/fs/binfmt' inside a LXD container)

Fix: #1662

Signed-off-by: Eric Desrochers <eric.desrochers@canonical.com>
Contributor

pmoravec left a comment


Sounds good to me. Not sure about the proper phrasing of the error msg (even though this is what I roughly suggested), but that can be subjective.

Successfully merging this pull request may close these issues.

[system] Permission denied /proc/sys/fs/binfmt_misc inside LXD container