Comment 2 for bug 1964636

John Johansen (jjohansen) wrote:

This is failing because the apparmor_parser before the 3.0 release would build its capability list from the installed kernel headers. The apparmor_parser here was built against a kernel without support for cap 'bpf'.

root@priv:~# apparmor_parser -V
AppArmor parser version 2.13.3
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2018 Canonical Ltd.

This was fixed in 3.0 by having a static caps list (with full mapping info) and the dynamic auto-generated list (against the kernel headers) that is used to check that the static list has not become stale. In addition the parser can pull kernel supported caps straight from the apparmor kernel module (it will however be missing the mapping info).

To fix similar issues upstream, a limited version of the 3.0 fix was backported to 2.13 and released in 2.13.5.

Ideally we would pull 2.13.6 in, but at a minimum we need to pick
  726c3fc1 parser: Make sure apparmor can build on old kernels
  3f8cfac3 parser/Makefile: fix generated cap comparison against known list
  ad45b807 parser: add CAP_BPF/PERFMON; convert to pregenerated cap list
  cd4a1613 Add CAP_BPF and CAP_PERFMON to severity.db
  60007d3f parser: Add warning to capability_table about the need to update the Makefile
  ef8d5141 parser/Makefile: use LC_ALL=C when invoking sed
  4e194b2f parser: unify capability name handling
  ed61e482 parser: cleanup capability_table generation by dropping cap sys_log
  efb6952e parser: Move to a pre-generated cap_names.h

Now for the bits I didn't quite figure out:
 - Why does snapd think that the parser supports `bpf` when it in fact doesn't?

My guess is that it's checking the kernel for support of bpf and not the parser.

 - Why does this only seem to hit with `distrobuilder`? Testing with `hello-world` doesn't hit this issue, though we've seen similar behavior from the `go` snap. Is it a bug that only triggers on classic snaps?

My guess is that it will depend on what connections (plugs) are used. Classic snaps in general shouldn't trigger this because they are run unconfined, but LXD triggers it because it has its own profile. Only snaps that plug a connection that requires bpf would trigger this.
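The comment draws a distinction that is easy to miss when debugging this: the kernel advertising a capability (what a tool like snapd may be checking) is not the same as the installed apparmor_parser being able to compile a profile that uses it. The script below is an added example, not code from the bug report or from the AppArmor project; it probes both sides independently so you can see the "kernel=yes parser=no" mismatch the comment describes. It assumes the parser honours -Q (--skip-kernel-load) and -K (--skip-cache), reports an unknown name with an "Invalid capability" error, and that the kernel's list is exposed in securityfs at features/caps/mask as space-separated names; the variable and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the AppArmor project): check
# whether the *kernel* advertises a capability and, separately, whether the
# installed apparmor_parser *accepts* it.
#
# Assumptions: apparmor_parser supports -Q (--skip-kernel-load) and -K
# (--skip-cache), rejects unknown names with "Invalid capability", and the
# kernel list lives at features/caps/mask under securityfs as names
# separated by whitespace. Variable and function names are this example's own.

APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"
CAPS_MASK_FILE="${CAPS_MASK_FILE:-/sys/kernel/security/apparmor/features/caps/mask}"

# kernel_supports_cap NAME [MASK_TEXT]
#   0 = NAME is in the kernel's caps mask, 1 = it is not,
#   2 = mask unavailable (AppArmor not enabled or securityfs not mounted).
#   MASK_TEXT lets a caller supply the list directly instead of reading the file.
kernel_supports_cap() {
    cap=$1
    if [ $# -ge 2 ]; then
        mask=$2
    elif [ -r "$CAPS_MASK_FILE" ]; then
        mask=$(cat "$CAPS_MASK_FILE")
    else
        return 2
    fi
    for word in $mask; do      # intentionally unquoted: split on whitespace
        [ "$word" = "$cap" ] && return 0
    done
    return 1
}

# parser_supports_cap NAME
#   Compiles a throwaway profile containing "capability NAME," without loading
#   it into the kernel, so no root is needed.
#   0 = parser accepts the name, 1 = parser rejects it as an invalid capability,
#   2 = parser missing, or it failed for some other reason (inspect manually).
parser_supports_cap() {
    cap=$1
    command -v "$APPARMOR_PARSER" >/dev/null 2>&1 || return 2
    profile=$(mktemp) || return 2
    errlog=$(mktemp) || { rm -f "$profile"; return 2; }
    printf 'profile probe_%s flags=(complain) {\n  capability %s,\n}\n' \
        "$cap" "$cap" > "$profile"
    if "$APPARMOR_PARSER" -Q -K "$profile" >/dev/null 2>"$errlog"; then
        rc=0
    elif grep -q 'Invalid capability' "$errlog"; then
        rc=1
    else
        rc=2
    fi
    rm -f "$profile" "$errlog"
    return $rc
}

# cap_status NAME
#   Prints a summary line such as "kernel=yes parser=no", which is exactly the
#   mismatch in this bug: the kernel advertises bpf, but a 2.13.3 parser built
#   against older headers cannot compile a profile that uses it.
cap_status() {
    cap=$1
    k=yes; kernel_supports_cap "$cap" || { [ $? -eq 1 ] && k=no || k=unknown; }
    p=yes; parser_supports_cap "$cap" || { [ $? -eq 1 ] && p=no || p=unknown; }
    printf 'kernel=%s parser=%s\n' "$k" "$p"
}

# Usage: sh capcheck.sh bpf perfmon
if [ -n "$1" ]; then
    for c in "$@"; do
        printf '%s: ' "$c"
        cap_status "$c"
    done
fi
```

Run it on the affected host with `bpf` and `perfmon` as arguments; a result of `kernel=yes parser=no` confirms that the parser, not the kernel, is the stale component, which is the case the backported commits listed above address. A `parser=unknown` result means the parser failed for a reason other than the capability name, so read its stderr before drawing a conclusion.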