Comments (28)
I'm not sure what is special about this VM; we're hitting a security policy, perhaps?
What is the output of $ sudo journalctl |grep audit at the time of the failure?
from sec-cvescan.
For me it works fine in xenial VMs but I am able to reproduce the problem in trusty and here is the output:
Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.662:32): apparmor="DENIED" operation="create" profile="snap.cvescan.cvescan" pid=1800 comm="curl" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.662:33): apparmor="DENIED" operation="open" profile="snap.cvescan.cvescan" name="/etc/host.conf" pid=1801 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.662:34): apparmor="DENIED" operation="open" profile="snap.cvescan.cvescan" name="/run/resolvconf/resolv.conf" pid=1801 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.666:35): apparmor="DENIED" operation="open" profile="snap.cvescan.cvescan" name="/etc/hosts" pid=1801 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.666:36): apparmor="DENIED" operation="create" profile="snap.cvescan.cvescan" pid=1801 comm="curl" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
These are all included when plugging 'network', which is auto-connected. What is the output of:
$ snap connections cvescan
Interface Plug Slot Notes
home cvescan:home - -
network cvescan:network - -
system-files cvescan:apt-dpkg-db - -
@markmorlino - in your case the network interface is not connected. Please use sudo snap connect cvescan:network.
That said, what is the output of snap version?
$ sudo snap connect cvescan:network
error: cannot resolve connection, slot snap name is empty
$ sudo snap connect cvescan:home
error: cannot resolve connection, slot snap name is empty
$ sudo snap connect cvescan:apt-dpkg-db
error: cannot resolve connection, slot snap name is empty
$ snap version
snap 2.38~14.04
snapd 2.38~14.04
series 16
ubuntu 14.04
kernel 4.4.0-174-generic
@markmorlino - your snapd is too old. What happens if you do:
$ sudo snap refresh
$ snap version
$ sudo snap refresh
All snaps up to date.
snap version output is the same
@markmorlino - that seems odd. This seems like something for the snapd team. Perhaps @mvo5 or @anonymouse64 can comment?
@markmorlino - what is the output of cat /proc/version_signature?
$ cat /proc/version_signature
Ubuntu 4.4.0-174.204~14.04.1-generic 4.4.211
Oh, maybe you don't have the core snap installed. What is the output of snap list?
$ snap list
Name Version Rev Tracking Publisher Notes
core18 20200124 1668 stable canonical✓ base
cvescan 1.0.1 6 stable markmorlino -
Right, so, locally, I installed snapd, then rebooted into the new kernel and snap list showed no snaps. If I 'snap install cvescan', that pulls down the core18 snap since cvescan uses 'base: core18', but it doesn't pull down the 'core' snap. The snapd in trusty (2.38~14.04) only knows about re-execing into the 'core' snap, not 'core18'. So I did:
$ sudo snap install core
$ sudo snap install cvescan
$ snap connections cvescan
Interface Plug Slot Notes
home cvescan:home :home -
network cvescan:network :network -
system-files cvescan:apt-dpkg-db :system-files -
and everything worked. I think all you need to do is:
$ sudo snap remove cvescan
$ sudo snap install core
$ sudo snap install cvescan
and you'll find that the 3 interfaces auto-connect (from the state you are currently in, you probably have to manually connect them if you just install core, which is why I suggested first removing cvescan).
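A small diagnostic that works through the evidence the thread collects above (the AppArmor DENIED audit records, the snap connections table with empty Slot columns, and a snap list that lacks a 'core' snap). This is an added example, not code from cvescan or snapd, and it runs on constructed copies of those outputs; parsing is generic over any snap profile and plug set, not just cvescan.

```python
import re

# Constructed samples, copied in shape from the thread's journalctl / snap output.
AUDIT_LINES = """\
Feb 19 14:41:49 host kernel: audit: type=1400 audit(1582141309.662:32): apparmor="DENIED" operation="create" profile="snap.cvescan.cvescan" pid=1800 comm="curl" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Feb 19 14:41:49 host kernel: audit: type=1400 audit(1582141309.662:33): apparmor="DENIED" operation="open" profile="snap.cvescan.cvescan" name="/etc/host.conf" pid=1801 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""
CONNECTIONS = """\
Interface Plug Slot Notes
home cvescan:home - -
network cvescan:network - -
system-files cvescan:apt-dpkg-db - -
"""
SNAP_LIST_TRUSTY = """\
Name Version Rev Tracking Publisher Notes
core18 20200124 1668 stable canonical base
cvescan 1.0.1 6 stable markmorlino -
"""

# key="quoted value" or key=bare-value, as written by the AppArmor audit subsystem
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None for other lines."""
    if 'apparmor=' not in line:
        return None
    return {k: q if q != '' or not b else b for k, q, b in KV.findall(line)}

def denials(log_text):
    """Map each profile to its DENIED (operation, target) pairs; target is a path or socket family."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') != 'DENIED':
            continue
        target = rec.get('name') or rec.get('family', '?')
        out.setdefault(rec.get('profile', '?'), []).append((rec['operation'], target))
    return out

def disconnected_plugs(table):
    """From 'snap connections <snap>' output, return (interface, plug) rows whose Slot is '-'."""
    rows = [l.split() for l in table.splitlines()[1:] if l.strip()]
    return [(iface, plug) for iface, plug, slot, *_ in rows if slot == '-']

def reexec_snap_missing(snap_list):
    """True when neither 'core' nor 'snapd' is installed, so an old deb snapd cannot re-exec."""
    names = {l.split()[0] for l in snap_list.splitlines()[1:] if l.strip()}
    return not ({'core', 'snapd'} & names)

if __name__ == '__main__':
    for profile, ops in denials(AUDIT_LINES).items():
        print(profile, ops)
    print('disconnected:', disconnected_plugs(CONNECTIONS))
    print('core/snapd missing:', reexec_snap_missing(SNAP_LIST_TRUSTY))
```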
💯 👍 that seems to make it work @jdstrand thanks!
Do you think @kiko-canonical was having the same issue under xenial (the behavior seemed the same)?
Do you still think this is something for the snapd team? It seems like core should get installed automatically if it needs to be there.
Could be if cvescan was the only snap that was downloaded. On a fresh install:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
$ snap list
No snaps are installed yet. Try 'snap install hello-world'.
I know @mvo5 and the snapd team are aware of the issue, and I thought that they might've fixed it, but it could be that the trusty snapd deb needs an update to know to pull down core. @mvo5 - the issue in a nutshell is that trusty and xenial don't rexec since there is no core snap installed, and snap install cvescan only pulls in core18, but this snap needs things from newer snapds to work. Is it possible to adjust trusty/xenial to pull down core in these situations?
@markmorlino - a totally not great workaround would be to use 'base: core' in cvescan.
@jdstrand yes I agree I think we need a new snapd deb in xenial and trusty because AFAIK we fixed this bug in newer snapd versions, but since the deb package is too old it doesn't have the fix.
Actually, xenial's deb is smart enough to pull down the 'snapd' snap and reexec into it:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
$ snap list
No snaps are installed yet. Try 'snap install hello-world'.
$ sudo snap install cvescan
$ sudo snap list
Name Version Rev Tracking Publisher Notes
core18 20200124 1668 stable canonical✓ base
cvescan 1.0.1 6 stable markmorlino -
snapd 2.43.3 6434 stable canonical✓ snapd
$ snap version
snap 2.43.3
snapd 2.43.3
series 16
ubuntu 16.04
kernel 4.4.0-173-generic
$ snap connections cvescan
Interface Plug Slot Notes
home cvescan:home :home -
network cvescan:network :network -
system-files cvescan:apt-dpkg-db :system-files -
That said, my vm has xenial-updates. @kiko-canonical - what is the output of apt-cache policy snapd? The one that is in xenial-security is 2.37.4ubuntu0.1 (ie, older than trusty). If that machine only has xenial-security and not xenial-updates, we would need to do a no change rebuild and push through xenial-security.
If that machine only has xenial-security and not xenial-updates, we would need to do a no change rebuild and push through xenial-security.
This is also theoretically true for trusty. I say theoretically because I'm not sure that newer snapd's will build on trusty at this point. We would have to weigh the cost of putting a whole new snapd in ESM (and supporting toolchain) against cherrypicking the new behavior.
@kiko-canonical - thanks for the info. One more question, what is the output of apt-cache policy snapd?
Thanks for this bugreport and update. It looks like the VM is not having the updated snapd installed, only the older version from security. I wonder if we can refresh the cloud image to have a newer snapd by default? About trusty, we still build/test snapd on trusty, I can ensure we do another upload so that the latest fixes for this get in (we do not SRU to trusty anymore by default as it's EOL but we still keep it working and make exceptions for SRUs).
Fwiw, I see snapfuse consume cpu after "maas init" has finished, looking further it looks like there are a ton of "supervisorctl status" and "supervisorctl restart" commands in ps. When I count them I see >200 supervisorctl restart commands for various services like syslog, ntp, proxy. The number also seems to be growing, i.e. it's 240 now (so grew by 40 in the time I needed to write these sentences).
Just to ensure things are fine on 14.04 as well I did a new SRU of snapd on trusty with 2.43.3. This will install the snapd snap automatically so everyone will get the benefit of re-exec and auto-refreshes of the snapd snap. This should fix the manual steps that @markmorlino had to do.