
Comments (28)

jdstrand commented on May 23, 2024

I'm not sure what is special about this VM; we're hitting a security policy, perhaps?

What is the output of $ sudo journalctl |grep audit at the time of the failure?

from sec-cvescan.

markmorlino commented on May 23, 2024

For me it works fine in xenial VMs but I am able to reproduce the problem in trusty and here is the output:

Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.662:32): apparmor="DENIED" operation="create" profile="snap.cvescan.cvescan" pid=1800 comm="curl" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.662:33): apparmor="DENIED" operation="open" profile="snap.cvescan.cvescan" name="/etc/host.conf" pid=1801 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.662:34): apparmor="DENIED" operation="open" profile="snap.cvescan.cvescan" name="/run/resolvconf/resolv.conf" pid=1801 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.666:35): apparmor="DENIED" operation="open" profile="snap.cvescan.cvescan" name="/etc/hosts" pid=1801 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 19 14:41:49 sec-trusty-amd64 kernel: audit: type=1400 audit(1582141309.666:36): apparmor="DENIED" operation="create" profile="snap.cvescan.cvescan" pid=1801 comm="curl" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"

jdstrand commented on May 23, 2024

These are all included when plugging 'network', which is auto-connected. What is the output of:

$ snap connections cvescan

markmorlino commented on May 23, 2024

Interface     Plug                 Slot  Notes
home          cvescan:home         -     -
network       cvescan:network      -     -
system-files  cvescan:apt-dpkg-db  -     -

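The AppArmor denials quoted earlier and the plug table in this reply can be correlated automatically. The following is an added example, not code from the cvescan project or from anyone in the thread: it parses journal audit lines and 'snap connections' output (both sample texts are constructed, modelled on the ones quoted) and reports each denial whose granting interface is not connected, using the thread's point that the 'network' interface also covers the resolver files.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the journal lines quoted in the thread (not the real log).
AUDIT_LINES = """\
Feb 19 14:41:49 host kernel: audit: type=1400 audit(1582141309.662:32): apparmor="DENIED" operation="create" profile="snap.cvescan.cvescan" pid=1800 comm="curl" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
Feb 19 14:41:49 host kernel: audit: type=1400 audit(1582141309.662:33): apparmor="DENIED" operation="open" profile="snap.cvescan.cvescan" name="/etc/host.conf" pid=1801 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 19 14:41:50 host kernel: audit: type=1400 audit(1582141310.001:37): apparmor="ALLOWED" operation="open" profile="snap.cvescan.cvescan" name="/etc/hosts" pid=1801 comm="curl" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""
# Constructed `snap connections cvescan` output; a Slot of "-" means the plug is not connected.
CONNECTIONS = """\
Interface     Plug                 Slot  Notes
home          cvescan:home         -     -
network       cvescan:network      -     -
system-files  cvescan:apt-dpkg-db  -     -
"""
# Resolver files that, per the thread, are granted by the network interface.
RESOLVER_FILES = {"/etc/hosts", "/etc/host.conf", "/run/resolvconf/resolv.conf"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """One dict of audit key=value fields per apparmor="DENIED" line; other lines are skipped."""
    recs = [{k: q or raw for k, q, raw in KV_RE.findall(line)} for line in text.splitlines()]
    return [r for r in recs if r.get("apparmor") == "DENIED"]

def unconnected_plugs(text):
    """Set of (snap, interface) pairs whose plug shows no slot in `snap connections` output."""
    rows = (line.split() for line in text.splitlines()[1:])
    return {(c[1].split(":")[0], c[0]) for c in rows if len(c) >= 3 and c[2] == "-"}

def likely_interface(rec):
    """Guess which interface would have granted the denied access (network and home only)."""
    if "family" in rec or rec.get("name") in RESOLVER_FILES:
        return "network"
    if rec.get("name", "").startswith("/home/"):
        return "home"
    return None

def diagnose(audit_text, connections_text):
    """Group denials by (snap, interface) and mark those whose plug is not connected."""
    missing = unconnected_plugs(connections_text)
    report = defaultdict(list)
    for rec in parse_denials(audit_text):
        parts = rec.get("profile", "").split(".")  # snap profiles are named snap.<snap>.<app>
        iface = likely_interface(rec)
        if len(parts) < 3 or parts[0] != "snap" or iface is None:
            continue
        status = "UNCONNECTED" if (parts[1], iface) in missing else "connected"
        report[(parts[1], iface, status)].append(rec.get("name") or rec.get("family"))
    return dict(report)
```

Feeding it the real output of 'sudo journalctl | grep audit' and 'snap connections <snap>' on the affected VM gives the same verdict jdstrand reached by hand.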

jdstrand commented on May 23, 2024

@markmorlino - in your case the network interface is not connected. Please use sudo snap connect cvescan:network.

That said, what is the output of snap version.

markmorlino commented on May 23, 2024

$ sudo snap connect cvescan:network
error: cannot resolve connection, slot snap name is empty

$ sudo snap connect cvescan:home
error: cannot resolve connection, slot snap name is empty

$ sudo snap connect cvescan:apt-dpkg-db
error: cannot resolve connection, slot snap name is empty

$ snap version
snap    2.38~14.04
snapd   2.38~14.04
series  16
ubuntu  14.04
kernel  4.4.0-174-generic

jdstrand commented on May 23, 2024

@markmorlino - your snapd is too old. What happens if you do:

$ sudo snap refresh
$ snap version

markmorlino commented on May 23, 2024

$ sudo snap refresh
All snaps up to date.

snap version output is the same

jdstrand commented on May 23, 2024

@markmorlino - that seems odd. This seems like something for the snapd team. Perhaps @mvo5 or @anonymouse64 can comment?

jdstrand commented on May 23, 2024

@markmorlino - what is the output of cat /proc/version_signature?

markmorlino commented on May 23, 2024

$ cat /proc/version_signature 
Ubuntu 4.4.0-174.204~14.04.1-generic 4.4.211

jdstrand commented on May 23, 2024

Oh, maybe you don't have the core snap installed. What is the output of snap list?

markmorlino commented on May 23, 2024

$ snap list
Name     Version   Rev   Tracking  Publisher    Notes
core18   20200124  1668  stable    canonical✓   base
cvescan  1.0.1     6     stable    markmorlino  -

jdstrand commented on May 23, 2024

Right, so, locally, I installed snapd, then rebooted into the new kernel and snap list showed no snaps. If I 'snap install cvescan', that pulls down the core18 snap since cvescan uses 'base: core18', but it doesn't pull down the 'core' snap. The snapd in trusty (2.38~14.04) only knows about re-execing into the 'core' snap, not 'core18'. So I did:

$ sudo snap install core
$ sudo snap install cvescan
$ snap connections cvescan
Interface     Plug                 Slot           Notes
home          cvescan:home         :home          -
network       cvescan:network      :network       -
system-files  cvescan:apt-dpkg-db  :system-files  -

and everything worked. I think all you need to do is:

$ sudo snap remove cvescan
$ sudo snap install core
$ sudo snap install cvescan

and you'll find that the 3 interfaces auto-connect (from the state you are currently in, you probably have to manually connect them if you just install core, which is why I suggested first removing cvescan).

markmorlino commented on May 23, 2024

💯 👍 that seems to make it work @jdstrand thanks!

Do you think @kiko-canonical was having the same issue under xenial (the behavior seemed the same)?

Do you still think this is something for the snapd team? It seems like core should get installed automatically if it needs to be there.

jdstrand commented on May 23, 2024

Could be if cvescan was the only snap that was downloaded. On a fresh install:

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.6 LTS
Release:	16.04
Codename:	xenial
$ snap list
No snaps are installed yet. Try 'snap install hello-world'.

I know @mvo5 and the snapd team are aware of the issue, and I thought that they might've fixed it, but it could be that the trusty snapd deb needs an update to know to pull down core. @mvo5 - the issue in a nutshell is that trusty and xenial don't re-exec since there is no core snap installed, and snap install cvescan only pulls in core18, but this snap needs things from newer snapds to work. Is it possible to adjust trusty/xenial to pull down core in these situations?

jdstrand commented on May 23, 2024

@markmorlino - a totally not great workaround would be to use 'base: core' in cvescan.

anonymouse64 commented on May 23, 2024

@jdstrand yes I agree I think we need a new snapd deb in xenial and trusty because AFAIK we fixed this bug in newer snapd versions, but since the deb package is too old it doesn't have the fix.

jdstrand commented on May 23, 2024

Actually, xenial's deb is smart enough to pull down the 'snapd' snap and reexec into it:

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.6 LTS
Release:	16.04
Codename:	xenial
$ snap list
No snaps are installed yet. Try 'snap install hello-world'.
$ sudo snap install cvescan
$ sudo snap list
Name     Version   Rev   Tracking  Publisher    Notes
core18   20200124  1668  stable    canonical✓   base
cvescan  1.0.1     6     stable    markmorlino  -
snapd    2.43.3    6434  stable    canonical✓   snapd
$ snap version
snap    2.43.3
snapd   2.43.3
series  16
ubuntu  16.04
kernel  4.4.0-173-generic
$ snap connections cvescan
Interface     Plug                 Slot           Notes
home          cvescan:home         :home          -
network       cvescan:network      :network       -
system-files  cvescan:apt-dpkg-db  :system-files  -

That said, my VM has xenial-updates. @kiko-canonical - what is the output of apt-cache policy snapd? The one that is in xenial-security is 2.37.4ubuntu0.1 (i.e., older than trusty). If that machine only has xenial-security and not xenial-updates, we would need to do a no-change rebuild and push through xenial-security.

jdstrand commented on May 23, 2024

If that machine only has xenial-security and not xenial-updates, we would need to do a no change rebuild and push through xenial-security.

This is also theoretically true for trusty. I say theoretically because I'm not sure that newer snapds will build on trusty at this point. We would have to weigh the cost of putting a whole new snapd in ESM (and supporting toolchain) against cherry-picking the new behavior.

kiko-canonical commented on May 23, 2024

kiko-canonical commented on May 23, 2024

jdstrand commented on May 23, 2024

@kiko-canonical - thanks for the info. One more question, what is the output of apt-cache policy snapd?

kiko-canonical commented on May 23, 2024

mvo5 commented on May 23, 2024

Thanks for this bug report and update. It looks like the VM does not have the updated snapd installed, only the older version from security. I wonder if we can refresh the cloud image to have a newer snapd by default? About trusty, we still build/test snapd on trusty, I can ensure we do another upload so that the latest fixes for this get in (we do not SRU to trusty anymore by default as it's EOL but we still keep it working and make exceptions for SRUs).

mvo5 commented on May 23, 2024

Fwiw, I see snapfuse consume CPU after "maas init" has finished; looking further it looks like there are a ton of "supervisorctl status" and "supervisorctl restart" commands in ps. When I count them I see >200 supervisorctl restart commands for various services like syslog, ntp, proxy. The number also seems to be growing, i.e. it's 240 now (so grew by 40 in the time I needed to write these sentences).

mvo5 commented on May 23, 2024

Just to ensure things are fine on 14.04 as well I did a new SRU of snapd on trusty with 2.43.3. This will install the snapd snap automatically so everyone will get the benefit of re-exec and auto-refreshes of the snapd snap. This should fix the manual steps that @markmorlino had to do.

kiko-canonical commented on May 23, 2024
