network namespaces
Luca Dionisi
luca.dionisi at gmail.com
Tue Feb 21 11:39:16 UTC 2017
Are network namespaces supported in snaps?
On my Raspberry Pi 3 I have a snap which has been installed with --devmode.
Inside the snap I have exposed the command 'bash'. I exec that bash as
root. Then I try to create a network namespace. It fails.
$ sudo myapp.bash
# ip netns add ns0
open("/proc/self/ns/net"): Permission denied
#
Trying to debug this issue, 'dmesg' reports:
[ 202.210399] audit_printk_skb: 9 callbacks suppressed
[ 202.210424] audit: type=1400 audit(1487674887.359:141):
apparmor="ALLOWED" operation="exec" profile="snap.myapp.bash"
name="/bin/ip" pid=1440 comm="bash" requested_mask="x" denied_mask="x"
fsuid=0 ouid=0 target="snap.myapp.bash//null-/bin/ip"
[ 202.213971] audit: type=1400 audit(1487674887.363:142):
apparmor="ALLOWED" operation="open"
profile="snap.myapp.bash//null-/bin/ip" name="/etc/ld.so.cache"
pid=1440 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 202.214143] audit: type=1400 audit(1487674887.363:143):
apparmor="ALLOWED" operation="open"
profile="snap.myapp.bash//null-/bin/ip"
name="/lib/arm-linux-gnueabihf/libdl-2.23.so" pid=1440 comm="ip"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 202.214578] audit: type=1400 audit(1487674887.363:144):
apparmor="ALLOWED" operation="open"
profile="snap.myapp.bash//null-/bin/ip"
name="/lib/arm-linux-gnueabihf/libc-2.23.so" pid=1440 comm="ip"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 202.215355] audit: type=1400 audit(1487674887.363:145):
apparmor="ALLOWED" operation="file_mprotect"
profile="snap.myapp.bash//null-/bin/ip" name="/bin/ip" pid=1440
comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 202.215462] audit: type=1400 audit(1487674887.363:146):
apparmor="ALLOWED" operation="file_mprotect"
profile="snap.myapp.bash//null-/bin/ip"
name="/lib/arm-linux-gnueabihf/ld-2.23.so" pid=1440 comm="ip"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 202.215924] audit: type=1400 audit(1487674887.367:147):
apparmor="ALLOWED" operation="create"
profile="snap.myapp.bash//null-/bin/ip" pid=1440 comm="ip"
family="netlink" sock_type="raw" protocol=0 requested_mask="create"
denied_mask="create"
[ 202.216035] audit: type=1400 audit(1487674887.367:148):
apparmor="ALLOWED" operation="setsockopt"
profile="snap.myapp.bash//null-/bin/ip" pid=1440 comm="ip"
family="netlink" sock_type="raw" protocol=0 requested_mask="setopt"
denied_mask="setopt"
[ 202.216087] audit: type=1400 audit(1487674887.367:149):
apparmor="ALLOWED" operation="setsockopt"
profile="snap.myapp.bash//null-/bin/ip" pid=1440 comm="ip"
family="netlink" sock_type="raw" protocol=0 requested_mask="setopt"
denied_mask="setopt"
[ 202.216145] audit: type=1400 audit(1487674887.367:150):
apparmor="ALLOWED" operation="bind"
profile="snap.myapp.bash//null-/bin/ip" pid=1440 comm="ip"
family="netlink" sock_type="raw" protocol=0 requested_mask="bind"
denied_mask="bind"
And 'snappy-debug.security scanlog' reports:
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="exec" profile="snap.myapp.bash"
name="/bin/ip" pid=1572 comm="bash" requested_mask="x" denied_mask="x"
fsuid=0 ouid=0 target="snap.myapp.bash//null-/bin/ip"
File: /bin/ip (exec)
Suggestions:
* adjust snap to ship 'ip'
* adjust program to use relative paths if the snap already ships 'ip'
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="open"
profile="snap.myapp.bash//null-/bin/ip" name="/etc/ld.so.cache"
pid=1572 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /etc/ld.so.cache (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA,
$SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="open"
profile="snap.myapp.bash//null-/bin/ip"
name="/lib/arm-linux-gnueabihf/libdl-2.23.so" pid=1572 comm="ip"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /lib/arm-linux-gnueabihf/libdl-2.23.so (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA,
$SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="open"
profile="snap.myapp.bash//null-/bin/ip"
name="/lib/arm-linux-gnueabihf/libc-2.23.so" pid=1572 comm="ip"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /lib/arm-linux-gnueabihf/libc-2.23.so (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA,
$SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="file_mprotect"
profile="snap.myapp.bash//null-/bin/ip" name="/bin/ip" pid=1572
comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /bin/ip (read)
Suggestions:
* adjust snap to ship 'ip'
* adjust program to use relative paths if the snap already ships 'ip'
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="file_mprotect"
profile="snap.myapp.bash//null-/bin/ip"
name="/lib/arm-linux-gnueabihf/ld-2.23.so" pid=1572 comm="ip"
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /lib/arm-linux-gnueabihf/ld-2.23.so (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA,
$SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="create"
profile="snap.myapp.bash//null-/bin/ip" pid=1572 comm="ip"
family="netlink" sock_type="raw" protocol=0 requested_mask="create"
denied_mask="create"
Suggestion:
* add one of 'account-control, network-control' to 'plugs'
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="setsockopt"
profile="snap.myapp.bash//null-/bin/ip" pid=1572 comm="ip"
family="netlink" sock_type="raw" protocol=0 requested_mask="setopt"
denied_mask="setopt"
Suggestion:
* add one of 'account-control, network-control' to 'plugs'
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="setsockopt"
profile="snap.myapp.bash//null-/bin/ip" pid=1572 comm="ip"
family="netlink" sock_type="raw" protocol=0 requested_mask="setopt"
denied_mask="setopt"
Suggestion:
* add one of 'account-control, network-control' to 'plugs'
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="bind"
profile="snap.myapp.bash//null-/bin/ip" pid=1572 comm="ip"
family="netlink" sock_type="raw" protocol=0 requested_mask="bind"
denied_mask="bind"
Suggestion:
* add one of 'account-control, network-control' to 'plugs'
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="getsockname"
profile="snap.myapp.bash//null-/bin/ip" pid=1572 comm="ip"
family="netlink" sock_type="raw" protocol=0 requested_mask="getattr"
denied_mask="getattr"
Suggestion:
* add one of 'account-control, network-control' to 'plugs'
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="open" info="Failed name lookup -
disconnected path" error=-13 profile="snap.myapp.bash//null-/bin/ip"
name="" pid=1572 comm="ip" requested_mask="r" denied_mask="r" fsuid=0
ouid=0
= AppArmor =
Time: Feb 21 11:17:49
Log: apparmor="ALLOWED" operation="getattr" info="Failed name lookup -
disconnected path" error=-13 profile="snap.myapp.bash//null-/bin/ip"
name="dev/pts/0" pid=1572 comm="ip" requested_mask="r" denied_mask="r"
fsuid=0 ouid=1000
My environment (from snap list):
Name          Version       Rev   Developer   Notes
core          16.04.1       1083  canonical   -
pi2-kernel    4.4.0-1030-3  22    canonical   -
pi3           16.04-0.5     6     canonical   -
snappy-debug  0.29          27    canonical   -
Regards
--Luca
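Added example (not code from the post, from snapd or from snappy-debug): a small Python parser for the AppArmor audit records shown above, which turns each would-be denial into a suggestion of the kind snappy-debug prints. Because the snap was installed with --devmode, AppArmor runs its profile in complain mode: every operation the policy would block under strict confinement is logged as apparmor="ALLOWED" but still carries a denied_mask, and the profile name snap.myapp.bash//null-/bin/ip is the learning profile AppArmor attaches when snap.myapp.bash executes a binary it has no exec rule for. The sample records are the post's own dmesg lines with the mail client's line wrapping undone; the classification rules and the /snap and /var/snap prefixes used to recognise snap-owned paths are this example's own assumptions, not snappy-debug's implementation.

```python
"""Parse AppArmor audit records (type=1400) like the dmesg lines in the post
and turn each would-be denial into a suggestion in snappy-debug's style.

Added example, not code from the post, snapd or snappy-debug. The rules below
approximate snappy-debug's suggestions; the sample records are the post's
dmesg lines with the mail wrapping undone (a subset of them)."""
import os
import re
from typing import Dict, List, Optional, Tuple

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumption of this example: $SNAP lives under /snap/<name>/<rev> and
# $SNAP_DATA / $SNAP_COMMON under /var/snap/<name>/..., so reads below these
# prefixes are treated as reads of the snap's own files.
SNAP_PREFIXES = ("/snap/", "/var/snap/")

# Constructed from the post's dmesg output (wrapping undone, subset of records)
SAMPLE_LOG = """\
[  202.210399] audit_printk_skb: 9 callbacks suppressed
[  202.210424] audit: type=1400 audit(1487674887.359:141): apparmor="ALLOWED" operation="exec" profile="snap.myapp.bash" name="/bin/ip" pid=1440 comm="bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.myapp.bash//null-/bin/ip"
[  202.213971] audit: type=1400 audit(1487674887.363:142): apparmor="ALLOWED" operation="open" profile="snap.myapp.bash//null-/bin/ip" name="/etc/ld.so.cache" pid=1440 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  202.215924] audit: type=1400 audit(1487674887.367:147): apparmor="ALLOWED" operation="create" profile="snap.myapp.bash//null-/bin/ip" pid=1440 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[  202.216145] audit: type=1400 audit(1487674887.367:150): apparmor="ALLOWED" operation="bind" profile="snap.myapp.bash//null-/bin/ip" pid=1440 comm="ip" family="netlink" sock_type="raw" protocol=0 requested_mask="bind" denied_mask="bind"
"""


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AppArmor audit record, or None if the line is
    not one (e.g. the 'callbacks suppressed' notice)."""
    if "apparmor=" not in line:
        return None
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def would_be_denied(rec: Dict[str, str]) -> bool:
    """A record is a policy violation if it is a real denial (strict mode,
    apparmor="DENIED") or a complain-mode record (devmode, apparmor="ALLOWED")
    that still carries a denied_mask."""
    return rec.get("apparmor") == "DENIED" or bool(rec.get("denied_mask"))


def split_profile(profile: str) -> Tuple[str, Optional[str]]:
    """'snap.myapp.bash//null-/bin/ip' -> ('snap.myapp.bash', '/bin/ip').
    The //null- suffix names the learning profile AppArmor attaches in
    complain mode when a profile executes a binary it has no rule for."""
    app, sep, child = profile.partition("//null-")
    return app, (child if sep else None)


def classify(rec: Dict[str, str]) -> str:
    """Map one violating record to a suggestion in snappy-debug's style."""
    op = rec.get("operation", "")
    name = rec.get("name", "")
    if rec.get("family") == "netlink":
        return "netlink socket: add one of 'account-control, network-control' to 'plugs'"
    if "disconnected path" in rec.get("info", ""):
        return f"{op} of a disconnected path: file is outside the snap's mount namespace"
    if op == "exec":
        return f"exec of {name}: adjust snap to ship '{os.path.basename(name)}'"
    if op in ("open", "file_mprotect", "getattr") and not name.startswith(SNAP_PREFIXES):
        return (f"read of {name}: adjust program to read files from "
                "$SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON")
    return f"{op} on {name or '(no name)'}: no suggestion"


def summarize(log: str) -> Dict[str, List[str]]:
    """Collect distinct suggestions per snap app profile from a dmesg dump."""
    suggestions: Dict[str, List[str]] = {}
    for line in log.splitlines():
        rec = parse_audit_line(line)
        if rec is None or not would_be_denied(rec):
            continue
        app, _ = split_profile(rec.get("profile", "?"))
        msg = classify(rec)
        bucket = suggestions.setdefault(app, [])
        if msg not in bucket:  # create/bind on the same socket give one suggestion
            bucket.append(msg)
    return suggestions


if __name__ == "__main__":
    for app, msgs in summarize(SAMPLE_LOG).items():
        print(f"= {app} =")
        for msg in msgs:
            print("  *", msg)
```

Run it as a script and it prints one block for snap.myapp.bash with three suggestions (ship ip, read only from the snap directories, add network-control); feed it `dmesg` output from a strictly confined snap and the same records arrive as apparmor="DENIED", where would_be_denied still flags them.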