Guest53 | Hello. Since snapd v2.63 my journalctl is flooded by SECCOMP violations. I don't know how to avoid each syscall to kernel space adding an entry to journalctl. Any help would be appreciated. | 14:45 |
---|---|---|
amurray | Guest53: can you provide any more details? | 14:47 |
Guest53 | Sure! | 15:01 |
Guest53 | here's what snappy-debug returns: | 15:01 |
Guest53 | = Seccomp = | 15:02 |
Guest53 | Time: Jul 30 15:00:49 | 15:02 |
Guest53 | Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1310 comm="MapperNode" exe="myapp" sig=0 arch=c00000b7 64(write) compat=0 ip=0xffff8c4539bc code=0x7ffc0000 | 15:02 |
Guest53 | Syscall: write | 15:02 |
Guest53 | It looks like since version 2.63 of snapd, plugs and interfaces of each of myapp trigger a syscall that is caught by the kauditd daemon, whereas in the previous version it was not the case | 15:05 |
amurray | if this is related to snapd shouldn't myapp be named snap.myapp at least? | 15:07 |
Guest53 | I can't show the real path of myapp due to industrial property I can't share, but you are right, the path starts with /snap/path_to_my_app | 15:12 |
Guest53 | the app is mainly a ROS application | 15:13 |
amurray | ah righto - can you share what interfaces the snap is using? | 15:17 |
Guest53 | sorry, it took me some time to obfuscate: | 15:29 |
Guest53 | Interface Plug Slot Notes | 15:30 |
Guest53 | can-bus can-utils:can-bus :can-bus manual | 15:30 |
Guest53 | can-bus myapp-core:can-bus :can-bus manual | 15:30 |
Guest53 | content[configuration] myapp-XX:cfg myapp-core:cfg manual | 15:30 |
Guest53 | content[configuration] myapp-YY:cfg myapp-core:cfg manual | 15:30 |
Guest53 | content[statics] myapp-core:control-center myapp-control:control manual | 15:30 |
Guest53 | content[librairies] myapp-core:lib myapp-AC:lib manual | 15:30 |
Guest53 | content[librairies] myapp-core:lib myapp-AP:lib manual | 15:30 |
Guest53 | content[librairies] myapp-core:lib myapp-platform:lib manual | 15:30 |
Guest53 | content[librairies] myapp-core:lib myapp-RP:lib manual | 15:30 |
Guest53 | content[librairies] myapp-core:lib myapp-SI:lib manual | 15:30 |
Guest53 | content[librairies] myapp-core:lib myapp-SP:lib manual | 15:30 |
Guest53 | content[librairies] myapp-core:lib myapp-WS:lib manual | 15:30 |
Guest53 | content[statics] myapp-core:MC myapp-MH:myapp-MH manual | 15:30 |
Guest53 | content[packages] myapp-core:pkg myapp-AC:pkg manual | 15:30 |
Guest53 | content[packages] myapp-core:pkg myapp-AP:pkg manual | 15:30 |
Guest53 | content[packages] myapp-core:pkg myapp-PF:pkg manual | 15:30 |
Guest53 | content[packages] myapp-core:pkg myapp-RP:pkg manual | 15:30 |
Guest53 | network myapp-timesync:network :network - | 15:30 |
Guest53 | network-bind can-utils:network-bind :network-bind - | 15:30 |
Guest53 | network-bind myapp-core:network-bind :network-bind - | 15:30 |
Guest53 | network-bind myapp-PF:network-bind :network-bind - | 15:30 |
Guest53 | network-bind myapp-RP:network-bind :network-bind - | 15:30 |
Guest53 | network-bind myapp-SP:network-bind :network-bind - | 15:30 |
Guest53 | network-bind myapp-timesync:network-bind :network-bind - | 15:30 |
Guest53 | shutdown myapp-core:shutdown :shutdown manual | 15:30 |
Guest53 | snapd-control myapp-core:snapd-control :snapd-control manual | 15:30 |
Guest53 | system-files myapp-core:netplan-setup :system-files manual | 15:30 |
Guest53 | system-observe myapp-core:system-observe :system-observe manual | 15:30 |
Guest53 | system-observe snappy-debug:system-observe :system-observe - | 15:30 |
Guest53 | time-control myapp-core:time-control :time-control manual | 15:30 |
Guest53 | time-control myapp-timesync:time-control :time-control manual | 15:30 |
Guest53 | timeserver-control myapp-core:timeserver-control :timeserver-control manual | 15:30 |
Guest53 | timeserver-control myapp-timesync:timeserver-control :timeserver-control manual | 15:30 |
Guest53 | timezone-control myapp-core:timezone-control :timezone-control manual | 15:30 |
Guest53 | timezone-control myapp-timesync:timezone-control :timezone-control manual | 15:30 |
Guest53 | amurray: do you think I should connect all "faulty" snaps to system-files? | 15:47 |
amurray | oh wow that is a lot - so I am still a bit baffled by this - in general the base seccomp profile for snapd allows the write syscall - https://github.com/canonical/snapd/blob/master/interfaces/seccomp/template.go#L593 | 15:49 |
amurray | so this shouldn't be happening | 15:50 |
amurray | oh you're not here anymore... | 15:50 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!