OpenGATE / Gate

Official public repository of Gate
http://www.opengatecollaboration.org
GNU Lesser General Public License v3.0

Ubuntu 20.04 Snap Version of Gate Permission Issues #636

Closed jamboNum5 closed 10 months ago

jamboNum5 commented 10 months ago

Currently getting permission issues when loading gate on Ubuntu 20.04. These are lab machines that are connected to Active Directory via SSSD, which means the home directory is served from /home/domainName/username. When I run this with a local user that isn't from AD, gate seems to run.

This hasn't been a problem previously, until the last few weeks.

syslog seems to point to /snap/snapd/19993/usr/lib/snapd/snap-confine being the problem. Apparmor has started having issues with this file by the looks of it.

Aug 25 11:06:44 lnx-hostname-1 kernel: [  991.972275] audit: type=1400 audit(1692958004.143:764): apparmor="DENIED" operation="open" profile="/snap/snapd/19993/usr/lib/snapd/snap-confine" name="/home/domainName/aduser/" pid=4016 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1161348726 ouid=1161348726

I have a printout of what happens when the snap package is run.

aduser@lnx-hostname-1:~$ export SNAP_CONFINE_DEBUG=1
aduser@lnx-hostname-1:~$ gate
DEBUG: -- snap startup {"stage":"snap-confine enter", "time":"1692958708.081921"}
DEBUG: umask reset, old umask was  022
DEBUG: security tag: snap.gate.gate
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core22
DEBUG: ruid: 1161348726, euid: 0, suid: 0
DEBUG: rgid: 227200513, egid: 227200513, sgid: 227200513
DEBUG: apparmor label on snap-confine is: /snap/snapd/19993/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: -- snap startup {"stage":"snap-confine mount namespace start", "time":"1692958708.082310"}
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:227200513 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:227200513 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:227200513 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:227200513 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/gate.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:227200513 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope gate, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: gate
DEBUG: setting up device cgroup
DEBUG: cannot find current tags symbol: /lib/x86_64-linux-gnu/libudev.so.1: undefined symbol: udev_device_has_current_tag
DEBUG: no current tags support present
DEBUG: inspecting type of device: /dev/dri/card1
DEBUG: inspecting type of device: /dev/dri/renderD129
DEBUG: inspecting type of device: /dev/dri/card0
DEBUG: cannot get major/minor numbers for syspath /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-DP-1
DEBUG: cannot get major/minor numbers for syspath /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-1
DEBUG: cannot get major/minor numbers for syspath /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-HDMI-A-2
DEBUG: inspecting type of device: /dev/dri/renderD128
DEBUG: inspecting type of device: /dev/dma_heap/system
DEBUG: associated snap application process 4292 with device cgroup snap.gate.gate
DEBUG: forked support process 4313
DEBUG: changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: block device of snap core22, revision 858 is 7:14
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: joining preserved mount namespace for inspection
DEBUG: found base snap device 7:14 on /usr
DEBUG: sanity timeout reset and disabled
DEBUG: preserved mount is not stale, reusing
DEBUG: joined preserved mount namespace gate
DEBUG: joining preserved per-user mount namespace
DEBUG: unsharing the mount namespace (per-user)
DEBUG: sc_setup_user_mounts: gate
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: calling snapd tool snap-update-ns
DEBUG: waiting for snapd tool snap-update-ns to terminate
DEBUG: requesting changing of apparmor profile on next exec to snap-update-ns.gate
logger.go:92: DEBUG: current mount entries
logger.go:92: DEBUG: desired mount entries (sorted)
logger.go:92: DEBUG: - /run/user/1161348726/doc/by-app/snap.gate /run/user/1161348726/doc none bind,rw,x-snapd.ignore-missing 0 0
logger.go:92: DEBUG: desiredIDs: map[/run/user/1161348726/doc:true]
logger.go:92: DEBUG: reuse: map[]
logger.go:92: DEBUG: processing mount entries
logger.go:92: DEBUG: adding independent entry: /run/user/1161348726/doc/by-app/snap.gate /run/user/1161348726/doc none bind,rw,x-snapd.ignore-missing 0 0
logger.go:92: DEBUG: all mimics:
logger.go:92: DEBUG: mount entries ordered as they will be applied
logger.go:92: DEBUG: - /run/user/1161348726/doc/by-app/snap.gate /run/user/1161348726/doc none bind,rw,x-snapd.ignore-missing 0 0
logger.go:92: DEBUG: mount name:"/run/user/1161348726/doc/by-app/snap.gate" dir:"/run/user/1161348726/doc" type:"none" opts:MS_BIND unparsed:"" (error: <nil>)
DEBUG: snap-update-ns finished successfully
DEBUG: set_effective_identity uid:0 (change: no), gid:227200513 (change: yes)
DEBUG: NOT preserving per-user mount namespace
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:227200513 (change: yes)
DEBUG: moved process 4292 to cgroup hierarchy /sys/fs/cgroup/freezer/snap.gate
DEBUG: releasing lock 7
DEBUG: sending command 0 to helper process (pid: 4313)
DEBUG: waiting for response from helper
DEBUG: sanity timeout reset and disabled
DEBUG: helper process received command 0
DEBUG: helper process exiting
DEBUG: waiting for the helper process to exit
DEBUG: helper process exited normally
DEBUG: resetting PATH to values in sync with core snap
DEBUG: -- snap startup {"stage":"snap-confine mount namespace finish", "time":"1692958708.088930"}
DEBUG: set_effective_identity uid:1161348726 (change: yes), gid:227200513 (change: yes)
DEBUG: creating user data directory: /home/domainName/ADuser/snap/gate/42
cannot create user data directory: /home/domainName/ADuser/snap/gate/42: Permission denied

Any help with this would be great, thanks in advance!
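A defender-side check for the kind of AppArmor denial quoted in this issue, added here as an example (it is not code from the issue, from Gate or from snapd): it parses type=1400 apparmor audit lines out of syslog and flags snap-confine denials on home directories nested one level deeper than the /home/<user>/ layout. The sample log lines are constructed from the quoted entry, and the assumption that the default AppArmor @{HOMEDIRS} tunable is /home/ is mine.

```python
"""Flag AppArmor denials where snap-confine could not read a nested home dir."""
import re

# Constructed sample lines, modelled on the syslog entry quoted in the issue.
SAMPLE_SYSLOG = [
    'Aug 25 11:06:44 lnx-hostname-1 kernel: [  991.972275] audit: type=1400 '
    'audit(1692958004.143:764): apparmor="DENIED" operation="open" '
    'profile="/snap/snapd/19993/usr/lib/snapd/snap-confine" '
    'name="/home/domainName/aduser/" pid=4016 comm="snap-confine" '
    'requested_mask="r" denied_mask="r" fsuid=1161348726 ouid=1161348726',
    'Aug 25 11:06:50 lnx-hostname-1 kernel: [  997.000000] audit: type=1400 '
    'audit(1692958010.143:770): apparmor="DENIED" operation="open" '
    'profile="snap.gate.gate" name="/etc/shadow" pid=4100 comm="Gate" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Aug 25 11:06:51 lnx-hostname-1 sshd[1234]: Accepted publickey for aduser',
]

# key=value pairs: values are double-quoted (paths, labels) or bare (pids, uids).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: the default AppArmor tunable @{HOMEDIRS}=/home/ places every home
# directly under /home/<user>/; an SSSD/AD layout like /home/<domain>/<user>/
# is one level deeper and therefore outside what @{HOME} rules cover.
_NESTED_HOME_DIR = re.compile(r'^/home/[^/]+/[^/]+/$')


def parse_apparmor_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    return {k: q if q else b for k, q, b in _KV.findall(line)}


def is_nested_home_dir(path):
    """True for a directory two levels below /home/ (e.g. /home/<domain>/<user>/)."""
    return _NESTED_HOME_DIR.match(path) is not None


def snap_confine_home_denials(lines):
    """(name, fsuid, denied_mask) for snap-confine denials on nested home dirs."""
    hits = []
    for line in lines:
        ev = parse_apparmor_event(line)
        if ev is None or ev.get('apparmor') != 'DENIED':
            continue
        if ev.get('comm') == 'snap-confine' and is_nested_home_dir(ev.get('name', '')):
            hits.append((ev['name'], ev['fsuid'], ev['denied_mask']))
    return hits


if __name__ == '__main__':
    for name, uid, mask in snap_confine_home_denials(SAMPLE_SYSLOG):
        print(f'snap-confine denied {mask!r} on {name} (fsuid {uid}): nested home layout')
```

Run it against the output of `journalctl -k` or /var/log/syslog to separate this home-layout denial from ordinary per-snap confinement denials such as the second constructed line.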

jamboNum5 commented 10 months ago

Looks like a wider issue, setting to closed.

https://github.com/snapcore/snapd/pull/13118