canonical / charm-prometheus-libvirt-exporter

A charm that provides per-domain metrics related to CPU, memory, disk and network usage using libvirt exporter.

Libvirt AppArmor profile blocks ptrace call from snap #17

Closed. jneo8 closed this issue 9 months ago.

jneo8 commented 9 months ago

The exporter uses the libvirt interface. When it is connected, even though it is able to collect all the metrics correctly, the kernel keeps logging:

Dec 15 11:43:57 peppepetra-XPS-13 kernel: [179654.196285] audit: type=1400 audit(1639565037.354:20192): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=12766 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.prometheus-libvirt-exporter.daemon"
Dec 15 11:44:10 peppepetra-XPS-13 kernel: [179667.726772] audit: type=1400 audit(1639565050.886:20210): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=12766 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.prometheus-libvirt-exporter.daemon"
Dec 15 11:44:16 peppepetra-XPS-13 kernel: [179673.103116] audit: type=1400 audit(1639565056.262:20211): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=12766 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.prometheus-libvirt-exporter.daemon"

Imported from Launchpad using lp2gh.

jneo8 commented 9 months ago

(by peppepetra) Related bug https://bugs.launchpad.net/snapd/+bug/1954935

jneo8 commented 9 months ago

(by peppepetra) Given that the output doesn't change whether ptrace is denied or allowed, I propose to fix this with a charm hook that needs to:

  1. Update local/usr.sbin.libvirtd apparmor profile adding: deny ptrace (read) peer=snap.prometheus-libvirt-exporter.daemon,

  2. Reload libvirtd apparmor profile: apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd

Ref. https://wiki.debian.org/AppArmor/HowToUse#Edit_AppArmor_profiles
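The two steps above, written out as a POSIX shell hook. This is an added example for this issue, not code from the charm or the snap. It assumes (the issue does not say) that Ubuntu's usr.sbin.libvirtd profile includes local/usr.sbin.libvirtd, so a rule placed there is picked up by the reload and survives package upgrades, and that JUJU_HOOK_NAME is present in the environment when the script runs as a charm hook. It also goes one step beyond the proposal: the deny rule is derived from a copy of one of the audit lines quoted in the report rather than typed by hand, so the same function can be pointed at a fresh denial if the peer label ever changes.

```shell
#!/bin/sh
# Added example for this issue, not the charm's or the snap's own code.
# Implements the proposal above: add a "deny ptrace" rule to the local
# override of the libvirtd AppArmor profile, then reload the profile.
# Assumptions (not stated in the issue): the stock usr.sbin.libvirtd profile
# includes <local/usr.sbin.libvirtd>; Juju sets JUJU_HOOK_NAME inside hooks.
set -eu

PROFILE="${PROFILE:-/etc/apparmor.d/usr.sbin.libvirtd}"
LOCAL_OVERRIDE="${LOCAL_OVERRIDE:-/etc/apparmor.d/local/usr.sbin.libvirtd}"
PEER="snap.prometheus-libvirt-exporter.daemon"
RULE="deny ptrace (read) peer=$PEER,"

# Constructed copy of one denial from the report (timestamp prefix dropped),
# used to show the rule can be derived mechanically from the audit line.
SAMPLE_DENIAL='audit: type=1400 audit(1639565037.354:20192): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=12766 comm="libvirtd" requested_mask="read" denied_mask="read" peer="snap.prometheus-libvirt-exporter.daemon"'

# audit_field LINE KEY: print the value of KEY="..." from an AppArmor audit line.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# rule_from_denial LINE: build the deny rule that silences a ptrace denial
# such as the ones in the report. Only ptrace denials map this directly onto
# a peer= rule, so anything else is refused instead of guessed.
rule_from_denial() {
    op=$(audit_field "$1" operation)
    mask=$(audit_field "$1" requested_mask)
    peer=$(audit_field "$1" peer)
    if [ "$op" != ptrace ]; then
        echo "unsupported operation: '$op'" >&2
        return 1
    fi
    [ -n "$mask" ] && [ -n "$peer" ] || return 1
    printf 'deny %s (%s) peer=%s,\n' "$op" "$mask" "$peer"
}

# add_rule FILE RULE: append RULE to FILE unless that exact line is present.
# Echoes "added" or "present" so the caller knows whether a reload is needed.
add_rule() {
    file="$1"; rule="$2"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if grep -qxF -- "$rule" "$file"; then
        echo present
    else
        printf '%s\n' "$rule" >> "$file"
        echo added
    fi
}

# reload_profile PROFILE: step 2 of the proposal, apparmor_parser -r on the
# main profile (which pulls in the local override). Skipped where the tool
# is absent so the script can be exercised on a machine without AppArmor.
reload_profile() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -r "$1"
    else
        echo "apparmor_parser not found, skipping reload of $1" >&2
    fi
}

# Hook body: write the rule, and reload only if the file actually changed.
main() {
    if [ "$(add_rule "$LOCAL_OVERRIDE" "$RULE")" = added ]; then
        reload_profile "$PROFILE"
    fi
}

# Run the hook body only inside a Juju hook; when sourced elsewhere the
# functions are just defined.
if [ -n "${JUJU_HOOK_NAME:-}" ]; then
    main
fi
```

An explicit `deny` rule in AppArmor is quiet by default (only `audit deny` would keep logging), which is why this silences the messages rather than changing what libvirtd can do; since the reporter found the metrics are identical either way, nothing is lost. After the hook runs, the denial lines in the kernel log should stop appearing for that peer; if they continue, check that the main profile really includes the local override on the target release before assuming the rule is wrong.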

jneo8 commented 9 months ago

(by jneo8) This bug doesn't require a change in the snap.