Closed rpjday closed 2 years ago
Was the kernel rebuilt with the config from `snaps.cfg`? I saw that despite the file being dropped into the work dir the kernel was not properly rebuilt and had to run cleanall on it.
FWIW `runqemu core-image-minimal nographic slirp`:

```
root@qemux86-64:~# snap debug confinement
[ 104.742134] audit: type=1400 audit(1658320098.069:60): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=308 comm="apparmor_parser"
[ 104.775776] audit: type=1400 audit(1658320098.150:61): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=308 comm="apparmor_parser"
strict
root@qemux86-64:~# snap debug sandbox-features
apparmor: kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:qipcrtr-socket parser:unsafe policy:default support-level:full
confinement-options: classic devmode strict
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev: device-cgroup-v1 device-filtering tagging
root@qemux86-64:~#
```
With the latest layer, I'm seeing strict confinement, so I can close this issue.
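A small check script, added here as an example and not code from the issue or from snapd: it parses a `snap debug sandbox-features` dump in the format shown above and lists which AppArmor and seccomp features of the strict-confinement qemux86-64 output are absent, which is the first thing to compare when `snap debug confinement` reports partial instead of strict (typically a kernel built without the options from `snaps.cfg`). The baseline is copied from the output above; the `WEAK` dump is constructed to mimic a kernel lacking AppArmor and seccomp user notification.

```shell
#!/bin/sh
# Added example, not code from the issue or from snapd. Compares a
# `snap debug sandbox-features` dump against the features reported by the
# strict-confinement qemux86-64 system above, to spot what a kernel lacks.

# Baseline: copied from the output in this thread (support-level:full).
BASELINE='apparmor: kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:qipcrtr-socket parser:unsafe policy:default support-level:full
confinement-options: classic devmode strict
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif'

# Constructed dump (hypothetical) for a kernel built without AppArmor and
# without seccomp user notification; not real snapd output.
WEAK='apparmor: support-level:none
confinement-options: classic devmode
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap'

# features DUMP SECTION: print the space-separated feature tokens of SECTION
# (everything after "SECTION: "), or nothing if the section is absent.
features() {
    printf '%s\n' "$1" | awk -v s="$2" -F': ' '$1 == s { print $2 }'
}

# missing DUMP SECTION: print each baseline token of SECTION that DUMP lacks.
missing() {
    have=" $(features "$1" "$2") "
    for f in $(features "$BASELINE" "$2"); do
        case "$have" in *" $f "*) ;; *) printf '%s\n' "$f" ;; esac
    done
}

# strict_available DUMP: succeed only if confinement-options lists strict.
strict_available() {
    case " $(features "$1" confinement-options) " in
        *" strict "*) return 0 ;;
    esac
    return 1
}

# Example run: report what the weak kernel is missing per section.
for section in apparmor seccomp; do
    echo "== $section features missing from WEAK =="
    missing "$WEAK" "$section"
done
strict_available "$WEAK" || echo "strict confinement not offered by WEAK"
```

Feed it the real dump from the target (for instance via `snap debug sandbox-features` captured into a variable) to see which kernel-side features the build dropped.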
I did a test build, and "snap debug confinement" showed "partial." Is that what I should have expected? Or is there some other command I should run to examine the state of confinement?