Without mount-observe we have the following denial logs from AppArmor:
= AppArmor =
Time: Jun 24 08:47:30
Log: apparmor="DENIED" operation="open" class="file" profile="snap.rt-tests.cyclicdeadline" name="/proc/19557/mounts" pid=19557 comm="cyclicdeadline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/19557/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'
After connecting mount-observe, we have the denials complaining about access to /sys/kernel/debug/tracing/trace_marker, which is solved using the system-trace interface.
= AppArmor =
Time: Jun 24 08:51:07
Log: apparmor="DENIED" operation="open" class="file" profile="snap.rt-tests.cyclicdeadline" name="/sys/kernel/debug/tracing/trace_marker" pid=25153 comm="cyclicdeadline" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
File: /sys/kernel/debug/tracing/trace_marker (write)
Suggestions:
* adjust program to not access '/sys/kernel/debug/tracing/trace_marker'
* add 'system-trace' to 'plugs'
After connecting mount-observe and system-trace to the rt-tests snap, the cyclicdeadline application works without any denials from AppArmor or Seccomp.
Summary
Fixes noncritical AppArmor denials related to cyclicdeadline
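The triage done by hand above can be scripted. This is an added example, not part of the original change or of the rt-tests snap: it parses AppArmor `DENIED` records, normalizes `/proc/<pid>/` paths to the `@{PROC}/@{pid}/` form shown in the suggestions, and reports which plug resolved each denial. The function names and the hint table are assumptions; the table covers only the two interfaces this page reports.

```python
import re
import shlex

# Constructed sample input: the two "Log:" lines quoted on this page.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" class="file" profile="snap.rt-tests.cyclicdeadline" name="/proc/19557/mounts" pid=19557 comm="cyclicdeadline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="snap.rt-tests.cyclicdeadline" name="/sys/kernel/debug/tracing/trace_marker" pid=25153 comm="cyclicdeadline" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# Denied-path pattern -> interface, limited to the two fixes reported on this
# page (assumption: illustrative only, not snapd's full interface policy).
INTERFACE_HINTS = [
    (re.compile(r"^@\{PROC\}/@\{pid\}/mounts$"), "mount-observe"),
    (re.compile(r"^/sys/kernel/debug/tracing/trace_marker$"), "system-trace"),
]

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, else None."""
    try:
        tokens = shlex.split(line)  # strips the double quotes around values
    except ValueError:  # unbalanced quote, e.g. a truncated log line
        return None
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    return fields if fields.get("apparmor") == "DENIED" else None

def normalize(path, pid):
    """Rewrite /proc/<pid>/... into the @{PROC}/@{pid}/ form used in profiles."""
    prefix = f"/proc/{pid}/"
    if pid and path.startswith(prefix):
        return "@{PROC}/@{pid}/" + path[len(prefix):]
    return path

def triage(log_text):
    """Map (profile, normalized path, denied mask) -> suggested plug or None."""
    result = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        path = normalize(d.get("name", ""), d.get("pid", ""))
        hint = next((i for rx, i in INTERFACE_HINTS if rx.search(path)), None)
        result[(d.get("profile"), path, d.get("denied_mask"))] = hint
    return result

if __name__ == "__main__":
    for key, plug in triage(SAMPLE_LOG).items():
        print(key, "->", plug or "no hint: review before granting")
```

A denial with no entry in the table comes back as `None`, so an unexpected path is surfaced for review instead of being matched to an interface automatically.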