canonical / rt-tests-snap

Snap package of rt-tests
GNU General Public License v2.0

fix: cyclicdeadline missing interface #19

Closed locnnil closed 1 week ago

locnnil commented 2 weeks ago

Summary

Fixes noncritical AppArmor denials related to cyclicdeadline

Without mount-observe we have the following denial logs from AppArmor:

= AppArmor =
Time: Jun 24 08:47:30
Log: apparmor="DENIED" operation="open" class="file" profile="snap.rt-tests.cyclicdeadline" name="/proc/19557/mounts" pid=19557 comm="cyclicdeadline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/19557/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'

After connecting mount-observe, we have the denials complaining about access to /sys/kernel/debug/tracing/trace_marker, which is solved using the system-trace interface.

= AppArmor =
Time: Jun 24 08:51:07
Log: apparmor="DENIED" operation="open" class="file" profile="snap.rt-tests.cyclicdeadline" name="/sys/kernel/debug/tracing/trace_marker" pid=25153 comm="cyclicdeadline" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
File: /sys/kernel/debug/tracing/trace_marker (write)
Suggestions:
* adjust program to not access '/sys/kernel/debug/tracing/trace_marker'
* add 'system-trace' to 'plugs'

After connecting mount-observe and system-trace to the rt-tests snap, the cyclicdeadline application works without any denials from AppArmor or Seccomp.
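A triage sketch for the denial records quoted in the description above, added here as an example and not part of this pull request or of the rt-tests snap. It parses AppArmor `DENIED` records and groups, per snap profile, the interfaces they point at. The names `parse_denial`, `plugs_needed` and `INTERFACE_HINTS` are hypothetical, and the path-to-interface table holds only the two pairings stated in this thread.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: the two denial records quoted in the description above.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="open" class="file" profile="snap.rt-tests.cyclicdeadline" name="/proc/19557/mounts" pid=19557 comm="cyclicdeadline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="snap.rt-tests.cyclicdeadline" name="/sys/kernel/debug/tracing/trace_marker" pid=25153 comm="cyclicdeadline" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
'''

# Path pattern -> interface. Assumption: only the pairings named in this thread.
INTERFACE_HINTS = [
    (re.compile(r"^/proc/\d+/mounts$"), "mount-observe"),
    (re.compile(r"^/sys/kernel/debug/tracing/trace_marker$"), "system-trace"),
]

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED record, or None."""
    try:
        tokens = shlex.split(line)  # strips the double quotes around values
    except ValueError:              # unbalanced quotes, e.g. a truncated line
        return None
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return fields if fields.get("apparmor") == "DENIED" else None

def plugs_needed(log_text):
    """Map each snap profile to the interfaces its denials point at.

    Returns (needed, unmatched); unmatched denials need manual review.
    """
    needed = defaultdict(set)
    unmatched = []
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None or not rec.get("profile", "").startswith("snap."):
            continue
        path = rec.get("name", "")
        for pattern, interface in INTERFACE_HINTS:
            if pattern.match(path):
                needed[rec["profile"]].add(interface)
                break
        else:  # no known interface covers this path
            unmatched.append((rec["profile"], path, rec.get("denied_mask")))
    return {p: sorted(i) for p, i in needed.items()}, unmatched

if __name__ == "__main__":
    print(plugs_needed(SAMPLE_LOG))
```

Denials that land in the unmatched list are the ones to inspect by hand before connecting any further interface, since each added plug widens what the confined application may access.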

farshidtz commented 1 week ago

Please complete the issue description, explaining the difference in behaviour and the mentioned extra logs. Thanks.