search

maxiberta / htop-snap

The `htop` utility packaged as a snap.
MIT License
19 stars 4 forks source link

App armor denies access to `/proc/spl/kstat/zfs/arcstats` #13

Closed csadorf closed 1 year ago

csadorf commented 3 years ago

I've installed htop version 3.0.5 and am running into the issue that htop is not able to access /proc/spl/kstat/zfs/arcstats.

This is an excerpt from the syslog:

[42062.241628] audit: type=1400 audit(1616518163.683:3498): apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/spl/kstat/zfs/arcstats" pid=872438 comm="htop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

The effect is also noticeable within the interface, where all ZFS ARC related meters are disfunctional. 

$ snap info htop
name:      htop
summary:   Interactive processes viewer
publisher: Maximiliano Bertacchini (maxiberta)
store-url: https://snapcraft.io/htop
contact:   https://github.com/maxiberta/htop-snap/issues
license:   GPL-2.0
description: |
  `htop` is an ncurses-based process viewer similar to top, but it allows one to scroll the list
  vertically and horizontally to see all processes and their full command lines. Tasks related to
  processes (killing, renicing) can be done without entering their PIDs.

  Once installed, this snap can _optionally_ be connected to some extra plugs (permissions):

     sudo snap connect htop:hardware-observe  # temperature+battery status
     sudo snap connect htop:mount-observe
     sudo snap connect htop:network-control  # DELAYACCT

  Main website: https://htop.dev/
commands:
  - htop
snap-id:      hJmReLmgXSUj4SF7WhyTVRV6IzUa4QUZ
tracking:     latest/stable
refresh-date: today at 05:30 CET
channels:
  latest/stable:    3.0.5              2021-01-28 (2184) 16MB -
  latest/candidate: 3.0.5              2021-01-28 (2184) 16MB -
  latest/beta:      ↑
  latest/edge:      3.0.5-189-g7b293dc 2021-03-22 (2470) 16MB -
installed:          3.0.5                         (2184) 16MB -
maxiberta commented 3 years ago

Hi! As you already found, this needs snapd support. I reported it myself some time ago in the snapcraft forum with no updates so far. Thanks for keeping that thread alive!

katian commented 3 years ago

hello, same issue here (Ubuntu 20.04.3)

name:      htop
summary:   Interactive processes viewer
publisher: Maximiliano Bertacchini (maxiberta)
store-url: https://snapcraft.io/htop
contact:   https://github.com/maxiberta/htop-snap/issues
license:   GPL-2.0
description: |
  `htop` is an ncurses-based process viewer similar to top, but it allows one to scroll the list
  vertically and horizontally to see all processes and their full command lines. Tasks related to
  processes (killing, renicing) can be done without entering their PIDs.

  Once installed, this snap can _optionally_ be connected to some extra plugs (permissions):

     sudo snap connect htop:mount-observe
     sudo snap connect htop:network-control  # DELAYACCT

  Main website: https://htop.dev/
commands:
  - htop
snap-id:      hJmReLmgXSUj4SF7WhyTVRV6IzUa4QUZ
tracking:     latest/stable
refresh-date: aujourd'hui à 17h25, heure des Rocheuses
channels:
  latest/stable:    3.1.1             2021-10-14 (3233) 9MB -
  latest/candidate: 3.1.1             2021-10-14 (3233) 9MB -
  latest/beta:      ↑                                       
  latest/edge:      3.1.1-16-ge64269d 2021-11-03 (3301) 9MB -
installed:          3.1.1                        (3233) 9MB -
maxiberta commented 2 years ago

These PRs should fix most denials and should be included in snapd 2.56: https://github.com/snapcore/snapd/pull/11836 and https://github.com/snapcore/snapd/pull/11840.

almightiest commented 1 year ago

This still happens to me in snap v2.58.2 with htop 3.2.2

maxiberta commented 1 year ago

This still happens to me in snap v2.58.2 with htop 3.2.2

What exactly? If apparmor="DENIED" operation="open" profile="snap.htop.htop" name="/proc/spl/kstat/zfs/arcstats", it needs the mount-observe interface manually connected (as in sudo snap connect htop:mount-observe) as per https://github.com/snapcore/snapd/pull/11840.

katian commented 1 year ago

$ sudo apt remove htop $ snap install htop

Apparently I don't have this spam problem anymore.

almightiest commented 1 year ago

$ sudo apt remove htop $ snap install htop

Apparently I don't have this spam problem anymore.

Uninstalling/reinstalling the snap work for me. I couldn't uninstall apt version due to dependencies with ubuntu-server being uninstalled? I had to manually connect to resolve the issue. Thanks!

katian commented 1 year ago

@almightiest 

$ snap version 
snap    2.58.2
snapd   2.58.2
series  16
ubuntu  22.04
kernel  5.19.0-32-generic
Kernel: 5.19.0-32-generic x86_64 bits: 64
Desktop: GNOME 42.5 Distro: Ubuntu 22.04.2 LTS (Jammy Jellyfish)
almightiest commented 1 year ago

I do have the apt version installed, but when I try to remove it says it will also remove ubuntu-server which I don't want. I brought the snap bin location ahead of the usr bin folders so snap apps are priority over apt when executing in user environment. This is resolved after manually connecting.

$ snap version
snap    2.58.2
snapd   2.58.2
series  16
ubuntu  22.04
kernel  5.19.0-32-generic
$ apt-cache show htop
Package: htop
Architecture: amd64
Version: 3.0.5-7build2
Priority: optional
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Daniel Lange <DLange@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 334
Depends: libc6 (>= 2.34), libncursesw6 (>= 6), libnl-3-200 (>= 3.2.7), libnl-genl-3-200 (>= 3.2.7), libtinfo6 (>= 6)
Suggests: lm-sensors, lsof, strace
Filename: pool/main/h/htop/htop_3.0.5-7build2_amd64.deb
Size: 128078
MD5sum: c0e29142235dbfe71966d96d2afe2b28
SHA1: 21afa71a99694c298868e1829299159d815c7179
SHA256: ce8362bb923d011c5ed8ed22022e31b73bc66ce02cb69281218ae96af80cf4df
SHA512: 02b5132f7f7cf5f433eb64711618a80f8851c62dda3cd0b9046d04cfe60ccbdacf1a7f17a7d5d90147f78feef755746c43df5113e5e871a5e851cdce3ed62ac9
Homepage: https://htop.dev/
Description-en: interactive processes viewer
 Htop is an ncursed-based process viewer similar to top, but it
 allows one to scroll the list vertically and horizontally to see
 all processes and their full command lines.
 .
 Tasks related to processes (killing, renicing) can be done without
 entering their PIDs.
Description-md5: 8eb5aa19b3c92a975dc78e2165f6688d
Task: cloud-image, ubuntu-wsl, server, ubuntu-server-raspi, lubuntu-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop, ubuntu-budgie-desktop-raspi