Installed snapd using apt, but installing a pre-built armhf snap gives “cannot apply seccomp profile”. Googling that error message seems to indicate some missing kernel compile options. Is snap support planned for a future release?
Hi,
Running strace on the commands you ran could give some clues as to what’s missing.
There aren’t any plans to support snap because we didn’t know such support wasn’t there. If you can let me know if there are any minimal kernel requirements (currently Pi is on 4.14 with 4.19 in staging); and any CONFIG_ options that need to be enabled, I can produce a test build for you and get them in to the next release
Cheers
Sam
Hi Sam, thanks for the prompt response.
The output from strace doesn’t seem to throw up anything useful, but the problem is easily reproducible if you want to take a quick look…
sudo apt install snapd
snap install hello-world
hello-world
Here is the link to a similar report where the kernel settings are mentioned as the problem, though it helpfully doesn’t say what settings!
I’m keen to add support for this, but would need to know what CONFIG_ options need to be enabled. I don’t have enough time to chase this up personally at the moment, and will be on holiday for a few days tomorrow.
Hopefully someone can chime in or we can get more info from the snap forums.
Sam
According to here the kernel needs CONFIG_HAVE_ARCH_SECCOMP_FILTER.
The OSMC Pi kernel only has CONFIG_SECCOMP enabled, whereas a Raspbian (4.14.87+) image I checked has:
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
We might also need apparmor for this, and there is no apparmor module in the kernel
Hopefully we can make it a module to avoid the performance penalty of having it always on
There’s recently been some references in this GitHub thread about the PR’s AppArmor changes being merged in a different kernel version branch, if anyone wants to take a stab at bringing either that kernel version or patchset to OSMC’s kernel. At least IIUC; the thread was kinda hard to follow.
The patch is at configs: Include AppArmor support · raspberrypi/linux@a3e07c5 · GitHub though it’s on a 5.4 kernel. The patch uses Linux Security Modules so can be switched on in /boot/cmdline.txt by adding lsm=apparmor, which is a simple and elegant method of enabling it.
I also found a (Fedora) 4.19 kernel that has AppArmor permanently configured. Searching for apparmor in the kernel config file gives this:
$ grep -i apparmor config-4.19.0-11-amd64
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
1 Like
This issue should now be fixed with the 5.10 kernel which will be in the next update.
I can confirm that apparmor is now enabled by adding lsm=apparmor to /boot/cmdline.txt (and then rebooting).
osmc@osmc:~$ sudo aa-status
apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
/usr/bin/lxc-start
/usr/bin/man
/usr/sbin/ntpd
/usr/sbin/tcpdump
lxc-container-default
lxc-container-default-cgns
lxc-container-default-with-mounting
lxc-container-default-with-nesting
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
/usr/sbin/ntpd (499)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
As to snap, I can at least confirm that the missing SECCOMP kernel options have now been enabled.
osmc@osmc:~$ grep SECCOMP /boot/config-5.10.22-2-osmc
CONFIG_HAVE_ARCH_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
Unfortunately, snapd fails to start.
osmc@osmc:~$ systemctl status snapd
● snapd.service - Snappy daemon
Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sat 2021-04-03 21:45:11 UTC; 14s ago
Process: 830 ExecStart=/usr/lib/snapd/snapd (code=exited, status=42)
Main PID: 830 (code=exited, status=42)