Installed snapd using apt, but installing a pre-built armhf snap gives “cannot apply seccomp profile”. Googling that error message seems to indicate some missing kernel compile options. Is snap support planned for a future release?
Running strace on the commands you ran could give some clues as to what’s missing.
There aren’t any plans to support snap because we didn’t know such support wasn’t there. If you can let me know whether there are any minimal kernel requirements (currently Pi is on 4.14 with 4.19 in staging) and any CONFIG_ options that need to be enabled, I can produce a test build for you and get them into the next release.
Hi Sam, thanks for the prompt response.
The output from strace doesn’t seem to throw up anything useful, but the problem is easily reproducible if you want to take a quick look…
```
sudo apt install snapd
snap install hello-world
```
Here is the link to a similar report where the kernel settings are mentioned as the problem, though it helpfully doesn’t say what settings!
I’m keen to add support for this, but would need to know what CONFIG_ options need to be enabled. I don’t have enough time to chase this up personally at the moment, and will be on holiday for a few days tomorrow.
Hopefully someone can chime in or we can get more info from the snap forums.
According to here the kernel needs
The OSMC Pi kernel only has CONFIG_SECCOMP enabled, whereas a Raspbian (4.14.87+) image I checked has:

```
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
```
We might also need apparmor for this, and there is no apparmor module in the kernel
Indeed. See config: Add SECCOMP_FILTER and APPARMOR by jcberthon · Pull Request #1698 · raspberrypi/linux · GitHub (Go down to posts from Sept 2019.)
Hopefully we can make it a module to avoid the performance penalty of having it always on
There have recently been some references in this GitHub thread about the PR’s AppArmor changes being merged in a different kernel version branch, if anyone wants to take a stab at bringing either that kernel version or patchset to OSMC’s kernel. At least IIUC, the thread was kinda hard to follow.
The patch is at configs: Include AppArmor support · raspberrypi/linux@a3e07c5 · GitHub, though it’s on a 5.4 kernel. The patch uses Linux Security Modules, so it can be switched on in /boot/cmdline.txt by adding `lsm=apparmor`, which is a simple and elegant method of enabling it.
I also found a (Fedora) 4.19 kernel that has AppArmor permanently configured. Searching for apparmor in the kernel config file gives this:
```
$ grep -i apparmor config-4.19.0-11-amd64
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
```
This issue should now be fixed with the 5.10 kernel which will be in the next update.
I can confirm that apparmor is now enabled by adding
/boot/cmdline.txt (and then rebooting).
```
osmc@osmc:~$ sudo aa-status
apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
   /usr/bin/lxc-start
   /usr/bin/man
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
   lxc-container-default
   lxc-container-default-cgns
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (499)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
```
As to snap, I can at least confirm that the missing SECCOMP kernel options have now been enabled.
```
osmc@osmc:~$ grep SECCOMP /boot/config-5.10.22-2-osmc
CONFIG_HAVE_ARCH_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
```
Unfortunately, snapd fails to start.
```
osmc@osmc:~$ systemctl status snapd
● snapd.service - Snappy daemon
   Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Sat 2021-04-03 21:45:11 UTC; 14s ago
  Process: 830 ExecStart=/usr/lib/snapd/snapd (code=exited, status=42)
 Main PID: 830 (code=exited, status=42)
```
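A small check script for the kernel options discussed in this thread, added here as an example rather than taken from any post above or from OSMC or snapd: it greps a kernel config (plain `/boot/config-*` or `/proc/config.gz`) for the seccomp and AppArmor options named above and reports which are missing, and it lists the LSMs the running kernel actually initialised, since CONFIG_SECURITY_APPARMOR being compiled in does not mean AppArmor is active at boot. The option list and the sample config are my own construction; as the `status=42` exit above shows, passing this check is necessary but not sufficient for snapd to start.

```shell
#!/bin/sh
# Options this thread identified as needed by snapd: seccomp filtering for the
# snap sandbox plus AppArmor confinement (list assembled from the posts above).
SNAP_KCONFIG_REQUIRED="CONFIG_SECCOMP CONFIG_SECCOMP_FILTER CONFIG_HAVE_ARCH_SECCOMP_FILTER CONFIG_SECURITY_APPARMOR"

# Emit the config text, transparently decompressing /proc/config.gz style files.
read_kconfig() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print (space separated, in list order) the required options that are neither
# built in (=y) nor modular (=m). Returns 0 when nothing is missing, 1 otherwise.
check_snap_kconfig() {
    cfg="$1"
    missing=""
    for opt in $SNAP_KCONFIG_REQUIRED; do
        if ! read_kconfig "$cfg" | grep -Eq "^${opt}=(y|m)$"; then
            missing="$missing $opt"
        fi
    done
    missing="${missing# }"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Compile-time support is not activation: list the LSMs the running kernel
# initialised. On the OSMC 5.10 kernel AppArmor only shows up here once it is
# selected on the kernel command line, as described in the thread.
active_lsms() {
    [ -r /sys/kernel/security/lsm ] && cat /sys/kernel/security/lsm
}

# Constructed sample resembling the pre-5.10 OSMC config described above:
# plain seccomp present, no seccomp filtering, no AppArmor.
SAMPLE_OLD_OSMC='CONFIG_SECCOMP=y
# CONFIG_SECCOMP_FILTER is not set'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_OLD_OSMC" > "$tmp"
    echo "missing from sample config: $(check_snap_kconfig "$tmp" || true)"
    rm -f "$tmp"
    echo "active LSMs on this host: $(active_lsms || echo unknown)"
}

demo
```

To check a live box, run `check_snap_kconfig /boot/config-$(uname -r)` (or `/proc/config.gz` where the kernel exposes it) and compare `active_lsms` with what `aa-status` reports.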