Can osmc run snap packages

Installed snapd using apt, but installing a pre-built armhf snap gives “cannot apply seccomp profile”. Googling that error message seems to indicate some missing kernel compile options. Is snap support planned for a future release?

Hi,

Running strace on the commands you ran could give some clues as to what’s missing.

There aren’t any plans to support snap because we didn’t know such support wasn’t there. If you can let me know if there are any minimal kernel requirements (currently Pi is on 4.14 with 4.19 in staging) and any CONFIG_ options that need to be enabled, I can produce a test build for you and get them into the next release.

Cheers

Sam

Hi Sam, thanks for the prompt response.
The output from strace doesn’t seem to throw up anything useful, but the problem is easily reproducible if you want to take a quick look…

sudo apt install snapd
snap install hello-world
hello-world

Here is the link to a similar report where the kernel settings are mentioned as the problem, though it helpfully doesn’t say what settings!

I’m keen to add support for this, but would need to know what CONFIG_ options need to be enabled. I don’t have enough time to chase this up personally at the moment, and will be on holiday for a few days tomorrow.

Hopefully someone can chime in or we can get more info from the snap forums.

Sam

According to here the kernel needs CONFIG_HAVE_ARCH_SECCOMP_FILTER.

The OSMC Pi kernel only has CONFIG_SECCOMP enabled, whereas a Raspbian (4.14.87+) image I checked has:

CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y

We might also need apparmor for this, and there is no apparmor module in the kernel.

Indeed. See config: Add SECCOMP_FILTER and APPARMOR by jcberthon · Pull Request #1698 · raspberrypi/linux · GitHub (Go down to posts from Sept 2019.)

Hopefully we can make it a module to avoid the performance penalty of having it always on.

There have recently been some references in this GitHub thread to the PR’s AppArmor changes being merged in a different kernel version branch, if anyone wants to take a stab at bringing either that kernel version or patchset to OSMC’s kernel. At least IIUC, the thread was kinda hard to follow.

The patch is at configs: Include AppArmor support · raspberrypi/linux@a3e07c5 · GitHub though it’s on a 5.4 kernel. The patch uses Linux Security Modules so can be switched on in /boot/cmdline.txt by adding lsm=apparmor, which is a simple and elegant method of enabling it.

I also found a (Fedora) 4.19 kernel that has AppArmor permanently configured. Searching for apparmor in the kernel config file gives this:

$ grep -i apparmor config-4.19.0-11-amd64
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
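To check a kernel config for the options this thread identifies (the SECCOMP filter options, AppArmor, and whether AppArmor is on by default or needs lsm=apparmor on the command line), here is an added POSIX shell script that is not from the thread or from OSMC; the required-option list and the CONFIG_LSM check are my assumptions based on the grep outputs above and on 5.x kernels.

```shell
#!/bin/sh
# Added example, not from the thread: check a kernel config file for the
# seccomp/AppArmor options discussed above. Run as:
#   . ./check_snap_kconfig.sh && check_snap_kconfig /boot/config-$(uname -r)

# Options snapd needs built in (=y). The seccomp ones come from the Raspbian
# comparison above; the AppArmor ones are an assumption based on the
# Fedora 4.19 grep output.
REQUIRED_Y="CONFIG_SECCOMP CONFIG_SECCOMP_FILTER CONFIG_HAVE_ARCH_SECCOMP_FILTER CONFIG_SECURITY CONFIG_SECURITY_APPARMOR"

# kconfig_value FILE OPTION: print the option's value (y, m, number, quoted
# string), or "n" when it is absent or marked "# OPTION is not set".
kconfig_value() {
    val=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-)
    [ -n "$val" ] && echo "$val" || echo n
}

# check_snap_kconfig FILE: return 0 when every required option is =y;
# otherwise print each missing option and return 1.
check_snap_kconfig() {
    missing=0
    for opt in $REQUIRED_Y; do
        v=$(kconfig_value "$1" "$opt")
        if [ "$v" != y ]; then
            echo "missing: $opt (found: $v)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# apparmor_default FILE: return 0 when AppArmor is active without a boot
# parameter: CONFIG_DEFAULT_SECURITY="apparmor" (4.19 era) or "apparmor"
# listed in CONFIG_LSM (5.x, where lsm= on the command line overrides it).
apparmor_default() {
    [ "$(kconfig_value "$1" CONFIG_DEFAULT_SECURITY)" = '"apparmor"' ] ||
        kconfig_value "$1" CONFIG_LSM | tr -d '"' | tr ',' '\n' | grep -qx apparmor
}

# lsm_in_cmdline CMDLINE NAME: return 0 when NAME is in the lsm= list of a
# kernel command line, e.g. the lsm=apparmor added to /boot/cmdline.txt above.
lsm_in_cmdline() {
    for tok in $1; do
        case "$tok" in
            lsm=*) echo "${tok#lsm=}" | tr ',' '\n' | grep -qx "$2" && return 0 ;;
        esac
    done
    return 1
}
```

On a running system, pass "$(cat /proc/cmdline)" to lsm_in_cmdline to see whether the lsm= parameter actually took effect.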

This issue should now be fixed with the 5.10 kernel which will be in the next update.

I can confirm that apparmor is now enabled by adding lsm=apparmor to /boot/cmdline.txt (and then rebooting).

osmc@osmc:~$ sudo aa-status
apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
   /usr/bin/lxc-start
   /usr/bin/man
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
   lxc-container-default
   lxc-container-default-cgns
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/ntpd (499) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

As to snap, I can at least confirm that the missing SECCOMP kernel options have now been enabled.

osmc@osmc:~$ grep SECCOMP /boot/config-5.10.22-2-osmc 
CONFIG_HAVE_ARCH_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

Unfortunately, snapd fails to start.

osmc@osmc:~$ systemctl status snapd
● snapd.service - Snappy daemon
   Loaded: loaded (/lib/systemd/system/snapd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Sat 2021-04-03 21:45:11 UTC; 14s ago
  Process: 830 ExecStart=/usr/lib/snapd/snapd (code=exited, status=42)
 Main PID: 830 (code=exited, status=42)