snap-documentserver icon indicating copy to clipboard operation
snap-documentserver copied to clipboard

Published 20 hours ago verified publisher icon ONLYOFFICE

apparmor issues in snap

Open ahcm opened this issue 2 years ago • 9 comments 

[527108.819297] audit: type=1400 audit(1652772942.981:71): apparmor="DENIED" operation="exec" profile="snap.onlyoffice-ds.mysql" name="/bin/systemctl" pid=929284 comm="mysql.server" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[527111.148204] audit: type=1400 audit(1652772945.313:72): apparmor="DENIED" operation="chmod" profile="snap.onlyoffice-ds.mysql"name="/tmp/" pid=929377 comm="chmod" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[527111.213828] audit: type=1400 audit(1652772945.377:73): apparmor="DENIED" operation="open" profile="snap.onlyoffice-ds.mysql" name="/etc/mysql/mariadb.cnf" pid=929432 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[527111.225913] audit: type=1400 audit(1652772945.389:74): apparmor="DENIED" operation="chmod" profile="snap.onlyoffice-ds.mysql"name="/tmp/" pid=929444 comm="chmod" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[527111.275668] audit: type=1400 audit(1652772945.441:75): apparmor="DENIED" operation="exec" profile="snap.onlyoffice-ds.mysql" name="/bin/systemctl" pid=929502 comm="mysql.server" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[527111.291022] audit: type=1400 audit(1652772945.453:76): apparmor="DENIED" operation="open" profile="snap.onlyoffice-ds.mysql" name="/etc/mysql/mariadb.cnf" pid=929529 comm="my_print_defaul" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[527111.316492] audit: type=1400 audit(1652772945.481:77): apparmor="DENIED" operation="open" profile="snap.onlyoffice-ds.mysql" name="/etc/mysql/mariadb.cnf" pid=929578 comm="my_print_defaul" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[527111.429281] audit: type=1400 audit(1652772945.593:78): apparmor="DENIED" operation="open" profile="snap.onlyoffice-ds.mysql" name="/etc/mysql/mariadb.cnf" pid=929833 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[527112.635586] audit: type=1400 audit(1652772946.801:79): apparmor="DENIED" operation="capable" profile="snap.onlyoffice-ds.rabbitmq" pid=930073 comm="async_54" capability=1  capname="dac_override"
[527113.958263] audit: type=1400 audit(1652772948.121:80): apparmor="DENIED" operation="exec" profile="snap.onlyoffice-ds.rabbitmq" name="/bin/df" pid=930211 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[527233.978724] audit: type=1400 audit(1652773068.147:81): apparmor="DENIED" operation="exec" profile="snap.onlyoffice-ds.rabbitmq" name="/bin/df" pid=930421 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[527353.980678] audit: type=1400 audit(1652773188.149:82): apparmor="DENIED" operation="exec" profile="snap.onlyoffice-ds.rabbitmq" name="/bin/df" pid=930854 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

ahcm avatar May 17 '22 08:05 ahcm

Hi, please add details in your report

How did you configured AppArmor, which system do you use, all the stuff that help us reproduce the problem

ShockwaveNN avatar May 17 '22 08:05 ShockwaveNN 

$ snap list | grep onlyoffice
onlyoffice-ds  7.0.1          71     latest/stable  onlyoffice*  -

ahcm avatar May 17 '22 08:05 ahcm

Once again, please describe step-by-step scenario on how to reproduce your problem

Which is the system you've using as the host, how did you setup your AppArmor

We are not wizards (and not a support) and the more info you get to us - the easier will be to help you

ShockwaveNN avatar May 17 '22 08:05 ShockwaveNN

Well, install the snap on a Ubuntu 20.04.

The apparmor is configured by the snap. You make the snap. Your snap is the problem. The problem should happen on any system, as far as I know.

ahcm avatar May 17 '22 08:05 ahcm

Hello @ahcm, thank you for report. I reproduced your case and create issue 57872 in our private issue tracker.

igwyd avatar Jun 29 '22 15:06 igwyd

Any progress with this issue?

i am running version "onlyoffice-ds 7.3.3" on Ubuntu 20.04 with the same AppArmor messages.

parmaene avatar Apr 24 '23 16:04 parmaene

Hello @parmaene, unfortunately no news yet. I added your request to update information of the bug.

igwyd avatar Apr 26 '23 07:04 igwyd

I seem to have this too on Ubuntu 22.04.3 LTS

Rhysers avatar Aug 15 '23 15:08 Rhysers

Same on Debian 12 and Ubuntu 24.04. Step to reproduce:

  • sudo -i
  • snap install onlyoffice-ds
  • snap set onlyoffice-ds onlyoffice.example-enabled=true
  • try to open one of demo documents with http://localhost/example/editor?fileName=sample.xlsx and system freeze with lots of logs like this: [...] apparmor="DENIED" operation="exec" profile="snap.onlyoffice-ds.rabbitmq" name="/usr/bin/df" pid=4212 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

redfox7691 avatar Aug 01 '24 14:08 redfox7691