object '/lib/x86_64-linux-gnu/libsnoopy.so' from /etc/ld.so.preload cannot be preloaded

Question

object '/lib/x86_64-linux-gnu/libsnoopy.so' from /etc/ld.so.preload cannot be preloaded

captainwasabi opened this issue 2 years ago · comments

I am getting this error anytime I use an lxc command. i.e.

# lxc list

LXD runs in a snap and I get the following in the audit.log

type=AVC msg=audit(1659985925.205:660842): apparmor="DENIED" operation="open" 
profile="/snap/core/13425/usr/lib/snapd/snap-confine" name="/lib/x86_64-linux-gnu/libsnoopy.so.0.0.0" pid=419713 
comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Bostjan Skufca Jese · Answer 1 · Tue Aug 09 2022 19:52:07 GMT+0800 (China Standard Time)

On which host OS can I reproduce this? Ubuntu 20.04 or 22.04?

captainwasabi · Answer 2 · Tue Aug 09 2022 20:32:08 GMT+0800 (China Standard Time)

I'm on 20.04. However I think this box may have started with 12.04->16.04->18.04->20.04 if that makes a difference. (nte, it doesn't make a difference. I just tried it on a clean install of 20.04 and I got the messages in the log)

Also, this box was recently STIG'd and snoopy was installed after the STIG remediation.

Bostjan Skufca Jese · Answer 3 · Wed Aug 10 2022 08:56:21 GMT+0800 (China Standard Time)

I'll look into this, thanks for the clarification.

These distro-specific issues are something that I'll try to solve with #135.

Bostjan Skufca Jese · Answer 4 · Sun Aug 28 2022 07:53:02 GMT+0800 (China Standard Time)

In short, snapd has a very locked down AppArmor profile, down to listing individual shared libraries that it is allowing to load (/etc/apparmor.d/usr.lib.snapd.snap-confine.real), probably in order to prevent unauthorised random code to run alongside the original code.

On the other hand, Snoopy is exactly what Snap's AppArmor profile is trying to prevent - interposed, "unauthorised" third-party code that runs alongside the original code.

The following (manually) resolves the issue on my side:

# Configure
cat <<EOF > /var/lib/snapd/apparmor/snap-confine/snoopy
#
# Snoopy Command Logger
#
    /lib/x86_64-linux-gnu/libsnoopy.so* mr,

    /dev/pts/ r,
    /proc/*/loginuid r,
    /proc/*/status r,
    /usr/lib/x86_64-linux-gnu/libnss_compat-*.so mr,
    /usr/lib/x86_64-linux-gnu/libnss_nis-*.so mr,
    /usr/lib/x86_64-linux-gnu/libnsl-*.so mr,

    unix (create, connect, send) type=dgram,
    unix (create, connect, send) type=stream,

    /dev/log w,
    /run/systemd/journal/dev-log w,
EOF

# Enable 
apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-confine.snapd.16292   # This one will probably need adjustment in your environment

PR #245 contains a Snoopy packaging update, and Snoopy 2.5.0rc3 packaged for Ubuntu will have this file included:
https://github.com/a2o/snoopy/blob/master/packaging/deb/extra-files/snapd-apparmor-profile

Caveats:

This AppArmor profile adjustment does not get loaded into your system automatically when package is installed.
There are probably a bunch of rules missing that are needed by other datasources (like ipaddr, tty, rpname or similar).

To be completely honest, I don't have much desire to deal with this further. However, I will gladly accept PRs that improve upon my initial work (updated policy, automatic policy reloading on package install/update).