core-base icon indicating copy to clipboard operation
core-base copied to clipboard
verified publisher icon snapcore

core26 - coreutils symlink targets not covered by `defaultCoreRuntimeTemplateRules`

Open fnordahl opened this issue 4 months ago • 1 comments

The core26 snap appears to make use of the GNU coreutils, Ubuntu Questing is moving to a default of the uutils re-implementation of coreutils in Rust, and as a side effect the GNU coreutils binaries are now behind a layer of symlinks.

The snapd defaultCoreRuntimeTemplateRules does not cover this: https://github.com/canonical/snapd/blob/44ef02278af92d3961fe6d8cedf8a4533f5aa53d/interfaces/apparmor/template.go#L507-L676

and as a consequence binaries/scripts with a core26 base are currently not able to execute coreutils tools such as mkdir and readlink.

Log excerpt:

apparmor="DENIED" operation="exec" class="file" profile="snap.microovn.switch" name="/usr/bin/gnumkdir" pid=1328 comm="switch.start" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" class="file" profile="snap.microovn.switch" name="/usr/bin/gnumkdir" pid=1328 comm="switch.start" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" class="file" profile="snap.microovn.switch" name="/usr/bin/gnumkdir" pid=1391 comm="switch.start" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" class="file" profile="snap.microovn.switch" name="/usr/bin/gnumkdir" pid=1391 comm="switch.start" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

apparmor="DENIED" operation="exec" class="file" profile="snap.microovn.ovn-ovsdb-server-nb" name="/usr/bin/gnureadlink" pid=1427 comm="ovn-ctl" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" class="file" profile="snap.microovn.ovn-ovsdb-server-nb" name="/usr/bin/gnureadlink" pid=1427 comm="ovn-ctl" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

# ls -l /snap/core26/current/bin/mkdir /snap/core26/current/bin/gnumkdir
-rwxr-xr-x 1 root root 68192 May  8 09:06 /snap/core26/current/bin/gnumkdir
lrwxrwxrwx 1 root root     8 Aug 26 11:28 /snap/core26/current/bin/mkdir -> gnumkdir

fnordahl avatar Sep 11 '25 07:09 fnordahl

PR in snapd: https://github.com/canonical/snapd/pull/15966

bboozzoo avatar Sep 12 '25 06:09 bboozzoo

https://github.com/canonical/snapd/pull/16068 was obsoleted by https://github.com/canonical/snapd/pull/16068 that is now merged so this issue is likely fixed.

simondeziel avatar Nov 19 '25 19:11 simondeziel