Topic: Upgrade from PPA to snap (Read 283 times)

AppArmor provides /etc/apparmor.d/local/ for rules to add to the main ones.  (Although this can't be used to override an explicit deny like tcpdump's ban on using files in $HOME/bin.)  We just need to add a rule for the *.gz, and while we're there, why not the *.bz2 version as well?
The trailing comma does not seem to be an issue for me.  Note also that we don't need to specify the binary and braces, since the #include line in the system profile is already inside the braces.

Ubuntu ships some files in the local directory already; we should be able to run and add the lines above to the existing file.  Once the file is ready, we need to reload that profile to the kernel.  Note that we use the system profile here, not the one we just edited:
.


locate your core in usr/src/

use sudo commands and should be fine

Serj, I have the same problem with bitcoin-core polluting /var/log/syslog with AppArmor messages (see below). Have you learned what modifications are required to the AppArmor configuration to give bitcoin-core access to these various /proc resources? Thanks!

----------
...
Feb 28 16:43:24 elijah kernel: [ 2591.097883] audit: type=1400 audit(1614555804.182:333): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/schedstat" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 28 16:43:24 elijah kernel: [ 2591.097886] audit: type=1400 audit(1614555804.182:334): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/zoneinfo" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 28 16:43:24 elijah kernel: [ 2591.097993] audit: type=1400 audit(1614555804.182:335): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/softirqs" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 28 16:43:24 elijah kernel: [ 2591.098084] audit: type=1400 audit(1614555804.182:336): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/3248/schedstat" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Feb 28 16:44:24 elijah kernel: [ 2651.108811] audit: type=1400 audit(1614555864.194:337): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/diskstats" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 28 16:44:24 elijah kernel: [ 2651.108819] audit: type=1400 audit(1614555864.194:338): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/vmstat" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 28 16:44:24 elijah kernel: [ 2651.108824] audit: type=1400 audit(1614555864.194:339): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/schedstat" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 28 16:44:24 elijah kernel: [ 2651.108829] audit: type=1400 audit(1614555864.194:340): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/zoneinfo" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 28 16:44:24 elijah kernel: [ 2651.108939] audit: type=1400 audit(1614555864.194:341): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/softirqs" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 28 16:44:24 elijah kernel: [ 2651.109075] audit: type=1400 audit(1614555864.194:342): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/proc/3248/schedstat" pid=3248 comm="b-scheduler" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
...
----------

Why is bitcoin-qt performing a mknod? And why doesn't "mknod" appear in the sources for bitcoin-qt or its packaging?

It seems like the apparmor profile has to be adjusted.
You need to allow access to the following in your apparmor profile:

operation="open" => read permission
operation="mknod" => write permission


Can you confirm the profile does indeed cover the necessary permissions and paths ?

I've been looking at this. At first I thought, OK, let's just add the non-standard path to the apparmor file (which by the way is /var/lib/snapd/apparmor/profiles/snap.bitcoin-core.qt)...

But what's curious here is that the operation being denied isn't reading or writing those files. It's "mknod" - creating a device file.

That's super strange. What's bitcoin-qt doing that for?

Then I went looking for where in the source code a mknod is being performed. Only "mknod" does not occur anywhere in the bitcoin sources. Or in the bitcoin-core-snap packaging.

Fine, perhaps there's a legit reason for this, and perhaps bitcoin-qt is calling something that calls mknod... but why?? Why create a device file? That's odd behavior for a program that doesn't deal with hardware devices.

I can hardly find any hits on google on anyone even looking at the snap at all, let alone thinking about this issue. There was this: https://twitter.com/rusty_twit/status/1201368196608999424 - made me chuckle, but no solution of course.

Does anyone have any ideas?

Yea... The permissions are fine... It's apparmor denying bitcoin permission

im never using apparmor, and i can't identify your problem but i want to ask about this


do you have change the permmission? maybe like chmod or something else?
and you are use "Ubuntu 19.10" , i can;t says this release is stable, better you downgrade to 18.04 or 16.04

No response after 5 days? It looks like I'm asking this in the wrong place.

Where would you guys suggest I can find some technical people to get some advice about this?

So, I noticed the PPA is no longer being updated.

I uninstalled the PPA and installed the snap.

apparmor seems to be killing me...
 
apparmor="DENIED" operation="mknod" profile="snap.bitcoin-core.qt" name="/home/serj/Bitcoin/7ffb-ef67-01f7-0640" pid=22511 comm="bitcoin-qt" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

What is more; I do not see an apparmor profile called snap.bitcoin-core.qt anywhere.

Thoughts?

More info below:


serj@serj-ubuntu:~$ uname -a
Linux serj-ubuntu 5.3.0-24-generic #26-Ubuntu SMP Thu Nov 14 01:33:18 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

serj@serj-ubuntu:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=19.10
DISTRIB_CODENAME=eoan
DISTRIB_DESCRIPTION="Ubuntu 19.10"

serj@serj-ubuntu:~$ snap info bitcoin-core
name:      bitcoin-core
summary:   peer-to-peer network based digital currency
publisher: Bitcoin Core
contact:   https://github.com/bitcoin-core/packaging/issues/new?title=snap:
license:   unset
description: |
  Bitcoin is a free open source peer-to-peer electronic cash system that
  is completely decentralized, without the need for a central server or
  trusted parties.  Users hold the crypto keys to their own money and
  transact directly with each other, with the help of a P2P network to
  check for double-spending.
commands:
  - bitcoin-core.cli
  - bitcoin-core.daemon
  - bitcoin-core.qt
snap-id:      lGr3hNoqLtHTp2yV1BgnqyElQtLUDPeA
tracking:     stable
refresh-date: today at 09:58 NZDT
channels:
  stable:         0.19.0.1 2019-11-24 (54) 106MB -
  candidate:      ↑                             
  beta:           ↑                             
  edge:           0.19.0.1 2019-11-24 (54) 106MB -
  0.19/stable:    0.19.0.1 2019-11-25 (60) 106MB -
  0.19/candidate: ↑                             
  0.19/beta:      ↑                             
  0.19/edge:      0.19.0.1 2019-11-25 (60) 106MB -
  0.18/stable:    0.18.1   2019-08-09 (50) 107MB -
  0.18/candidate: ↑                             
  0.18/beta:      ↑                             
  0.18/edge:      0.18.1   2019-08-09 (50) 107MB -
  0.17/stable:    0.17.1   2019-08-08 (42) 106MB -
  0.17/candidate: ↑                             
  0.17/beta:      ↑                             
  0.17/edge:      0.17.1   2019-08-08 (42) 106MB -
installed:        0.19.0.1            (54) 106MB -

serj@serj-ubuntu:~$ bitcoin-core.qt
Error: Cannot write to data directory '/home/serj/Bitcoin'; check permissions.

serj@serj-ubuntu:~$ tail /var/log/kern.log
Jan  9 14:42:11 serj-ubuntu kernel: [313980.271639] audit: type=1400 audit(1578534131.921:160): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/home/serj/Documents/" pid=22585 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  9 14:42:12 serj-ubuntu kernel: [313981.273808] audit: type=1400 audit(1578534132.921:161): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/home/serj/Bitcoin/bitcoin.conf" pid=22511 comm="bitcoin-qt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  9 14:42:13 serj-ubuntu kernel: [313981.386697] audit: type=1400 audit(1578534133.037:162): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/home/serj/.local/share/font-manager/Library/" pid=22511 comm="bitcoin-qt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  9 14:42:13 serj-ubuntu kernel: [313981.387010] audit: type=1400 audit(1578534133.037:163): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/home/serj/.local/share/font-manager/Library/" pid=22511 comm="bitcoin-qt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  9 14:42:13 serj-ubuntu kernel: [313981.387019] audit: type=1400 audit(1578534133.037:164): apparmor="DENIED" operation="open" profile="snap.bitcoin-core.qt" name="/home/serj/.local/share/font-manager/Library/" pid=22511 comm="bitcoin-qt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan  9 14:42:14 serj-ubuntu kernel: [313982.421506] audit: type=1400 audit(1578534134.069:165): apparmor="DENIED" operation="mknod" profile="snap.bitcoin-core.qt" name="/home/serj/Bitcoin/7ffb-ef67-01f7-0640" pid=22511 comm="bitcoin-qt" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000