** Changed in: snap-confine (Ubuntu)
       Status: Confirmed => Fix Released
https://bugs.launchpad.net/bugs/1615113

Title:
  snap-confine prevented from mounting base directory through the "content" interface

Status in Snappy Launcher:
  Fix Released
Status in snap-confine package in Ubuntu:
  Fix Released
Status in snap-confine source package in Xenial:
  Fix Released

Bug description:

[Impact]

The "content" interface refused to share the entire contents of one snap with another snap. This bug was caused by overzealous confinement of snap-confine itself that required for the "source" of the sharing to be a sub-directory of a snap. This restriction was lifted by editing the apparmor profile for snap-confine.

For more information about the execution environment, please see this article:
http://www.zygoon.pl/2016/08/snap-execution-environment.html

[Test Case]

The test case can be found here:
https://github.com/snapcore/snap-confine/blob/master/spread-tests/regression/lp-1615113/task.yaml

The test case is run automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually. The commands there assume that snapd and snap-confine are installed. No other additional setup is necessary.

[Regression Potential]

* Regression potential is minimal as the fix simply makes the apparmor confinement of snap-confine slightly less restrictive.

[Other Info]

* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates

== # Pre-SRU bug description follows # ==

Using the new "content" interface, and following the integration tests as an example, I have built two snaps in https://github.com/ubuntu/snappy-playpen/tree/geany, one under "geany" and the other under "geany-plugins", that work together to share the plugin code with the geany app.

Both build, install, and connect just fine, but on trying to run /snap/bin/geany it immediately fails with the following message:

  cannot mount /snap/geany-plugins/x1 at /snap/geany/x1/plugins with options bind,ro. errmsg: Permission denied

Checking dmesg after this shows the following:

  [335489.022097] audit: type=1400 audit(1471624994.323:302441): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="/usr/lib/snapd/snap-confine" name="/snap/geany/x1/plugins/" pid=18454 comm="ubuntu-core-lau" srcname="/snap/geany-plugins/x1/" flags="rw, bind"

I believe this is due to the fact that my geany-plugins slot is sharing the root of its content (/) instead of a file or folder by name. This makes the mount source /snap/geany-plugins/x1/ which is too short to match the apparmor allow line of /snap/*/*/**

To test this, I made the following change to /etc/apparmor.d/usr.lib.snapd.snap-confine

120,121c120,121 < mount options=(rw bind) /snap/*/*/** -> /snap/*/*/**, < mount options=(ro bind) /snap/*/*/** -> /snap/*/*/**, --- > mount options=(rw bind) /snap/*/** -> /snap/*/*/**, > mount options=(ro bind) /snap/*/** -> /snap/*/*/**,

This allowed the mount to happen and the application to run.
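
Review bot: in both replacement lines (the ">" side of 120,121), the source glob "/snap/*/**" is wider than the denied mount needs. The denial is for srcname="/snap/geany-plugins/x1/", the root of one snap revision, but "/snap/*/**" also admits any other entry directly under /snap/<name>/ as a bind source. Consider leaving the two existing "/snap/*/*/**" rules in place and adding rules whose source is exactly "/snap/*/*/", for example "mount options=(ro bind) /snap/*/*/ -> /snap/*/*/**,", so that only the revision root is newly allowed. The changed lines also carry no comment saying why the source side differs from the target side; a one-line comment above them naming the content interface case would help whoever next audits the profile.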
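
Added example (not part of the bug report or of snap-confine): a Python sketch that parses the audit record quoted in the report and checks its srcname and name fields against the rule globs mentioned there. The glob translation is a simplified model of AppArmor path matching and assumes that a glob starting a path component must match at least one character; the function names are hypothetical.

```python
import re

# Audit record copied from the bug report above.
AUDIT = ('audit: type=1400 audit(1471624994.323:302441): apparmor="DENIED" '
         'operation="mount" info="failed srcname match" error=-13 '
         'profile="/usr/lib/snapd/snap-confine" name="/snap/geany/x1/plugins/" '
         'pid=18454 comm="ubuntu-core-lau" srcname="/snap/geany-plugins/x1/" '
         'flags="rw, bind"')

def parse_audit(line):
    """Return the key=value fields of an audit record as a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def glob_to_regex(glob):
    """Simplified model of AppArmor path globs (assumption, not parser code):
    '*' stays inside one path component, '**' may cross '/', and a glob that
    starts a path component ('*' only when it is the whole component) must
    match at least one character."""
    out, i = "", 0
    while i < len(glob):
        if glob[i] != "*":
            out += re.escape(glob[i])
            i += 1
            continue
        double = glob.startswith("**", i)
        width = 2 if double else 1
        rest = r"[^\x00]*" if double else r"[^/\x00]*"
        nxt = glob[i + width:i + width + 1]
        if out.endswith("/") and (double or nxt in ("", "/")):
            out += r"[^/\x00]"  # so the bare directory itself is not matched
        out += rest
        i += width
    return re.compile(out)

def mount_allowed(rule_src, rule_dst, fields):
    """True if the mount source and mount point both match the rule's globs."""
    return bool(glob_to_regex(rule_src).fullmatch(fields["srcname"])
                and glob_to_regex(rule_dst).fullmatch(fields["name"]))

if __name__ == "__main__":
    fields = parse_audit(AUDIT)
    # Rule from the shipped profile, then the relaxed source glob from the report.
    for src in ("/snap/*/*/**", "/snap/*/**"):
        ok = mount_allowed(src, "/snap/*/*/**", fields)
        print(f"{src} -> /snap/*/*/**: {'allowed' if ok else 'denied'}")
```

Under this model the mount point /snap/geany/x1/plugins/ already matches the target glob; only the source side fails, which agrees with info="failed srcname match" in the record.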