Per agreement with jdstrand it is sufficient to verify that the new policy is a superset (that is, it allows to do more, not less) of the old policy. This prevents the possibility of regressions. Given that the original bug was reported on a non-common hardware/kernel combination this serves as a sufficient SRU verification.
As a part of the verification the apparmro profile from /etc/apparmor.d/usr.lib.snapd.snap-confine was copied before and after the proposed upgrade. The package upgraded successfully so the new profile was also successfully compiled and loaded into the kernel. Both profiles were compared and the new rule, containing the extra trailing slash, was present in the diff. ** Tags removed: verification-needed ** Tags added: verification-done -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Released Status in linux package in Ubuntu: Confirmed Status in snap-confine package in Ubuntu: Fix Released Status in snap-confine source package in Xenial: Fix Released Bug description: [Impact] snap-confine would refuse to work on an older kernel running on an Nvidia Tegra X1 board. This was traced to a bug in older version of apparmor there that required directory-like syntax for /dev/pts/ptmx (with a trailing slash). This bug is fixed by adding an apparmor rule, identical to the normal rule, with an extra slash. Older kernels will use the new rule while current kernels will just ignore it. [Test Case] On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no longer fail to start. On Ubuntu Xenial (all architectures) there should be no perceived change. Snap-confine is carefully tested with a battery of spread tests that can be found here: https://github.com/snapcore/snap- confine/blob/master/spread-tests/ The test cases are ran automatically for each pull request and for each final release. All those tests were executed successfully for this release. As a simple test case consider running any snap (any at all, including hello-world). [Regression Potential] * Regression potential is minimal as the fix simply adds another apparmor rule that grants additional permissions that are only picked up by old buggy kernels. * The fix was tested on Ubuntu via spread. [Other Info] * This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41. * This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41. * snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates == # Pre-SRU bug description follows # == - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. ===================================== ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: ===================================== [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: ===================================== ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c--------- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
