[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
This bug was fixed in the package snap-confine - 1.0.38-0ubuntu0.16.04.10 --- snap-confine (1.0.38-0ubuntu0.16.04.10) xenial; urgency=medium * debian/usr.lib.snapd.snap-confine: - synchronize apparmor profile with upstream 1.0.40 release. (LP: #1597842, LP: #1615113, LP: #1584456) snap-confine (1.0.38-0ubuntu0.16.04.9) xenial; urgency=medium * debian/patches/04_not_die_unknown_locations.patch: - move to /var/lib/snapd/void (with mode 0) if the current location cannot be preserved (LP: #1612684) -- Zygmunt KrynickiWed, 24 Aug 2016 20:31:12 +0200 ** Changed in: snap-confine (Ubuntu Xenial) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Released Status in linux package in Ubuntu: Confirmed Status in snap-confine package in Ubuntu: Fix Released Status in snap-confine source package in Xenial: Fix Released Bug description: [Impact] snap-confine would refuse to work on an older kernel running on an Nvidia Tegra X1 board. This was traced to a bug in older version of apparmor there that required directory-like syntax for /dev/pts/ptmx (with a trailing slash). This bug is fixed by adding an apparmor rule, identical to the normal rule, with an extra slash. Older kernels will use the new rule while current kernels will just ignore it. [Test Case] On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no longer fail to start. On Ubuntu Xenial (all architectures) there should be no perceived change. Snap-confine is carefully tested with a battery of spread tests that can be found here: https://github.com/snapcore/snap- confine/blob/master/spread-tests/ The test cases are ran automatically for each pull request and for each final release. All those tests were executed successfully for this release. As a simple test case consider running any snap (any at all, including hello-world). [Regression Potential] * Regression potential is minimal as the fix simply adds another apparmor rule that grants additional permissions that are only picked up by old buggy kernels. * The fix was tested on Ubuntu via spread. [Other Info] * This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41. * This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41. * snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates == # Pre-SRU bug description follows # == - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
Per agreement with jdstrand it is sufficient to verify that the new policy is a superset (that is, it allows to do more, not less) of the old policy. This prevents the possibility of regressions. Given that the original bug was reported on a non-common hardware/kernel combination this serves as a sufficient SRU verification. As a part of the verification the apparmro profile from /etc/apparmor.d/usr.lib.snapd.snap-confine was copied before and after the proposed upgrade. The package upgraded successfully so the new profile was also successfully compiled and loaded into the kernel. Both profiles were compared and the new rule, containing the extra trailing slash, was present in the diff. ** Tags removed: verification-needed ** Tags added: verification-done -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Released Status in linux package in Ubuntu: Confirmed Status in snap-confine package in Ubuntu: Fix Released Status in snap-confine source package in Xenial: Fix Released Bug description: [Impact] snap-confine would refuse to work on an older kernel running on an Nvidia Tegra X1 board. This was traced to a bug in older version of apparmor there that required directory-like syntax for /dev/pts/ptmx (with a trailing slash). This bug is fixed by adding an apparmor rule, identical to the normal rule, with an extra slash. Older kernels will use the new rule while current kernels will just ignore it. [Test Case] On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no longer fail to start. On Ubuntu Xenial (all architectures) there should be no perceived change. Snap-confine is carefully tested with a battery of spread tests that can be found here: https://github.com/snapcore/snap- confine/blob/master/spread-tests/ The test cases are ran automatically for each pull request and for each final release. All those tests were executed successfully for this release. As a simple test case consider running any snap (any at all, including hello-world). [Regression Potential] * Regression potential is minimal as the fix simply adds another apparmor rule that grants additional permissions that are only picked up by old buggy kernels. * The fix was tested on Ubuntu via spread. [Other Info] * This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41. * This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41. * snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates == # Pre-SRU bug description follows # == - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
Yann could you please verify that this bug is fixed by the package in xenial-proposed? You can find more information about the process at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Released Status in linux package in Ubuntu: Confirmed Status in snap-confine package in Ubuntu: Fix Released Status in snap-confine source package in Xenial: In Progress Bug description: [Impact] snap-confine would refuse to work on an older kernel running on an Nvidia Tegra X1 board. This was traced to a bug in older version of apparmor there that required directory-like syntax for /dev/pts/ptmx (with a trailing slash). This bug is fixed by adding an apparmor rule, identical to the normal rule, with an extra slash. Older kernels will use the new rule while current kernels will just ignore it. [Test Case] On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no longer fail to start. On Ubuntu Xenial (all architectures) there should be no perceived change. Snap-confine is carefully tested with a battery of spread tests that can be found here: https://github.com/snapcore/snap- confine/blob/master/spread-tests/ The test cases are ran automatically for each pull request and for each final release. All those tests were executed successfully for this release. As a simple test case consider running any snap (any at all, including hello-world). [Regression Potential] * Regression potential is minimal as the fix simply adds another apparmor rule that grants additional permissions that are only picked up by old buggy kernels. * The fix was tested on Ubuntu via spread. [Other Info] * This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41. * This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41. * snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates == # Pre-SRU bug description follows # == - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: snap-confine (Ubuntu Xenial) Importance: Undecided Status: New ** No longer affects: linux (Ubuntu Xenial) ** Changed in: snap-confine (Ubuntu Xenial) Status: New => In Progress -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Released Status in linux package in Ubuntu: Confirmed Status in snap-confine package in Ubuntu: Fix Released Status in snap-confine source package in Xenial: In Progress Bug description: [Impact] snap-confine would refuse to work on an older kernel running on an Nvidia Tegra X1 board. This was traced to a bug in older version of apparmor there that required directory-like syntax for /dev/pts/ptmx (with a trailing slash). This bug is fixed by adding an apparmor rule, identical to the normal rule, with an extra slash. Older kernels will use the new rule while current kernels will just ignore it. [Test Case] On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no longer fail to start. On Ubuntu Xenial (all architectures) there should be no perceived change. Snap-confine is carefully tested with a battery of spread tests that can be found here: https://github.com/snapcore/snap- confine/blob/master/spread-tests/ The test cases are ran automatically for each pull request and for each final release. All those tests were executed successfully for this release. As a simple test case consider running any snap (any at all, including hello-world). [Regression Potential] * Regression potential is minimal as the fix simply adds another apparmor rule that grants additional permissions that are only picked up by old buggy kernels. * The fix was tested on Ubuntu via spread. [Other Info] * This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41. * This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41. * snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates == # Pre-SRU bug description follows # == - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
** Also affects: snap-confine (Ubuntu) Importance: Undecided Status: New ** Changed in: snap-confine (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Released Status in linux package in Ubuntu: Confirmed Status in snap-confine package in Ubuntu: Fix Released Bug description: [Impact] snap-confine would refuse to work on an older kernel running on an Nvidia Tegra X1 board. This was traced to a bug in older version of apparmor there that required directory-like syntax for /dev/pts/ptmx (with a trailing slash). This bug is fixed by adding an apparmor rule, identical to the normal rule, with an extra slash. Older kernels will use the new rule while current kernels will just ignore it. [Test Case] On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no longer fail to start. On Ubuntu Xenial (all architectures) there should be no perceived change. Snap-confine is carefully tested with a battery of spread tests that can be found here: https://github.com/snapcore/snap- confine/blob/master/spread-tests/ The test cases are ran automatically for each pull request and for each final release. All those tests were executed successfully for this release. As a simple test case consider running any snap (any at all, including hello-world). [Regression Potential] * Regression potential is minimal as the fix simply adds another apparmor rule that grants additional permissions that are only picked up by old buggy kernels. * The fix was tested on Ubuntu via spread. [Other Info] * This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41. * This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41. * snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates == # Pre-SRU bug description follows # == - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
** Description changed: + [Impact] - - Finding issues running snaps (hello-world). + snap-confine would refuse to work on an older kernel running on an + Nvidia Tegra X1 board. This was traced to a bug in older version of + apparmor there that required directory-like syntax for /dev/pts/ptmx + (with a trailing slash). + + This bug is fixed by adding an apparmor rule, identical to the normal + rule, with an extra slash. Older kernels will use the new rule while + current kernels will just ignore it. + + [Test Case] + + On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no + longer fail to start. On Ubuntu Xenial (all architectures) there should + be no perceived change. + + Snap-confine is carefully tested with a battery of spread tests that can + be found here: https://github.com/snapcore/snap-confine/blob/master + /spread-tests/ + + The test cases are ran automatically for each pull request and for each + final release. + + All those tests were executed successfully for this release. As a simple + test case consider running any snap (any at all, including hello-world). + + [Regression Potential] + + * Regression potential is minimal as the fix simply adds another + apparmor rule that grants additional permissions that are only picked up + by old buggy kernels. + + * The fix was tested on Ubuntu via spread. + + [Other Info] + + * This bug is a part of a major SRU that brings snap-confine in Ubuntu + 16.04 in line with the current upstream release 1.0.41. + + * This bug was included in an earlier SRU and is now fixed in Ubuntu. I + am updating the template here to ensure that the process is fully + documented from 1.0.38 all the way up to the current upstream release + 1.0.41. + + * snap-confine is technically an integral part of snapd which has an SRU + exception and is allowed to introduce new features and take advantage of + accelerated procedure. For more information see + https://wiki.ubuntu.com/SnapdUpdates + + == # Pre-SRU bug description follows # == + + - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Released Status in linux package in Ubuntu: Confirmed Bug description: [Impact] snap-confine would refuse to work on an older kernel running on an Nvidia Tegra X1 board. This was traced to a bug in older version of apparmor there that required directory-like syntax for /dev/pts/ptmx (with a trailing slash). This bug is fixed by adding an apparmor rule, identical to the normal rule, with an extra slash. Older kernels will use the new rule while current kernels will just ignore it. [Test Case] On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no longer fail to start. On Ubuntu Xenial (all architectures) there should be no perceived change. Snap-confine is carefully tested with a battery of spread tests that can be found here: https://github.com/snapcore/snap- confine/blob/master/spread-tests/ The test cases are ran automatically for each pull request and for each final release. All those tests were executed successfully for this release. As a simple test case consider running any snap (any at all, including hello-world). [Regression Potential] * Regression potential is minimal as the fix simply adds another apparmor rule that grants additional permissions that are only picked up by old buggy
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
Hello Pedro, or anyone else affected, Accepted snap-confine into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snap- confine/1.0.38-0ubuntu0.16.04.10 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Tags added: verification-needed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Released Status in linux package in Ubuntu: Confirmed Bug description: - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
** Changed in: snap-confine Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Released Status in linux package in Ubuntu: Confirmed Bug description: - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
Thanks! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Committed Status in linux package in Ubuntu: Confirmed Bug description: - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
** Changed in: snap-confine Milestone: None => 1.0.40 ** Changed in: snap-confine Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: Fix Committed Status in linux package in Ubuntu: Confirmed Bug description: - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
https://github.com/snapcore/snap-confine/pull/101 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: In Progress Status in linux package in Ubuntu: Confirmed Bug description: - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device
Tyler and I discussed this and feel that since this bug is understood and fixed in newer kernels that adding a workaround rule to the policy is fine at this point. ** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Project changed: snappy => snap-confine ** Changed in: linux (Ubuntu) Status: New => Confirmed ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** Changed in: snap-confine Status: Confirmed => In Progress ** Changed in: snap-confine Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584456 Title: apparmor denial using ptmx char device Status in Snappy Launcher: In Progress Status in linux package in Ubuntu: Confirmed Bug description: - Finding issues running snaps (hello-world). - Same issue even installing with --devmode. Even running the snap binary as root - Using a custom kernel, this is on an Nvidia Tegra X1 custom board. = ubuntu@localhost:~$ hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied ubuntu@localhost:~$ sudo hello-world.echo plop unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied dmesg shows: = [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind" This is with the "hello-world" snap installed with "snap install" Output of an ls over the device file: = ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx /dev/pts: total 0 c- 1 root root 5, 2 Jan 1 1970 ptmx To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp