[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Launchpad Bug Tracker]

This bug was fixed in the package snap-confine -
1.0.38-0ubuntu0.16.04.10

---
snap-confine (1.0.38-0ubuntu0.16.04.10) xenial; urgency=medium

  * debian/usr.lib.snapd.snap-confine:
- synchronize apparmor profile with upstream 1.0.40 release.
(LP: #1597842, LP: #1615113, LP: #1584456)

snap-confine (1.0.38-0ubuntu0.16.04.9) xenial; urgency=medium

  * debian/patches/04_not_die_unknown_locations.patch:
- move to /var/lib/snapd/void (with mode 0) if the current
  location cannot be preserved (LP: #1612684)

 -- Zygmunt Krynicki   Wed, 24 Aug 2016
20:31:12 +0200

** Changed in: snap-confine (Ubuntu Xenial)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Released
Status in linux package in Ubuntu:
  Confirmed
Status in snap-confine package in Ubuntu:
  Fix Released
Status in snap-confine source package in Xenial:
  Fix Released

Bug description:
  [Impact]

  snap-confine would refuse to work on an older kernel running on an
  Nvidia Tegra X1 board. This was traced to a bug in older version of
  apparmor there that required directory-like syntax for /dev/pts/ptmx
  (with a trailing slash).

  This bug is fixed by adding an apparmor rule, identical to the normal
  rule, with an extra slash. Older kernels will use the new rule while
  current kernels will just ignore it.

  [Test Case]

  On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no
  longer fail to start. On Ubuntu Xenial (all architectures) there
  should be no perceived change.

  Snap-confine is carefully tested with a battery of spread tests that
  can be found here: https://github.com/snapcore/snap-
  confine/blob/master/spread-tests/

  The test cases are ran automatically for each pull request and for
  each final release.

  All those tests were executed successfully for this release. As a
  simple test case consider running any snap (any at all, including
  hello-world).

  [Regression Potential]

   * Regression potential is minimal as the fix simply adds another
  apparmor rule that grants additional permissions that are only picked
  up by old buggy kernels.

  * The fix was tested on Ubuntu via spread.

  [Other Info]

  * This bug is a part of a major SRU that brings snap-confine in Ubuntu
  16.04 in line with the current upstream release 1.0.41.

  * This bug was included in an earlier SRU and is now fixed in Ubuntu.
  I am updating the template here to ensure that the process is fully
  documented from 1.0.38 all the way up to the current upstream release
  1.0.41.

  * snap-confine is technically an integral part of snapd which has an
  SRU exception and is allowed to introduce new features and take
  advantage of accelerated procedure. For more information see
  https://wiki.ubuntu.com/SnapdUpdates

  == # Pre-SRU bug description follows # ==

  - Finding issues running snaps (hello-world).
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Zygmunt Krynicki]

Per agreement with jdstrand it is sufficient to verify that the new
policy is a superset (that is, it allows to do more, not less) of the
old policy. This prevents the possibility of regressions. Given that the
original bug was reported on a non-common hardware/kernel combination
this serves as a sufficient SRU verification.

As a part of the verification the apparmro profile from
/etc/apparmor.d/usr.lib.snapd.snap-confine was copied before and after
the proposed upgrade. The package upgraded successfully so the new
profile was also successfully compiled and loaded into the kernel. Both
profiles were compared and the new rule, containing the extra trailing
slash, was present in the diff.


** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Released
Status in linux package in Ubuntu:
  Confirmed
Status in snap-confine package in Ubuntu:
  Fix Released
Status in snap-confine source package in Xenial:
  Fix Released

Bug description:
  [Impact]

  snap-confine would refuse to work on an older kernel running on an
  Nvidia Tegra X1 board. This was traced to a bug in older version of
  apparmor there that required directory-like syntax for /dev/pts/ptmx
  (with a trailing slash).

  This bug is fixed by adding an apparmor rule, identical to the normal
  rule, with an extra slash. Older kernels will use the new rule while
  current kernels will just ignore it.

  [Test Case]

  On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no
  longer fail to start. On Ubuntu Xenial (all architectures) there
  should be no perceived change.

  Snap-confine is carefully tested with a battery of spread tests that
  can be found here: https://github.com/snapcore/snap-
  confine/blob/master/spread-tests/

  The test cases are ran automatically for each pull request and for
  each final release.

  All those tests were executed successfully for this release. As a
  simple test case consider running any snap (any at all, including
  hello-world).

  [Regression Potential]

   * Regression potential is minimal as the fix simply adds another
  apparmor rule that grants additional permissions that are only picked
  up by old buggy kernels.

  * The fix was tested on Ubuntu via spread.

  [Other Info]

  * This bug is a part of a major SRU that brings snap-confine in Ubuntu
  16.04 in line with the current upstream release 1.0.41.

  * This bug was included in an earlier SRU and is now fixed in Ubuntu.
  I am updating the template here to ensure that the process is fully
  documented from 1.0.38 all the way up to the current upstream release
  1.0.41.

  * snap-confine is technically an integral part of snapd which has an
  SRU exception and is allowed to introduce new features and take
  advantage of accelerated procedure. For more information see
  https://wiki.ubuntu.com/SnapdUpdates

  == # Pre-SRU bug description follows # ==

  - Finding issues running snaps (hello-world).
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Zygmunt Krynicki]

Yann could you please verify that this bug is fixed by the package in
xenial-proposed?

You can find more information about the process at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Released
Status in linux package in Ubuntu:
  Confirmed
Status in snap-confine package in Ubuntu:
  Fix Released
Status in snap-confine source package in Xenial:
  In Progress

Bug description:
  [Impact]

  snap-confine would refuse to work on an older kernel running on an
  Nvidia Tegra X1 board. This was traced to a bug in older version of
  apparmor there that required directory-like syntax for /dev/pts/ptmx
  (with a trailing slash).

  This bug is fixed by adding an apparmor rule, identical to the normal
  rule, with an extra slash. Older kernels will use the new rule while
  current kernels will just ignore it.

  [Test Case]

  On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no
  longer fail to start. On Ubuntu Xenial (all architectures) there
  should be no perceived change.

  Snap-confine is carefully tested with a battery of spread tests that
  can be found here: https://github.com/snapcore/snap-
  confine/blob/master/spread-tests/

  The test cases are ran automatically for each pull request and for
  each final release.

  All those tests were executed successfully for this release. As a
  simple test case consider running any snap (any at all, including
  hello-world).

  [Regression Potential]

   * Regression potential is minimal as the fix simply adds another
  apparmor rule that grants additional permissions that are only picked
  up by old buggy kernels.

  * The fix was tested on Ubuntu via spread.

  [Other Info]

  * This bug is a part of a major SRU that brings snap-confine in Ubuntu
  16.04 in line with the current upstream release 1.0.41.

  * This bug was included in an earlier SRU and is now fixed in Ubuntu.
  I am updating the template here to ensure that the process is fully
  documented from 1.0.38 all the way up to the current upstream release
  1.0.41.

  * snap-confine is technically an integral part of snapd which has an
  SRU exception and is allowed to introduce new features and take
  advantage of accelerated procedure. For more information see
  https://wiki.ubuntu.com/SnapdUpdates

  == # Pre-SRU bug description follows # ==

  - Finding issues running snaps (hello-world).
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Michael Hudson-Doyle]

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: snap-confine (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** No longer affects: linux (Ubuntu Xenial)

** Changed in: snap-confine (Ubuntu Xenial)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Released
Status in linux package in Ubuntu:
  Confirmed
Status in snap-confine package in Ubuntu:
  Fix Released
Status in snap-confine source package in Xenial:
  In Progress

Bug description:
  [Impact]

  snap-confine would refuse to work on an older kernel running on an
  Nvidia Tegra X1 board. This was traced to a bug in older version of
  apparmor there that required directory-like syntax for /dev/pts/ptmx
  (with a trailing slash).

  This bug is fixed by adding an apparmor rule, identical to the normal
  rule, with an extra slash. Older kernels will use the new rule while
  current kernels will just ignore it.

  [Test Case]

  On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no
  longer fail to start. On Ubuntu Xenial (all architectures) there
  should be no perceived change.

  Snap-confine is carefully tested with a battery of spread tests that
  can be found here: https://github.com/snapcore/snap-
  confine/blob/master/spread-tests/

  The test cases are ran automatically for each pull request and for
  each final release.

  All those tests were executed successfully for this release. As a
  simple test case consider running any snap (any at all, including
  hello-world).

  [Regression Potential]

   * Regression potential is minimal as the fix simply adds another
  apparmor rule that grants additional permissions that are only picked
  up by old buggy kernels.

  * The fix was tested on Ubuntu via spread.

  [Other Info]

  * This bug is a part of a major SRU that brings snap-confine in Ubuntu
  16.04 in line with the current upstream release 1.0.41.

  * This bug was included in an earlier SRU and is now fixed in Ubuntu.
  I am updating the template here to ensure that the process is fully
  documented from 1.0.38 all the way up to the current upstream release
  1.0.41.

  * snap-confine is technically an integral part of snapd which has an
  SRU exception and is allowed to introduce new features and take
  advantage of accelerated procedure. For more information see
  https://wiki.ubuntu.com/SnapdUpdates

  == # Pre-SRU bug description follows # ==

  - Finding issues running snaps (hello-world).
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Michael Hudson-Doyle]

** Also affects: snap-confine (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: snap-confine (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Released
Status in linux package in Ubuntu:
  Confirmed
Status in snap-confine package in Ubuntu:
  Fix Released

Bug description:
  [Impact]

  snap-confine would refuse to work on an older kernel running on an
  Nvidia Tegra X1 board. This was traced to a bug in older version of
  apparmor there that required directory-like syntax for /dev/pts/ptmx
  (with a trailing slash).

  This bug is fixed by adding an apparmor rule, identical to the normal
  rule, with an extra slash. Older kernels will use the new rule while
  current kernels will just ignore it.

  [Test Case]

  On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no
  longer fail to start. On Ubuntu Xenial (all architectures) there
  should be no perceived change.

  Snap-confine is carefully tested with a battery of spread tests that
  can be found here: https://github.com/snapcore/snap-
  confine/blob/master/spread-tests/

  The test cases are ran automatically for each pull request and for
  each final release.

  All those tests were executed successfully for this release. As a
  simple test case consider running any snap (any at all, including
  hello-world).

  [Regression Potential]

   * Regression potential is minimal as the fix simply adds another
  apparmor rule that grants additional permissions that are only picked
  up by old buggy kernels.

  * The fix was tested on Ubuntu via spread.

  [Other Info]

  * This bug is a part of a major SRU that brings snap-confine in Ubuntu
  16.04 in line with the current upstream release 1.0.41.

  * This bug was included in an earlier SRU and is now fixed in Ubuntu.
  I am updating the template here to ensure that the process is fully
  documented from 1.0.38 all the way up to the current upstream release
  1.0.41.

  * snap-confine is technically an integral part of snapd which has an
  SRU exception and is allowed to introduce new features and take
  advantage of accelerated procedure. For more information see
  https://wiki.ubuntu.com/SnapdUpdates

  == # Pre-SRU bug description follows # ==

  - Finding issues running snaps (hello-world).
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Zygmunt Krynicki]

** Description changed:

+ [Impact]
  
- - Finding issues running snaps (hello-world). 
+ snap-confine would refuse to work on an older kernel running on an
+ Nvidia Tegra X1 board. This was traced to a bug in older version of
+ apparmor there that required directory-like syntax for /dev/pts/ptmx
+ (with a trailing slash).
+ 
+ This bug is fixed by adding an apparmor rule, identical to the normal
+ rule, with an extra slash. Older kernels will use the new rule while
+ current kernels will just ignore it.
+ 
+ [Test Case]
+ 
+ On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no
+ longer fail to start. On Ubuntu Xenial (all architectures) there should
+ be no perceived change.
+ 
+ Snap-confine is carefully tested with a battery of spread tests that can
+ be found here: https://github.com/snapcore/snap-confine/blob/master
+ /spread-tests/
+ 
+ The test cases are ran automatically for each pull request and for each
+ final release.
+ 
+ All those tests were executed successfully for this release. As a simple
+ test case consider running any snap (any at all, including hello-world).
+ 
+ [Regression Potential]
+ 
+  * Regression potential is minimal as the fix simply adds another
+ apparmor rule that grants additional permissions that are only picked up
+ by old buggy kernels.
+ 
+ * The fix was tested on Ubuntu via spread.
+ 
+ [Other Info]
+ 
+ * This bug is a part of a major SRU that brings snap-confine in Ubuntu
+ 16.04 in line with the current upstream release 1.0.41.
+ 
+ * This bug was included in an earlier SRU and is now fixed in Ubuntu. I
+ am updating the template here to ensure that the process is fully
+ documented from 1.0.38 all the way up to the current upstream release
+ 1.0.41.
+ 
+ * snap-confine is technically an integral part of snapd which has an SRU
+ exception and is allowed to introduce new features and take advantage of
+ accelerated procedure. For more information see
+ https://wiki.ubuntu.com/SnapdUpdates
+ 
+ == # Pre-SRU bug description follows # ==
+ 
+ - Finding issues running snaps (hello-world).
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.
  
  =
  
  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  
  dmesg shows:
  =
  
  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  
  This is with the "hello-world" snap installed with "snap install"
  
  Output of an ls over the device file:
  =
  
  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx
  
  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Released
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  [Impact]

  snap-confine would refuse to work on an older kernel running on an
  Nvidia Tegra X1 board. This was traced to a bug in older version of
  apparmor there that required directory-like syntax for /dev/pts/ptmx
  (with a trailing slash).

  This bug is fixed by adding an apparmor rule, identical to the normal
  rule, with an extra slash. Older kernels will use the new rule while
  current kernels will just ignore it.

  [Test Case]

  On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no
  longer fail to start. On Ubuntu Xenial (all architectures) there
  should be no perceived change.

  Snap-confine is carefully tested with a battery of spread tests that
  can be found here: https://github.com/snapcore/snap-
  confine/blob/master/spread-tests/

  The test cases are ran automatically for each pull request and for
  each final release.

  All those tests were executed successfully for this release. As a
  simple test case consider running any snap (any at all, including
  hello-world).

  [Regression Potential]

   * Regression potential is minimal as the fix simply adds another
  apparmor rule that grants additional permissions that are only picked
  up by old buggy 

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Martin Pitt]

Hello Pedro, or anyone else affected,

Accepted snap-confine into xenial-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/snap-
confine/1.0.38-0ubuntu0.16.04.10 in a few hours, and then in the
-proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Released
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  
  - Finding issues running snaps (hello-world). 
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Zygmunt Krynicki]

** Changed in: snap-confine
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Released
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  
  - Finding issues running snaps (hello-world). 
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Yann Sionneau]

Thanks!

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Committed
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  
  - Finding issues running snaps (hello-world). 
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Zygmunt Krynicki]

** Changed in: snap-confine
Milestone: None => 1.0.40

** Changed in: snap-confine
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  Fix Committed
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  
  - Finding issues running snaps (hello-world). 
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Jamie Strandboge]

https://github.com/snapcore/snap-confine/pull/101

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  In Progress
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  
  - Finding issues running snaps (hello-world). 
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1584456] Re: apparmor denial using ptmx char device

[Jamie Strandboge]

Tyler and I discussed this and feel that since this bug is understood
and fixed in newer kernels that adding a workaround rule to the policy
is fine at this point.

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Project changed: snappy => snap-confine

** Changed in: linux (Ubuntu)
   Status: New => Confirmed

** Changed in: linux (Ubuntu)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: snap-confine
   Status: Confirmed => In Progress

** Changed in: snap-confine
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

Status in Snappy Launcher:
  In Progress
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  
  - Finding issues running snaps (hello-world). 
  - Same issue even installing with --devmode. Even running the snap binary as 
root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =

  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =

  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=911
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
  operation="mount" info="failed mntpnt match" error=-13 parent=914
  profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
  comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =

  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c- 1 root root 5, 2 Jan  1  1970 ptmx

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp