[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2016-12-01 Thread Mathew Hodson
** No longer affects: ubuntu-core-launcher (Ubuntu) ** No longer affects: ubuntu-snappy (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1466234 Title: Apparmor denial for access to

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2016-04-27 Thread Michael Vogt
root@localhost:/home/ubuntu# hello-world.sh
Launching a shell inside the default app confinement. Navigate to your app-specific directories with:
This works now in snappy 16:
bash-4.3# cd $SNAP_USER_DATA
bash-4.3# pwd
/root/snap/hello-world/25
bash-4.3# touch lala
bash-4.3# ls
lala
** Changed

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2016-02-02 Thread Kyle Fazzari
** Changed in: snappy Status: In Progress => Confirmed
** Changed in: snappy Assignee: Kyle Fazzari (kyrofa) => (unassigned)

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-17 Thread Kyle Fazzari
Bugfix here: https://github.com/ubuntu-core/snappy/pull/264
** Changed in: snappy Status: Triaged => In Progress
** Changed in: snappy Assignee: (unassigned) => Kyle Fazzari (kyrofa)

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-11 Thread Kyle Fazzari
Any update here?

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-02 Thread Launchpad Bug Tracker
This bug was fixed in the package ubuntu-core-security - 16.04.7
---
ubuntu-core-security (16.04.7) xenial; urgency=medium
* ubuntu/default: allow owner match on @{HOME} instead of @{HOMEDIRS}/*/ to allow root access to SNAP_APP_USER_DATA_PATH when it is set to

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-01 Thread Jamie Strandboge
ubuntu-core-security 16.04.7 has the apparmor change for /root/apps and is in xenial-proposed.
** Changed in: ubuntu-core-security (Ubuntu) Status: Triaged => Fix Committed

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-01 Thread Jamie Strandboge
Marking the ubuntu-core-launcher task as invalid since it doesn't require any changes with proposal #1.
** Changed in: ubuntu-core-launcher (Ubuntu) Status: New => Invalid
** Also affects: ubuntu-snappy (Ubuntu) Importance: Undecided Status: New
** Changed in: ubuntu-snappy

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-01 Thread Jamie Strandboge
Adding ubuntu-snappy task since it needs to be modified for proposal #1. Triaging to the level of the Snappy project task.

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-01 Thread John Lenton
I think the least surprising thing to do would be to use /root/apps// for SNAP_APP_USER_DATA_PATH when running an app with sudo.

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-01 Thread Jamie Strandboge
This came up in the context of another conversation, but then we discussed it. The security team reexamined the current behavior and don't like that SNAP_APP_USER_DATA_PATH is being set to the real uid when the effective uid is root. Apart from the usability concern expressed in this bug, from a

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-01 Thread Gustavo Niemeyer
There seem to be two related but independent problems here. The first one is the original problem reported in the description above: the snap user directory is inaccessible to the snap itself. This should indeed be fixed, and there's apparently no reason for us to move this data out of $HOME

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-12-01 Thread Jamie Strandboge
Thanks Gustavo. We discussed this a little bit more on IRC and agree that proposal #1 is the way to go for now. If we need to refine that in the future we can.
** Changed in: ubuntu-core-security (Ubuntu) Status: Incomplete => Triaged
** Changed in: ubuntu-core-security (Ubuntu)

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-10-01 Thread Jamie Strandboge
This bug affects usability. If you install a snap and run one of its binaries with 'sudo foo.bar' then /home/ubuntu/apps gets created as root and subsequent commands run as non-root will fail to create their user data directories. I like Ted's reasoning but ultimately I don't think we shouldn't

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-10-01 Thread Jamie Strandboge
Actually, the bug description shows that lxd *did* get a directory under /root, but latest stable does not do that.
$ sudo rm -rf /home/ubuntu/apps
$ sudo hello-world.env
$ sudo ls -ld /home/ubuntu/apps
drwxr-xr-x 3 root root 4096 Oct 1 08:18 /home/ubuntu/apps
So something may have changed with

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-08-25 Thread Michael Vogt
** Changed in: snappy Status: New => Triaged
** Changed in: snappy Importance: Undecided => Critical

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-06-17 Thread Jamie Strandboge
This is an easy fix policy-wise. I.e., change all occurrences of '@{HOMEDIRS}/*/' to '@{HOME}/' in the policy. However, we actively decided that '/root' would not be included in the default policy, and I'd like to understand why. Is this for the FHS? How does this affect rollbacks? Is /root handled

[Bug 1466234] Re: Apparmor denial for access to SNAP_APP_USER_DATA_PATH as root

2015-06-17 Thread Ted Gould
It kinda seems to me like SNAP_APP_USER_DATA_PATH shouldn't be set for things running as root. It seems that any service should be using SNAP_APP_DATA_PATH. Is there a specific reason to try to write into a user's directory instead of the per-service writable directory?