[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Zygmunt Krynicki]

This bug was fixed while snap-confine was a separate package. I'm
marking the snappy task as fix-released.

** Changed in: snappy
   Status: In Progress => Fix Released

** Project changed: snappy => snapd

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Nicholas Skaggs]

Yakkety still has 1.0.43.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Andreas Hasenack]

Nowadays xenial-updates has an ever higher version of snap-confine: 2.21

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Mathew Hodson]

** Changed in: snap-confine (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: snap-confine (Ubuntu Yakkety)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Andy Whitcroft]

Hello Tyler, or anyone else affected,

Accepted snap-confine into yakkety-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/snap-
confine/1.0.44-0ubuntu1~16.10 in a few hours, and then in the -proposed
repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: snap-confine (Ubuntu Yakkety)
   Status: New => Fix Committed

** Tags removed: verification-done

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Zygmunt Krynicki]

** Description changed:

+ [Impact]
+ 
+ TBD
+ 
+ [Test Case]
+ 
+ Look below for a test case.
+ 
+ [Regression Potential]
+ 
+ TBD
+ 
+ [Other Info]
+ 
+ * snap-confine is technically an integral part of snapd which has an SRU
+ exception and is allowed to introduce new features and take advantage of
+ accelerated procedure. For more information see
+ https://wiki.ubuntu.com/SnapdUpdates
+ 
+ == # Pre-SRU bug description follows # ==
+ 
  The kernel (4.8.0-19.21), apparmor (2.10.95-4ubuntu5), and lxd
  (2.4-0ubuntu1) needed for running snaps inside of LXD containers (bug
  #1611078) have all landed in Yakkety. We should be able to install
  squashfuse and snapd 2.16+16.10 (from yakkety-proposed) and then run
  snaps inside of unprivileged LXD containers.
  
  I have verified that it works well for the root user inside of the
  container but there are some issues when a normal user attempts to run a
  snap command.
  
  # Create yakkety container named "yakkety"
  tyhicks@host:~$ lxc launch ubuntu-daily:devel yakkety
  Creating yakkety
  Starting yakkety
  
  # Enter the container, enable yakkety-proposed, update, install the 
dependencies
  tyhicks@host:~$ lxc exec yakkety bash
  root@yakkety:~# echo "deb http://archive.ubuntu.com/ubuntu/ \
  yakkety-proposed restricted main multiverse universe" > \
  /etc/apt/sources.list.d/proposed.list
  root@yakkety:~# echo -e "Package: *\nPin: release a=yakkety-proposed\n\
  Pin-Priority: 400" > /etc/apt/preferences.d/proposed-updates
  root@yakkety:~# apt-get update && apt-get dist-upgrade -y
  ...
  root@yakkety:~# apt-get install -y squashfuse snapd/yakkety-proposed
  ...
  
  # Rebooting the container should not be needed but is done for completeness
  root@yakkety:~# reboot
  tyhicks@host:~$ lxc exec yakkety bash
  
  # Install the hello-world snap
  root@yakkety:~# snap install hello-world
  hello-world (stable) 6.3 from 'canonical' installed
  
  # Snap commands work fine as root inside the container but not as a normal 
user
  root@yakkety:~# /snap/bin/hello-world.env
  SNAP_USER_COMMON=/root/snap/hello-world/common
  ...
  root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
  internal error, please report: running "hello-world.env" failed: open 
/snap/hello-world/27/meta/snap.yaml: permission denied
  
  # The normal user can't access /snap/hello-world/27 because of some oddness 
with the
  # dentry
  root@yakkety:~# ls -al /snap/hello-world
  total 8
  drwxr-xr-x 3 root root 4096 Oct  5 21:09 .
  drwxr-xr-x 5 root root 4096 Oct  5 21:09 ..
  drwxrwxr-x 4 root root0 Jul 11 21:20 27
  lrwxrwxrwx 1 root root2 Oct  5 21:09 current -> 27
  root@yakkety:~# su - ubuntu -c 'ls -al /snap/hello-world'
  ls: cannot access '/snap/hello-world/27': Permission denied
  total 8
  drwxr-xr-x 3 root root 4096 Oct  5 21:09 .
  drwxr-xr-x 5 root root 4096 Oct  5 21:09 ..
  d? ? ??   ?? 27
  lrwxrwxrwx 1 root root2 Oct  5 21:09 current -> 27

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Zygmunt Krynicki]

** Changed in: snap-confine
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Zygmunt Krynicki]

** Changed in: snap-confine
Milestone: None => 1.0.44

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Launchpad Bug Tracker]

This bug was fixed in the package snap-confine - 1.0.43-0ubuntu1~16.04.1

---
snap-confine (1.0.43-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * Backport from 16.10 (LP: #1630040)

snap-confine (1.0.43-0ubuntu1) yakkety; urgency=medium

  * New upstream release (LP: #1630479, LP: #1630492, LP: #1628612)
  * debian/patches/lp1630789.patch: allow running snaps by non-root users in
LXD containers (LP: #1630789)

snap-confine (1.0.42-0ubuntu3) yakkety; urgency=medium

  * allow snap-confine to mount on /dev/pts/ptmx for LXD with /dev/ptmx
symlink

snap-confine (1.0.42-0ubuntu2) yakkety; urgency=medium

  * add mmap to AppArmor policy for snap-confine for running snap-confine
under LXD on 4.8 kernels

snap-confine (1.0.42-0ubuntu1) yakkety; urgency=medium

  * New upstream release
  * Drop patch skip-nsfs-magic-tests-on-old-kernels.patch (applied upstream)

snap-confine (1.0.41-0ubuntu2) yakkety; urgency=medium

  * add skip-nsfs-magic-tests-on-old-kernels.patch to disable NSFS tests on
kernels older than 3.19 (LP: #1625565)

snap-confine (1.0.41-0ubuntu1) yakkety; urgency=medium

  * New upstream release, full list of issues is available at
https://launchpad.net/snap-confine/+milestone/1.0.41
  * Drop all patches (included upstream).
  * Add version to apparmor run-time dependency.

snap-confine (1.0.40-1) unstable; urgency=medium

  * New upstream release, full list of issues is available at
https://launchpad.net/snap-confine/+milestone/1.0.40
  * Drop apparmor profile from the debian/ directory and install it straight
from upstream package. This is now automatically consistent with package
configuration prefix.
  * Drop patch: prctl-compatibility.patch(applied upstream)
  * Add directory /var/lib/snapd/void to snap-confine
  * Add patch: 0001-Don-t-shellcheck-files-spread-prepare-script.patch that
fixes make check due to a mistake upstream.
  * Add patch: 0001-Stop-using-deprecated-readdir_r.patch (LP: #1615615)

snap-confine (1.0.39-1) unstable; urgency=medium

  * New upstream release.
  * Remove d/patches/01_lp1606277.patch, applied upstream.

snap-confine (1.0.38-3) unstable; urgency=medium

  * debian/patches/prctl-compatibility.patch: add shadow definitions for
compatibility with older kernel headers.
  * drop build-dependency on shellcheck, which is not used at build time
and doesn't exist in trusty.
  * make ubuntu-core-launcher "arch:any" to workaround an issue in
rm_conffile which does not deal with changing architectures
  * fix log-observer interface regression (LP: #1606277)

snap-confine (1.0.38-2) unstable; urgency=medium

  * Fix invocations of rm_conffile.
  * Update d/usr.lib.snapd.snap-confine to the latest upstream version to
ensure content-sharing fully works.

snap-confine (1.0.38-1) unstable; urgency=medium

  * New upstream release.

 -- Jamie Strandboge   Thu, 06 Oct 2016 14:51:26 +

** Changed in: snap-confine (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Leo Arias]

This can't really be tested yet for snap-confine in xenial proposed
because the required packages are not yet in xenial. I tried bringing
packages from yakkety and yakkety-proposed, but that didn't work, it was
just a long shot. It even seems there is still a PR in flight for snapd.

I checked the individual pull requests for snap-confine and they have
been thoroughly reviewed, and after an hour running different tests I
haven't found any regression. Because we have an emergency and need to
speed up the landing of snap-confine, I'm going to mark this as
verified. However once all the other pieces are in place in xenial, this
needs some exploratory for snaps inside lxc.

Thanks Andy.

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Launchpad Bug Tracker]

This bug was fixed in the package snapd - 2.16+16.10ubuntu1

---
snapd (2.16+16.10ubuntu1) yakkety; urgency=medium

  * systemd/systemd.go, systemd/systemd_test.go: Correct the mount arguments
when mounting with squashfuse (LP: #1630789)

 -- Tyler Hicks   Thu, 06 Oct 2016 18:49:40 +

** Changed in: snapd (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Tyler Hicks]

** Changed in: snapd (Ubuntu)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Tyler Hicks]

** Changed in: snapd (Ubuntu)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: snapd (Ubuntu)
   Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Tyler Hicks]

Pull request for snapd: https://github.com/snapcore/snapd/pull/2112

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Launchpad Bug Tracker]

This bug was fixed in the package snap-confine - 1.0.43-0ubuntu1

---
snap-confine (1.0.43-0ubuntu1) yakkety; urgency=medium

  * New upstream release (LP: #1630479, LP: #1630492, LP: #1628612)
  * debian/patches/lp1630789.patch: allow running snaps by non-root users in
LXD containers (LP: #1630789)

 -- Jamie Strandboge   Thu, 06 Oct 2016 12:29:59 +

** Changed in: snap-confine (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Tyler Hicks]

** Changed in: snappy
   Status: Triaged => In Progress

** Changed in: snappy
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Andy Whitcroft]

Hello Tyler, or anyone else affected,

Accepted snap-confine into xenial-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/snap-
confine/1.0.43-0ubuntu1~16.04.1 in a few hours, and then in the
-proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: snap-confine (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Jamie Strandboge]

1.0.43-0ubuntu1 uploaded to yakkety.

** Changed in: snap-confine (Ubuntu)
   Status: In Progress => Fix Committed

** Also affects: snap-confine
   Importance: Undecided
   Status: New

** Changed in: snap-confine
   Importance: Undecided => High

** Changed in: snap-confine
   Status: New => Fix Committed

** Changed in: snap-confine
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Jamie Strandboge]

** Changed in: snap-confine (Ubuntu)
   Status: Triaged => In Progress

** Changed in: snap-confine (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Tyler Hicks]

I made an unfortunate typo in the following sentence found in comment
#4:

This explains the AppArmor denial from comment #3 containing
"fsuid=296608 ouid=0". The setuid-container-root snap-confine task is
correctly running as fsuid 296608 (container_ns root) but the mountinfo
inode is correctly assigned uid 0 (init_ns root).

It should have read:

This explains the AppArmor denial from comment #3 containing
"fsuid=296608 ouid=0". The setuid-container-root snap-confine task is
correctly running as fsuid 296608 (container_ns root) but the mountinfo
inode is *incorrectly* assigned uid 0 (init_ns root).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1630789] Re: normal users can't run snaps inside of LXD containers

[Tyler Hicks]

Problem #3, the final problem, is due to a missing AppArmor rule needed
when the following PR was merged:

  https://github.com/snapcore/snap-confine/pull/145

After fixing the squashfuse mounts, as mentioned in comment #3, and
dropping the "owner" conditional, as mentioned in comment #4 (be sure to
reload the AppArmor profile after that), we see the following:

root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
cannot change apparmor hat of the support process for mount namespace capture. 
errmsg: Permission denied
support process for mount namespace capture exited abnormally

This AppArmor denial is logged:

[14428.623321] audit: type=1400 audit(1475715521.677:546):
apparmor="DENIED" operation="open" namespace="root//lxd-yakkety_" profile="/usr/lib/snapd/snap-confine"
name="/proc/977/attr/current" pid=908 comm="ubuntu-core-lau"
requested_mask="w" denied_mask="w" fsuid=296608 ouid=0

That PR resulted in the following call chain:

  main() -> sc_main() -> sc_create_or_join_ns_group() -> aa_change_hat()

aa_change_hat() must write to /proc/PID/attr/current but that PR didn't
add a rule to allow that file access.

Adding the '@{PROC}/[0-9]*/attr/current w,' rule and reloading the
profile allows us to run the hello-world.env snap command as a regular
user inside of an unprivileged user namespace:

root@yakkety:~# su - ubuntu -c '/snap/bin/hello-world.env'
XDG_SESSION_ID=c13

** Also affects: snapd (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: snap-confine (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: snap-confine (Ubuntu)
   Importance: Undecided => High

** Changed in: snapd (Ubuntu)
   Importance: Undecided => High

** Changed in: snap-confine (Ubuntu)
   Status: New => Triaged

** Changed in: snapd (Ubuntu)
   Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1630789

Title:
  normal users can't run snaps inside of LXD containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1630789/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs