** Description changed:

+ [Impact]
+
+ The snapd interface "log-observe" is broken due to how we handle bind
+ mounts.
+
+ This bug is fixed by adding /var/log to a list of directories that are
+ bind mounted and thus visible to snaps in their execution environment.
+
+ For more information about the execution environment, please see this
+ article http://www.zygoon.pl/2016/08/snap-execution-environment.html
+
+ [Test Case]
+
+ The test case can be found here:
+
+ https://github.com/snapcore/snap-confine/blob/master/spread-tests/regression/lp-1606277/task.yaml
+
+ The test case is run automatically for each pull request and for each
+ final release. It can be reproduced manually by executing the shell
+ commands listed in the prepare/execute/restore phases.
+ The commands there assume that snapd and snap-confine are installed.
+ No other additional setup is necessary.
+
+ [Regression Potential]
+
+ * Regression potential is minimal as the fix simply adds another
+ directory to a list of directories that needs to be bind mounted.
+
+ * The fix was tested on Ubuntu via spread and on several other
+ distributions successfully.
+
+ [Other Info]
+
+ * This bug is a part of a major SRU that brings snap-confine in Ubuntu
+ 16.04 in line with the current upstream release 1.0.41.
+
+ * This bug was included in an earlier SRU and is now fixed in Ubuntu. I
+ am updating the template here to ensure that the process is fully
+ documented from 1.0.38 all the way up to the current upstream release
+ 1.0.41.
+
+ * snap-confine is technically an integral part of snapd which has an SRU
+ exception and is allowed to introduce new features and take advantage of
+ accelerated procedure.
+
+ == # Pre-SRU bug description follows # ==
+ The log-observe interface is broken due to how we handle bind mounts now.
This can be seen with 'snappy-debug':

  $ sudo snap install snappy-debug
  $ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
  $ sudo /snap/bin/snappy-debug.security scanlog
  kernel.printk_ratelimit = 0
  Traceback (most recent call last):
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
      sys.exit(main())
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
      from_end=opt.only_new)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
      self.scan_log(log_file, snap_name, follow, from_end)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
      log = open_file_read(log_file)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
      orig = codecs.open(path, 'r', "UTF-8", errors="replace")
    File "/usr/lib/python3.5/codecs.py", line 895, in open
      file = builtins.open(filename, mode, buffering)
  FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'

This is because /var/log/syslog is not available at runtime due to the bind
mounts. This can be shown by installing hello-world, adjusting
/var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be
able to read any directory), reloading the profile, then doing:

  $ hello-world.sh
  ...
  bash-4.3$ ls /var/log/
  alternatives.log  btmp   dpkg.log  fsck     watchdog
  bootstrap.log     dmesg  faillog   lastlog  wtmp

This may also be a problem with other interfaces, I haven't checked
extensively, though it seems that /var/lib/extrausers (from the nameservice
abstraction) won't work right, and (at least) ppp (/var/log/ppp) and
timezone-control (/usr/share/zoneinfo) are also affected.

WORKAROUND for snappy-debug: launch outside of the launcher:

  $ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog
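As an added illustration (not part of the bug report or of snap-confine): a POSIX shell check that reads a mountinfo listing, as obtained from /proc/self/mountinfo inside the snap execution environment (for example from the hello-world.sh shell shown above), and reports whether /var/log is actually mounted there rather than being the core snap's own nearly empty /var/log. The two mountinfo samples are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the bug report or snap-confine.  Inspects a
# mountinfo listing and tells whether a host directory such as /var/log
# is mounted in the confined namespace.  Before the fix, /var/log is not
# in snap-confine's list of bind-mounted directories, so no entry exists
# and a log-observe snap cannot open /var/log/syslog.

# mountinfo fields (proc(5)): id parent maj:min root mount-point opts ...
# optional-fields "-" fstype source superopts.  Spaces in field 5 are
# encoded as \040.
mount_point_present() {   # $1 = mountinfo text, $2 = directory
    printf '%s\n' "$1" | awk -v want="$2" '
        { gsub(/\\040/, " ", $5); if ($5 == want) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the source (device) of the mount at a directory, if any.
mount_source_of() {       # $1 = mountinfo text, $2 = directory
    printf '%s\n' "$1" | awk -v want="$2" '
        { gsub(/\\040/, " ", $5)
          if ($5 == want)
              for (i = 7; i <= NF; i++)
                  if ($i == "-") { print $(i + 2); exit } }'
}

# Constructed samples: a namespace where /var/log is not bind mounted
# (BROKEN) and the same namespace with the fix applied (FIXED).
BROKEN='21 1 7:0 / / ro,relatime - squashfs /dev/loop0 ro
30 21 8:1 /var/lib/snapd /var/lib/snapd rw,relatime - ext4 /dev/sda1 rw'
FIXED="$BROKEN
31 21 8:1 /var/log /var/log rw,relatime - ext4 /dev/sda1 rw"

# Verdict for the log-observe interface; returns 0 when /var/log is
# reachable from inside the snap.
check_log_observe() {     # $1 = mountinfo text
    if mount_point_present "$1" /var/log; then
        echo "/var/log is mounted from $(mount_source_of "$1" /var/log)"
        return 0
    fi
    echo "/var/log is NOT mounted: log-observe cannot read /var/log/syslog"
    return 1
}

check_log_observe "$BROKEN" || true
check_log_observe "$FIXED"
```

On a real system, feed the function the output of `cat /proc/self/mountinfo` taken from a shell running inside the snap, not from the host.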
** Description changed:

[Impact]

The snapd interface "log-observe" is broken due to how we handle bind
mounts.

This bug is fixed by adding /var/log to a list of directories that are
bind mounted and thus visible to snaps in their execution environment.

For more information about the execution environment, please see this
article http://www.zygoon.pl/2016/08/snap-execution-environment.html

[Test Case]

The test case can be found here:

https://github.com/snapcore/snap-confine/blob/master/spread-tests/regression/lp-1606277/task.yaml

The test case is run automatically for each pull request and for each
final release. It can be reproduced manually by executing the shell
commands listed in the prepare/execute/restore phases.
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.

[Regression Potential]

- * Regression potential is minimal as the fix simply adds another
+ * Regression potential is minimal as the fix simply adds another
directory to a list of directories that needs to be bind mounted.

* The fix was tested on Ubuntu via spread and on several other
distributions successfully.

[Other Info]

* This bug is a part of a major SRU that brings snap-confine in Ubuntu
16.04 in line with the current upstream release 1.0.41.

- * This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
-
- * snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure.
+ * This bug was included in an earlier SRU and is now fixed in Ubuntu. I
+ am updating the template here to ensure that the process is fully
+ documented from 1.0.38 all the way up to the current upstream release
+ 1.0.41.
+
+ * snap-confine is technically an integral part of snapd which has an SRU
+ exception and is allowed to introduce new features and take advantage of
+ accelerated procedure. For more information see
+ https://wiki.ubuntu.com/SnapdUpdates

== # Pre-SRU bug description follows # ==
The log-observe interface is broken due to how we handle bind mounts now.
This can be seen with 'snappy-debug':

  $ sudo snap install snappy-debug
  $ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
  $ sudo /snap/bin/snappy-debug.security scanlog
  kernel.printk_ratelimit = 0
  Traceback (most recent call last):
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
      sys.exit(main())
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
      from_end=opt.only_new)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
      self.scan_log(log_file, snap_name, follow, from_end)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
      log = open_file_read(log_file)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
      orig = codecs.open(path, 'r', "UTF-8", errors="replace")
    File "/usr/lib/python3.5/codecs.py", line 895, in open
      file = builtins.open(filename, mode, buffering)
  FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'

This is because /var/log/syslog is not available at runtime due to the bind
mounts. This can be shown by installing hello-world, adjusting
/var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be
able to read any directory), reloading the profile, then doing:

  $ hello-world.sh
  ...
  bash-4.3$ ls /var/log/
  alternatives.log  btmp   dpkg.log  fsck     watchdog
  bootstrap.log     dmesg  faillog   lastlog  wtmp

This may also be a problem with other interfaces, I haven't checked
extensively, though it seems that /var/lib/extrausers (from the nameservice
abstraction) won't work right, and (at least) ppp (/var/log/ppp) and
timezone-control (/usr/share/zoneinfo) are also affected.

WORKAROUND for snappy-debug: launch outside of the launcher:

  $ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1606277

Title:
  log-observe interface is broken in latest snap-confine

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1606277/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
