** Description changed:

+ [Impact]
+ 
+ The snapd interface "log-observe" is broken due to how we handle bind
+ mounts.
+ 
+ This bug is fixed by adding /var/log to a list of directories that are
+ bind mounted and thus visible to snaps in their execution environment.
+ 
+ For more information about the execution environment, please see this
+ article http://www.zygoon.pl/2016/08/snap-execution-environment.html
+ 
+ [Test Case]
+ 
+ The test case can be found here:
+ 
+ https://github.com/snapcore/snap-confine/blob/master/spread-
+ tests/regression/lp-1606277/task.yaml
+ 
+ The test case is ran automatically for each pull request and for each final 
release. It can be reproduced manually by executing the shell commands listed 
in the prepare/execute/restore phases manually.
+ The commands there assume that snapd and snap-confine are installed.
+ No other additional setup is necessary.
+ 
+ [Regression Potential]
+ 
+  * Regression potential is minimal as the fix simply adds another
+ directory to a list of directories that needs to be bind mounted.
+ 
+ * The fix was tested on Ubuntu via spread and on several other
+ distributions successfully.
+ 
+ [Other Info]
+ 
+ * This bug is a part of a major SRU that brings snap-confine in Ubuntu
+ 16.04 in line with the current upstream release 1.0.41.
+ 
+ * This bug was included in an earlier SRU and is now fixed in Ubuntu. I am 
updating the template here to ensure that the process is fully documented from 
1.0.38 all the way up to the current upstream release 1.0.41.
+  
+ * snap-confine is technically an integral part of snapd which has an SRU 
exception and is allowed to introduce new features and take advantage of 
accelerated procedure.
+ 
+ == # Pre-SRU bug description follows # ==
+ 
  The log-observe interface is broken due to how we handle bind mounts
  now. This can be seen with 'snappy-debug':
  
  $ sudo snap install snappy-debug
  $ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
  $ sudo /snap/bin/snappy-debug.security scanlog
  kernel.printk_ratelimit = 0
  Traceback (most recent call last):
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in 
<module>
      sys.exit(main())
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
      from_end=opt.only_new)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in 
__init__
      self.scan_log(log_file, snap_name, follow, from_end)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in 
scan_log
      log = open_file_read(log_file)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in 
open_file_read
      orig = codecs.open(path, 'r', "UTF-8", errors="replace")
    File "/usr/lib/python3.5/codecs.py", line 895, in open
      file = builtins.open(filename, mode, buffering)
  FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
  
  This is because /var/log/syslog is not available at runtime due to the bind 
mounts. This can be shown by installing hello-world, adjusting 
/var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be 
able to read any directory), reloading the profile, then doing:
  $ hello-world.sh
  ...
  bash-4.3$ ls /var/log/
  alternatives.log  btmp         dpkg.log  fsck     watchdog
  bootstrap.log   dmesg  faillog   lastlog  wtmp
  
  This may also be a problem with other interfaces, I haven't checked
  extensively, though it seems that /var/lib/extrausers (from the
  nameservice abstraction) won't work right, and (at least) ppp
  (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also
  affected.
  
  WORKAROUND for snappy-debug: launch outside of the launcher:
  $ sudo SNAP=/snap/snappy-debug/current 
PATH=$PATH:/snap/snappy-debug/current/bin 
/snap/snappy-debug/current/bin/snappy-security scanlog

** Description changed:

  [Impact]
  
  The snapd interface "log-observe" is broken due to how we handle bind
  mounts.
  
  This bug is fixed by adding /var/log to a list of directories that are
  bind mounted and thus visible to snaps in their execution environment.
  
  For more information about the execution environment, please see this
  article http://www.zygoon.pl/2016/08/snap-execution-environment.html
  
  [Test Case]
  
  The test case can be found here:
  
  https://github.com/snapcore/snap-confine/blob/master/spread-
  tests/regression/lp-1606277/task.yaml
  
  The test case is ran automatically for each pull request and for each final 
release. It can be reproduced manually by executing the shell commands listed 
in the prepare/execute/restore phases manually.
  The commands there assume that snapd and snap-confine are installed.
  No other additional setup is necessary.
  
  [Regression Potential]
  
-  * Regression potential is minimal as the fix simply adds another
+  * Regression potential is minimal as the fix simply adds another
  directory to a list of directories that needs to be bind mounted.
  
  * The fix was tested on Ubuntu via spread and on several other
  distributions successfully.
  
  [Other Info]
  
  * This bug is a part of a major SRU that brings snap-confine in Ubuntu
  16.04 in line with the current upstream release 1.0.41.
  
- * This bug was included in an earlier SRU and is now fixed in Ubuntu. I am 
updating the template here to ensure that the process is fully documented from 
1.0.38 all the way up to the current upstream release 1.0.41.
-  
- * snap-confine is technically an integral part of snapd which has an SRU 
exception and is allowed to introduce new features and take advantage of 
accelerated procedure.
+ * This bug was included in an earlier SRU and is now fixed in Ubuntu. I
+ am updating the template here to ensure that the process is fully
+ documented from 1.0.38 all the way up to the current upstream release
+ 1.0.41.
+ 
+ * snap-confine is technically an integral part of snapd which has an SRU
+ exception and is allowed to introduce new features and take advantage of
+ accelerated procedure. For more information see
+ https://wiki.ubuntu.com/SnapdUpdates
  
  == # Pre-SRU bug description follows # ==
  
  The log-observe interface is broken due to how we handle bind mounts
  now. This can be seen with 'snappy-debug':
  
  $ sudo snap install snappy-debug
  $ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
  $ sudo /snap/bin/snappy-debug.security scanlog
  kernel.printk_ratelimit = 0
  Traceback (most recent call last):
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in 
<module>
      sys.exit(main())
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
      from_end=opt.only_new)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in 
__init__
      self.scan_log(log_file, snap_name, follow, from_end)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in 
scan_log
      log = open_file_read(log_file)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in 
open_file_read
      orig = codecs.open(path, 'r', "UTF-8", errors="replace")
    File "/usr/lib/python3.5/codecs.py", line 895, in open
      file = builtins.open(filename, mode, buffering)
  FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
  
  This is because /var/log/syslog is not available at runtime due to the bind 
mounts. This can be shown by installing hello-world, adjusting 
/var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be 
able to read any directory), reloading the profile, then doing:
  $ hello-world.sh
  ...
  bash-4.3$ ls /var/log/
  alternatives.log  btmp         dpkg.log  fsck     watchdog
  bootstrap.log   dmesg  faillog   lastlog  wtmp
  
  This may also be a problem with other interfaces, I haven't checked
  extensively, though it seems that /var/lib/extrausers (from the
  nameservice abstraction) won't work right, and (at least) ppp
  (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also
  affected.
  
  WORKAROUND for snappy-debug: launch outside of the launcher:
  $ sudo SNAP=/snap/snappy-debug/current 
PATH=$PATH:/snap/snappy-debug/current/bin 
/snap/snappy-debug/current/bin/snappy-security scanlog

https://bugs.launchpad.net/bugs/1606277

Title:
  log-observe interface is broken in latest snap-confine


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
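The failure above is a mount-namespace gap, not an AppArmor denial: the profile may allow /var/log/** but the path is simply absent from the snap's view of the filesystem. The following added example (not code from the bug report or from snap-confine) parses /proc/self/mountinfo-style text to check whether the host paths an interface relies on are actually bind-mounted into the execution environment. The two mountinfo samples are constructed, and the example assumes the snap's root mount is the read-only core image (so only non-root mounts count as host directories); the interface-to-path mapping is taken from the report.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo as seen inside a snap's mount
# namespace before the fix: "/" is the read-only core image and only a few
# host directories are bind-mounted over it. /var/log is not among them.
MOUNTINFO_BEFORE='
25 0 7:0 / / ro,relatime - squashfs /dev/loop0 ro
26 25 8:1 /home /home rw,relatime - ext4 /dev/sda1 rw
27 25 8:1 /var/lib/snapd /var/lib/snapd rw,relatime - ext4 /dev/sda1 rw
28 25 0:19 / /tmp rw,nosuid - tmpfs tmpfs rw
'
# Same namespace after the fix: /var/log is now in the bind-mount list.
MOUNTINFO_AFTER="$MOUNTINFO_BEFORE
29 25 8:1 /var/log /var/log rw,relatime - ext4 /dev/sda1 rw
"

# Print the mount point (field 5) of every mountinfo line, undoing the
# \040 escape the kernel uses for spaces in paths.
mount_points() {
    printf '%s\n' "$1" | awk 'NF >= 5 { gsub(/\\040/, " ", $5); print $5 }'
}

# Return 0 if directory $2 is a mount point, or lies under one, in the
# mountinfo text $1. The root mount is skipped on the assumption that it is
# the core snap image and never carries host state such as /var/log.
path_is_bind_mounted() {
    mount_points "$1" | awk -v p="$2" '
        $0 == "/" { next }
        p == $0 || index(p, $0 "/") == 1 { found = 1 }
        END { exit !found }'
}

# For an interface named in the report, print the host paths it needs that
# the mount namespace does not expose (empty output means nothing missing).
missing_paths_for_interface() {
    iface="$1"; info="$2"
    case "$iface" in
        log-observe) paths="/var/log" ;;
        ppp)         paths="/var/log/ppp" ;;
        *)           echo "unknown interface: $iface" >&2; return 2 ;;
    esac
    missing=""
    for p in $paths; do
        path_is_bind_mounted "$info" "$p" || missing="$missing $p"
    done
    printf '%s' "${missing# }"
}
```

Inside a real snap shell the same check runs against the live namespace with `missing_paths_for_interface log-observe "$(cat /proc/self/mountinfo)"`.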
