** Description changed:
+ The "content" interface refused to share the entire contents of one snap
+ with another snap.
+ This bug was caused by overzealous confinement of snap-confine itself
+ that required for the "source" of the sharing to be a sub-directory of a
+ snap. This restriction was lifted by editing the apparmor profile for
+ For more information about the execution environment, please see this
+ article http://www.zygoon.pl/2016/08/snap-execution-environment.html
+ [Test Case]
+ The test case can be found here:
+ The test case is run automatically for each pull request and for each final
release. It can be reproduced manually by executing the shell commands listed
in the prepare/execute/restore phases manually.
+ The commands there assume that snapd and snap-confine are installed.
+ No other additional setup is necessary.
+ [Regression Potential]
+ * Regression potential is minimal as the fix simply makes the apparmor
+ confinement of snap-confine slightly less restrictive.
+ [Other Info]
+ * This bug is a part of a major SRU that brings snap-confine in Ubuntu
+ 16.04 in line with the current upstream release 1.0.41.
+ * This bug was included in an earlier SRU and is now fixed in Ubuntu. I
+ am updating the template here to ensure that the process is fully
+ documented from 1.0.38 all the way up to the current upstream release
+ * snap-confine is technically an integral part of snapd which has an SRU
+ exception and is allowed to introduce new features and take advantage of
+ accelerated procedure. For more information see
+ == # Pre-SRU bug description follows # ==
Using the new "content" interface, and following the integration tests
as an example, I have built two snaps in
https://github.com/ubuntu/snappy-playpen/tree/geany one under "geany"
the other under "geany-plugins" that work together to share the plugin
code with the geany app.
Both build, install, and connect just fine, but on trying to run
/snap/bin/geany it immediately fails with the following message:
cannot mount /snap/geany-plugins/x1 at /snap/geany/x1/plugins with
options bind,ro. errmsg: Permission denied
Checking dmesg after this shows the following:
[335489.022097] audit: type=1400 audit(1471624994.323:302441):
apparmor="DENIED" operation="mount" info="failed srcname match"
name="/snap/geany/x1/plugins/" pid=18454 comm="ubuntu-core-lau"
srcname="/snap/geany-plugins/x1/" flags="rw, bind"
I believe this is due to the fact that my geany-plugins slot is sharing
the root of its content (/) instead of a file or folder by name. This
makes the mount source /snap/geany-plugins/x1/ which is too short to
match the apparmor allow line of /snap/*/*/**
To test this, I made the following change to
< mount options=(rw bind) /snap/*/*/** -> /snap/*/*/**,
< mount options=(ro bind) /snap/*/*/** -> /snap/*/*/**,
> mount options=(rw bind) /snap/*/** -> /snap/*/*/**,
> mount options=(ro bind) /snap/*/** -> /snap/*/*/**,
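Review bot: the new source pattern `/snap/*/**` in both replacement rules is wider than the reported denial needs. The denied srcname is `/snap/geany-plugins/x1/`, a snap revision root, so consider keeping the original `/snap/*/*/**` rules and adding rules whose source is `/snap/*/*/` instead; that would admit the revision root without also admitting sources that sit directly under `/snap/<name>/`. The target side (`-> /snap/*/*/**`) is unchanged and looks fine.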
This allowed the mount to happen and the application to run.
snap-confine prevented from mounting base directory through the
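The "too short to match" explanation in the report can be checked with a small matcher. This is an added example, not code from snap-confine or AppArmor: it uses a simplified model of AppArmor path globbing (assumed here: `*` stays inside one path component, `**` crosses `/`, and a `*` or `**` that makes up a whole component must match at least one character), and the function names and the paths marked as constructed are illustrative.

```python
import re

ORIGINAL_SRC = "/snap/*/*/**"   # source pattern in the shipped profile (from the report)
RELAXED_SRC = "/snap/*/**"      # source pattern after the reporter's local change


def glob_to_regex(pattern):
    """Translate a path glob into a regex under the simplified model above."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        if pattern[i] != "*":
            out.append(re.escape(pattern[i]))
            i += 1
            continue
        j = i
        while j < n and pattern[j] == "*":
            j += 1
        crosses_slash = (j - i) >= 2            # '**' may span '/'
        whole_component = (i > 0 and pattern[i - 1] == "/"
                           and (j == n or pattern[j] == "/"))
        if whole_component:
            out.append("[^/]")                  # must consume at least one character
        out.append(".*" if crosses_slash else "[^/]*")
        i = j
    return re.compile("".join(out), re.S)


def source_allowed(rule_source, path):
    """True if the mount source path matches the rule's source pattern."""
    return glob_to_regex(rule_source).fullmatch(path) is not None


def compare(paths):
    """Return {path: (allowed_by_original, allowed_by_relaxed)}."""
    return {p: (source_allowed(ORIGINAL_SRC, p), source_allowed(RELAXED_SRC, p))
            for p in paths}


if __name__ == "__main__":
    sample = [
        "/snap/geany-plugins/x1/",      # srcname from the audit line in the report
        "/snap/geany-plugins/x1/lib",   # constructed: sub-directory of a revision
        "/snap/geany-plugins/current",  # constructed: entry directly under the snap name
        "/snap/geany-plugins/",         # constructed: snap name directory itself
    ]
    for path, (orig, relaxed) in compare(sample).items():
        print(f"{path:32} original={orig!s:5} relaxed={relaxed}")
```

The third sample path shows what the relaxed pattern admits beyond the revision root itself.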