** Description changed:

+ [Impact]
+ 
+ The "content" interface refused to share the entire contents of one snap
+ with another snap.
+ 
+ This bug was caused by overzealous confinement of snap-confine itself
+ that required for the "source" of the sharing to be a sub-directory of a
+ snap. This restriction was lifted by editing the apparmor profile for
+ snap-confine.
+ 
+ For more information about the execution environment, please see this
+ article http://www.zygoon.pl/2016/08/snap-execution-environment.html
+ 
+ [Test Case]
+ 
+ The test case can be found here:
+ 
+ https://github.com/snapcore/snap-confine/blob/master/spread-
+ tests/regression/lp-1615113/task.yaml
+ 
+ The test case is ran automatically for each pull request and for each final 
release. It can be reproduced manually by executing the shell commands listed 
in the prepare/execute/restore phases manually.
+ The commands there assume that snapd and snap-confine are installed.
+ No other additional setup is necessary.
+ 
+ [Regression Potential]
+ 
+  * Regression potential is minimal as the fix simply makes the apparmor
+ confinement of snap-confine slightly less restrictive.
+ 
+ [Other Info]
+ 
+ * This bug is a part of a major SRU that brings snap-confine in Ubuntu
+ 16.04 in line with the current upstream release 1.0.41.
+ 
+ * This bug was included in an earlier SRU and is now fixed in Ubuntu. I
+ am updating the template here to ensure that the process is fully
+ documented from 1.0.38 all the way up to the current upstream release
+ 1.0.41.
+ 
+ * snap-confine is technically an integral part of snapd which has an SRU
+ exception and is allowed to introduce new features and take advantage of
+ accelerated procedure. For more information see
+ https://wiki.ubuntu.com/SnapdUpdates
+ 
+ == # Pre-SRU bug description follows # ==
+ 
  Using the new "content" interface, and following the integration tests
  as an example, I have build two snaps in https://github.com/ubuntu
  /snappy-playpen/tree/geany one under "geany" the other under "geany-
  plugins" that work together to share the plugin code with the geany app.
  
  Both build, install, and connect just fine, but on trying to run
  /snap/bin/geany it immediately fails with the following message:
  
  cannot mount /snap/geany-plugins/x1 at /snap/geany/x1/plugins with
  options bind,ro. errmsg: Permission denied
  
  Checking dmesg after this shows the following:
  
  [335489.022097] audit: type=1400 audit(1471624994.323:302441):
  apparmor="DENIED" operation="mount" info="failed srcname match"
  error=-13 profile="/usr/lib/snapd/snap-confine"
  name="/snap/geany/x1/plugins/" pid=18454 comm="ubuntu-core-lau"
  srcname="/snap/geany-plugins/x1/" flags="rw, bind"
  
  I belive this is due to the fact that my geany-plugins slot is sharing
  the root of it's content (/) instead of a file or folder by name. This
  makes the mount source /snap/geany-plugins/x1/ which is too short to
  match the apparmor allow line of /snap/*/*/**
  
  To test this, I made the following change to 
/etc/apparmor.d/usr.lib.snapd.snap-confine
  120,121c120,121
  <     mount options=(rw bind) /snap/*/*/** -> /snap/*/*/**,
  <     mount options=(ro bind) /snap/*/*/** -> /snap/*/*/**,
  ---
  >     mount options=(rw bind) /snap/*/** -> /snap/*/*/**,
  >     mount options=(ro bind) /snap/*/** -> /snap/*/*/**,
  
  This allowed the mount to happen and the application to run.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1615113

Title:
  snap-confine prevented from mounting base directory through the
  "content" interface

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1615113/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to