** Description changed:

+ [Impact]
- - Finding issues running snaps (hello-world).
+ snap-confine would refuse to work on an older kernel running on an
+ Nvidia Tegra X1 board. This was traced to a bug in older versions of
+ apparmor there that required directory-like syntax for /dev/pts/ptmx
+ (with a trailing slash).
+
+ This bug is fixed by adding an apparmor rule, identical to the normal
+ rule, with an extra slash. Older kernels will use the new rule while
+ current kernels will just ignore it.
+
+ [Test Case]
+
+ On an Nvidia Tegra X1 board running 3.10.96, snap-confine should no
+ longer fail to start. On Ubuntu Xenial (all architectures) there should
+ be no perceived change.
+
+ Snap-confine is carefully tested with a battery of spread tests that can
+ be found here: https://github.com/snapcore/snap-confine/blob/master/spread-tests/
+
+ The test cases are run automatically for each pull request and for each
+ final release.
+
+ All those tests were executed successfully for this release. As a simple
+ test case consider running any snap (any at all, including hello-world).
+
+ [Regression Potential]
+
+ * Regression potential is minimal as the fix simply adds another
+ apparmor rule that grants additional permissions that are only picked up
+ by old buggy kernels.
+
+ * The fix was tested on Ubuntu via spread.
+
+ [Other Info]
+
+ * This bug is a part of a major SRU that brings snap-confine in Ubuntu
+ 16.04 in line with the current upstream release 1.0.41.
+
+ * This bug was included in an earlier SRU and is now fixed in Ubuntu. I
+ am updating the template here to ensure that the process is fully
+ documented from 1.0.38 all the way up to the current upstream release
+ 1.0.41.
+
+ * snap-confine is technically an integral part of snapd which has an SRU
+ exception and is allowed to introduce new features and take advantage of
+ the accelerated procedure. For more information see
+ https://wiki.ubuntu.com/SnapdUpdates
+
+ == # Pre-SRU bug description follows # ==
+
+ - Finding issues running snaps (hello-world).
  - Same issue even installing with --devmode. Even running the snap binary as root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.

  =====================================
  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied

  dmesg shows:
  =====================================
  [ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"

  This is with the "hello-world" snap installed with "snap install"

  Output of an ls over the device file:
  =====================================
  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx

  /dev/pts:
  total 0
  c--------- 1 root root 5, 2 Jan 1 1970 ptmx
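As an added example (my own code, not from the bug report or the snap-confine project): a small Python parser over the dmesg records quoted above that picks out mount denials whose paths carry the trailing slash the [Impact] section describes, and derives the normal bind-mount rule together with its trailing-slash twin. The names SAMPLE_DMESG, parse_record, trailing_slash_mount_denials and mount_rules_for are mine, the third log line is constructed, and the rule text uses generic AppArmor mount-rule syntax rather than snap-confine's actual profile.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the two dmesg records quoted in the bug report, plus one
# constructed non-mount denial (not from the report) to show it is skipped.
SAMPLE_DMESG = """\
[ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
[ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
[ 320.000000] type=1400 audit(1455208390.000:18): apparmor="DENIED" operation="open" profile="/usr/bin/ubuntu-core-launcher" name="/etc/example.conf" pid=930 comm="ubuntu-core-lau" requested_mask="r" denied_mask="r"
"""

# Audit records are key=value pairs: quoted when the value may contain
# spaces (flags="rw, bind"), bare otherwise (error=-13, pid=912).
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit line into its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}

def trailing_slash_mount_denials(log: str) -> List[Dict[str, str]]:
    """Mount DENIED records whose source or target path ends in '/'.
    On a char device such as /dev/pts/ptmx that trailing slash is the
    signature of the old-kernel directory-style matching the report describes."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "mount":
            continue
        if rec.get("name", "").endswith("/") or rec.get("srcname", "").endswith("/"):
            hits.append(rec)
    return hits

def mount_rules_for(rec: Dict[str, str]) -> Tuple[str, str]:
    """Normal bind-mount rule and its trailing-slash twin, in generic AppArmor
    mount-rule syntax (an assumed shape, not snap-confine's own profile text)."""
    src = rec["srcname"].rstrip("/")
    dst = rec["name"].rstrip("/")
    opts = rec["flags"]
    return (f"mount options=({opts}) {src} -> {dst},",
            f"mount options=({opts}) {src}/ -> {dst}/,")

if __name__ == "__main__":
    for rec in trailing_slash_mount_denials(SAMPLE_DMESG):
        print(rec["profile"], rec["srcname"], "->", rec["name"])
        print("\n".join(mount_rules_for(rec)))
```

On a current kernel the same denial would show the paths without trailing slashes, so the plain rule alone matches; the twin rule is only ever consulted by the older kernels the report concerns.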
--
https://bugs.launchpad.net/bugs/1584456
Title: apparmor denial using ptmx char device
