** Description changed:

+ [Impact]
  
- - Finding issues running snaps (hello-world). 
+ snap-confine would refuse to work on an older kernel running on an
+ Nvidia Tegra X1 board. This was traced to a bug in an older version of
+ apparmor there that required directory-like syntax for /dev/pts/ptmx
+ (with a trailing slash).
+ 
+ This bug is fixed by adding an apparmor rule, identical to the normal
+ rule, with an extra slash. Older kernels will use the new rule while
+ current kernels will just ignore it.
+ 
+ [Test Case]
+ 
+ On an Nvidia Tegra X1 board running 3.10.96, snap-confine should no
+ longer fail to start. On Ubuntu Xenial (all architectures) there should
+ be no perceived change.
+ 
+ Snap-confine is carefully tested with a battery of spread tests that can
+ be found here:
+ https://github.com/snapcore/snap-confine/blob/master/spread-tests/
+ 
+ The test cases are run automatically for each pull request and for each
+ final release.
+ 
+ All those tests were executed successfully for this release. As a simple
+ test case consider running any snap (any at all, including hello-world).
+ 
+ [Regression Potential]
+ 
+ * Regression potential is minimal as the fix simply adds another
+ apparmor rule that grants additional permissions that are only picked up
+ by old buggy kernels.
+ 
+ * The fix was tested on Ubuntu via spread.
+ 
+ [Other Info]
+ 
+ * This bug is a part of a major SRU that brings snap-confine in Ubuntu
+ 16.04 in line with the current upstream release 1.0.41.
+ 
+ * This bug was included in an earlier SRU and is now fixed in Ubuntu. I
+ am updating the template here to ensure that the process is fully
+ documented from 1.0.38 all the way up to the current upstream release
+ 1.0.41.
+ 
+ * snap-confine is technically an integral part of snapd, which has an SRU
+ exception and is allowed to introduce new features and take advantage of
+ an accelerated procedure. For more information see
+ https://wiki.ubuntu.com/SnapdUpdates
+ 
+ == # Pre-SRU bug description follows # ==
+ 
+ - Finding issues running snaps (hello-world).
  - Same issue even installing with --devmode. Even running the snap binary as root
  - Using a custom kernel, this is on an Nvidia Tegra X1 custom board.
  
  =====================================
  
  ubuntu@localhost:~$ hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  ubuntu@localhost:~$ sudo hello-world.echo plop
  unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
  
  dmesg shows:
  =====================================
  
  [  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  [  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
  
  This is with the "hello-world" snap installed with "snap install"
  
  Output of an ls over the device file:
  =====================================
  
  ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
  crw-rw-rw- 1 root tty  5, 2 Feb 11 16:28 /dev/ptmx
  
  /dev/pts:
  total 0
  c--------- 1 root root 5, 2 Jan  1  1970 ptmx
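As an added example (not part of the bug report and not snap-confine's own code), the following Python script turns AppArmor mount denials like the dmesg lines above into candidate profile rules, emitting both the plain form a current kernel matches and the trailing-slash form the [Impact] section says the old Tegra apparmor required. The first two sample lines are the report's own denials re-joined onto single lines; the third is constructed to show what a current kernel logs. The generated rule text illustrates AppArmor mount-rule syntax and is not a copy of the rule snap-confine actually ships.

```python
import re

# Constructed sample input: the two AppArmor denials quoted in the bug report
# above, re-joined onto single lines as dmesg prints them, plus one
# constructed line in the form a current kernel logs (no trailing slashes).
SAMPLE_DMESG = """\
[  302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
[  308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
[  400.123456] type=1400 audit(1455208469.272:18): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=930 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx" pid=931 comm="ubuntu-core-lau" srcname="/dev/pts/ptmx" flags="rw, bind"
"""

# key=value or key="value with spaces", as printed by the audit subsystem
AUDIT_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denials(text):
    """Return one dict per apparmor="DENIED" line, mapping each audit field
    (profile, operation, name, srcname, flags, error, ...) to its value with
    the surrounding quotes removed. Non-denial lines are skipped."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for key, raw, quoted in AUDIT_FIELD.findall(line):
            fields[key] = quoted if raw.startswith('"') else raw
        denials.append(fields)
    return denials


def mount_rule(denial):
    """Translate one mount denial into the AppArmor mount rule that matches
    exactly the logged source, target and flags ("rw, bind" becomes
    options=(rw bind)). Only operation="mount" is handled here."""
    if denial.get('operation') != 'mount':
        raise ValueError('not a mount denial: %r' % denial.get('operation'))
    opts = ' '.join(f.strip() for f in denial['flags'].split(','))
    return 'mount options=(%s) %s -> %s,' % (opts, denial['srcname'], denial['name'])


def _with_trailing_slash(path, want):
    # Normalise "/dev/ptmx" / "/dev/ptmx/" to one form; "/" is left alone.
    base = path.rstrip('/') or '/'
    return base if (not want or base == '/') else base + '/'


def rules_for_old_and_new_kernels(denial):
    """Emit the pair of rules the fix described above relies on: the plain
    rule current kernels match, and the same rule with a trailing slash on
    both paths, which the old Tegra apparmor wanted. Both are produced
    whichever form the logged denial used, so a profile carrying both
    works on either kernel."""
    plain = dict(denial,
                 srcname=_with_trailing_slash(denial['srcname'], False),
                 name=_with_trailing_slash(denial['name'], False))
    slashed = dict(denial,
                   srcname=_with_trailing_slash(denial['srcname'], True),
                   name=_with_trailing_slash(denial['name'], True))
    return [mount_rule(plain), mount_rule(slashed)]


if __name__ == '__main__':
    seen = set()
    for d in parse_denials(SAMPLE_DMESG):
        for rule in rules_for_old_and_new_kernels(d):
            if rule not in seen:  # the three denials collapse to one pair
                seen.add(rule)
                print(rule)
```

Run it as `python3 script.py` (or pipe `dmesg` output into `parse_denials`). The trailing-slash variant only ever grants the same bind mount as the plain rule with a different spelling of the paths, which is why the regression potential noted above is low: a kernel that does not match the slashed form simply never uses it.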

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584456

Title:
  apparmor denial using ptmx char device

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1584456/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
