** Description changed:

+ Strictly confined snap commands that don't use networking in their
+ interfaces (e.g., 'plugs: [ network ]') do not work for users with NFS
+ home because of AppArmor denials for networking.
+ 
+ WORKAROUND:
+ Add the following to /etc/apparmor.d/abstractions/base and /etc/apparmor.d/usr.lib.snapd.snap-confine:
+ network inet,
+ network inet6,
+ 
+ Then reload policy with:
+ $ sudo apparmor_parser -r /etc/apparmor.d/usr.lib.snapd.snap-confine
+ $ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.*
+ 
+ Unfortunately this adds networking to all profiles on the system. snapd
+ could be updated to conditionally add these rules to snap-confine and
+ non-daemon commands to help users. When fine-grained network mediation
+ is implemented in AppArmor, it may be able to help limit the scope of
+ the added rules (but this would need to be researched, NFS in the kernel
+ is a bit twisty).
+ 
+ 
+ = Original report =
+ 
  Our home directories have the following structure:
  
  /home/u/user.name
  
  where u is the first letter of the user's first name. The reason for this
  structure is the large number of users. The NFS mount point is /home
  
  The file /etc/apparmor.d/tunables/home.d/ubuntu contains the following
  line:
  
  @{HOMEDIRS}+=/home/u/
  (for one example user)
  
  @{HOMEDIRS}+=/home/*/
- did also not work. 
+ did also not work.
  
  Starting a snap (in this example case inkscape) results in the following error message:
  cannot change current working directory to the original directory: Permission denied
  
  For a self-created snap in classic mode, I get the following error:
  cannot create user data directory: /home/u/user.name/snap/mysnap/x1: Permission denied
  
  The journal contains the following messages:
  kernel: nfs: RPC call returned error 13
  kernel: audit: type=1400 audit(1486481365.925:127): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/snapd/snap-confine" pid=25069 comm="snap-confine" laddr=x.x.x.x lport=782 faddr=x.x.x.x fport=2049 family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"
  
  Installed packages:
  snapd/xenial-proposed,now 2.22.2 amd64 [installed]
  snap-confine/xenial-proposed,now 2.22.2 amd64 [installed]
  ubuntu-core-launcher/xenial-proposed,now 2.22.2 amd64 [installed]
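
As an added example (not part of the bug report and not snapd or AppArmor code), here is a small Python triage script that parses AppArmor type=1400 audit records like the one quoted in the journal above and separates NFS-related network denials (a denied socket operation whose peer port is 2049) from other denials. That lets an administrator see which profiles the workaround's 'network inet,' / 'network inet6,' rules would actually have to touch, rather than granting networking to every profile. The sample lines are constructed: the first two are copied from the report (x.x.x.x are the report's own address placeholders), and the third is a made-up, unrelated file-access denial that must not be flagged.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample journal lines. The first two are taken from the bug report
# (x.x.x.x are the report's own address placeholders); the third is a made-up,
# unrelated file-access denial that must not be classified as an NFS problem.
SAMPLE_LINES = [
    "kernel: nfs: RPC call returned error 13",
    'kernel: audit: type=1400 audit(1486481365.925:127): apparmor="DENIED" '
    'operation="sendmsg" profile="/usr/lib/snapd/snap-confine" pid=25069 '
    'comm="snap-confine" laddr=x.x.x.x lport=782 faddr=x.x.x.x fport=2049 '
    'family="inet" sock_type="stream" protocol=6 requested_mask="send" '
    'denied_mask="send"',
    'kernel: audit: type=1400 audit(1486481400.000:128): apparmor="DENIED" '
    'operation="open" profile="snap.inkscape.inkscape" name="/etc/shadow" '
    'pid=25100 comm="inkscape" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

NFS_PORT = "2049"                       # port the NFS server listens on
NETWORK_FAMILIES = {"inet", "inet6"}    # families the workaround's rules grant

# key=value or key="quoted value"; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_audit(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor (type=1400) audit record,
    or None for any other journal line."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def is_nfs_network_denial(fields: Dict[str, str]) -> bool:
    """True for a denied socket operation whose peer port is the NFS port:
    the signature of the NFS-home failure described in the report."""
    return (
        fields.get("apparmor") == "DENIED"
        and fields.get("family") in NETWORK_FAMILIES
        and fields.get("fport") == NFS_PORT
    )


def triage(lines: List[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split journal lines into (nfs_denials, other_denials);
    lines that are not AppArmor audit records are dropped."""
    nfs: List[Dict[str, str]] = []
    other: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_apparmor_audit(line)
        if fields is None:
            continue
        (nfs if is_nfs_network_denial(fields) else other).append(fields)
    return nfs, other


def profiles_needing_network(nfs_denials: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map each denied profile to the address families it was denied for,
    i.e. which 'network inet,' / 'network inet6,' rules would be needed."""
    needed: Dict[str, Set[str]] = {}
    for fields in nfs_denials:
        needed.setdefault(fields["profile"], set()).add(fields["family"])
    return needed


if __name__ == "__main__":
    nfs, other = triage(SAMPLE_LINES)
    for profile, families in profiles_needing_network(nfs).items():
        for fam in sorted(families):
            print(f"{profile}: would need 'network {fam},'")
    print(f"{len(other)} unrelated AppArmor denial(s) left untouched")
```

To run it against a real host, feed it the lines from `journalctl -k` instead of SAMPLE_LINES; only profiles that show up in the NFS bucket need the extra network rules, which keeps the workaround narrower than editing abstractions/base.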

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1662552

Title:
  snaps don't work with NFS home

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs