Public bug reported:
Following the approach described here
http://askubuntu.com/a/841787/231579 but for 'write' paths leads to an
error if one tries to use a $SNAP/<path> as a target path in a consumer.

  snap --version
  snap 2.23.6+17.04.1
  snapd 2.23.6+17.04.1
  series 16
  ubuntu 17.04
  kernel 4.10.0-14-generic

  sudo strace -s512 snap run --shell vault-dmitriis.vault
  ...
  mount("/var/snap/consul-dmitriis/common", "/snap/vault-dmitriis/x1/consul", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND, NULL) = -1 EACCES (Permission denied)

In general nothing prevents a user from bind-mounting a read-write path
over a read-only directory but for snapd this is a problem. It might
have some consequences for garbage collection though since a consumer
will keep the target directory busy. Still, it seems like an issue to me
(if it's a feature - it should be documented).

Reproducer:

  ➜ snap-vault git:(master) ✗ snapcraft
  ...
  ➜ snap-vault git:(master) ✗ sudo snap install vault-dmitriis_0.6.5_amd64.snap --dangerous
  ➜ snap-consul git:(master) ✗ sudo snap install consul-dmitriis_0.8.0_amd64.snap --dangerous
  consul-dmitriis 0.8.0 installed
  ➜ snap-vault git:(master) ✗ sudo snap connect vault-dmitriis:consul-tmp consul-dmitriis:consul-tmp
  ➜ snap-vault git:(master) ✗ sudo snap run --shell vault-dmitriis.vault
  cannot mount /var/snap/consul-dmitriis/common at /snap/vault-dmitriis/x1/consul with options bind: Permission denied

strace:
https://paste.ubuntu.com/24339854/

Judging by the mount flags the code triggering it is:
  7 mount-support.c sc_setup_mount_profiles 228 int flags = MS_BIND | MS_RDONLY | MS_NODEV | MS_NOSUID;
https://paste.ubuntu.com/24339585/
Repos to build snaps to reproduce:
https://github.com/dshcherb/snap-vault/tree/bug-1681068
https://github.com/dshcherb/snap-consul/tree/891375978197b0cacbf5d108c2006262d4ac5968
** Affects: snapd (Ubuntu)
Importance: Undecided
Status: New
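
A small triage helper for the strace output quoted in the report, added here as an example and not part of the original report or of snapd: it pulls failed mount() calls out of a trace and labels source and target by snapd's standard directory layout ($SNAP under /snap/<name>/<revision>, writable data under /var/snap/<name>/). The function names and the first sample line are constructed for illustration.

```python
import re

# Constructed sample: the first call is made up (a successful mount); the
# second is the failing call quoted in the report, wrapped as the mail wrapped it.
SAMPLE_STRACE = '''\
mount("/example/src", "/example/dst", NULL, MS_BIND, NULL) = 0
mount("/var/snap/consul-dmitriis/common", "/snap/vault-dmitriis/x1/consul",
NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND, NULL) = -1 EACCES (Permission
denied)
'''

# strace format: mount(source, target, fstype, flags, data) = ret [ERRNO (text)]
MOUNT_RE = re.compile(
    r'\bmount\((?P<src>"[^"]*"|NULL),\s*"(?P<dst>[^"]*)",\s*(?:"[^"]*"|NULL),\s*'
    r'(?P<flags>[A-Za-z0-9_|]+),\s*(?:"[^"]*"|NULL)\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z0-9]+))?'
)

def area(path):
    """Label a path by snapd's standard layout."""
    if re.match(r'/snap/[^/]+/[^/]+(/|$)', path):
        return "$SNAP (read-only image)"
    if re.match(r'/var/snap/[^/]+/', path):
        return "writable snap data"
    return "other"

def failed_mounts(trace):
    """Return one dict per mount() call in the trace that returned an error."""
    flat = " ".join(trace.split())  # undo line wrapping before matching
    failures = []
    for m in MOUNT_RE.finditer(flat):
        if int(m["ret"]) >= 0:
            continue
        source = m["src"].strip('"')
        failures.append({
            "source": source,
            "target": m["dst"],
            "flags": set(m["flags"].split("|")),
            "errno": m["errno"],
            "source_area": area(source),
            "target_area": area(m["dst"]),
        })
    return failures

if __name__ == "__main__":
    for f in failed_mounts(SAMPLE_STRACE):
        print(f'{f["errno"]}: {f["source"]} [{f["source_area"]}] -> '
              f'{f["target"]} [{f["target_area"]}] flags={sorted(f["flags"])}')
```
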
https://bugs.launchpad.net/bugs/1681068
Title:
Unable to use content interface with read-write source paths bind
mounted over read-only targets