Public bug reported:
The docker-support and multipass-support interfaces allow access to
/sbin/apparmor_parser.
/sbin/apparmor_parser is supplied by the core, core18 and core20 base
snaps.
/etc/apparmor* comes from the host, which on groovy has apparmor3.
Snaps using docker-support and multipass-support are completely broken
on groovy when using core and core18. On core20, policy loads with
warnings.
A transparent solution is to ship /etc/apparmor and /etc/apparmor.d in
the base snaps and bind mount these into place (e.g., via snap-confine).
Snaps can fix themselves with layouts.
Note: there are plans to vendor apparmor3 into snapd for cross-distro
support, and that will happen in the 21.04 cycle. However, that doesn't
fix snaps that plug docker-support and multipass-support and load their
own policy.
# core
$ cat /tmp/core.profile
#include <tunables/global>
profile test-core-profile {
  #include <abstractions/base>
}
$ sudo /snap/core/current/sbin/apparmor_parser -r /tmp/core.profile
/snap/core/current/sbin/apparmor_parser: unknown option (policy-features) in
config file.
AppArmor parser error for /tmp/core.profile in /etc/apparmor.d/tunables/etc at
line 25: Could not open 'if'
[1]
$ sudo aa-status | grep test-core
[1]
# core18
$ cat /tmp/core18.profile
#include <tunables/global>
profile test-core18-parser {
  #include <abstractions/base>
}
$ sudo /snap/core18/current/sbin/apparmor_parser -r /tmp/core18.profile
/snap/core18/current/sbin/apparmor_parser: unknown option (policy-features) in
config file.
AppArmor parser error for /tmp/core18.profile in /etc/apparmor.d/tunables/etc
at line 25: Could not open 'if'
[1]
$ sudo aa-status | grep test-core18
[1]
# core20
$ cat /tmp/core20.profile
#include <tunables/global>
profile test-core20-parser {
  #include <abstractions/base>
}
$ sudo /snap/core20/current/sbin/apparmor_parser -r /tmp/core20.profile
/snap/core20/current/sbin/apparmor_parser: unknown option (policy-features) in
config file.
Warning from /tmp/core20.profile (/etc/apparmor.d/abstractions/base line 13):
/snap/core20/current/sbin/apparmor_parser: Profile abi not supported, falling
back to system abi.
$ sudo aa-status | grep test-core20
test-core20-parser
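Editor's note, as an added diagnostic that is not part of this bug report or of snapd: the three messages in the transcript above each point at an apparmor3-era construct in the host's /etc/apparmor* that the 2.x apparmor_parser from the base snap does not understand. The "unknown option (policy-features)" message is the parser rejecting a `policy-features` line in /etc/apparmor/parser.conf; "Could not open 'if'" is consistent with a 2.x parser reading an `include if exists <...>` directive as an include of a file literally named `if`; and "Profile abi not supported" is the 2.13 parser in core20 meeting an `abi <...>,` directive. The script below scans a configuration root for those three constructs so a snap author can tell, before shipping, whether a bundled 2.x parser will choke on a given host. The construct-to-message mapping is inferred from the transcript, the sample trees it builds are constructed for the demo (not real distro files), and the script is not part of snapd.

```shell
#!/bin/sh
# aa3-compat-check.sh (added example; not from the bug report or snapd).
# Scan an AppArmor configuration root for apparmor3-era constructs that the
# AppArmor 2.x apparmor_parser shipped in the core/core18/core20 base snaps
# trips over. Construct -> message mapping is inferred from the bug transcript:
#   policy-features in apparmor/parser.conf   -> "unknown option (policy-features) in config file"
#   "include if exists <...>" under apparmor.d -> "Could not open 'if'" (fatal on core/core18)
#   "abi <...>," under apparmor.d              -> "Profile abi not supported" (warning on core20)

# Print every offending line; return 0 if nothing apparmor3-only was found, 1 otherwise.
aa3_scan() {
    root="${1:?usage: aa3_scan <config-root>}"
    found=0
    conf="$root/apparmor/parser.conf"
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*policy-features' "$conf"; then
        echo "[warn] parser.conf sets policy-features: $conf"
        found=1
    fi
    if [ -d "$root/apparmor.d" ]; then
        # A 2.x parser treats 'include if exists <x>' as an include of a file named 'if'.
        hits=$(grep -Ern '^[[:space:]]*#?include[[:space:]]+if[[:space:]]+exists' "$root/apparmor.d" || true)
        if [ -n "$hits" ]; then
            printf '[fatal on core/core18] conditional includes:\n%s\n' "$hits"
            found=1
        fi
        # Profile ABI pinning (apparmor 3.0); the 2.13 parser falls back to the system abi with a warning.
        hits=$(grep -Ern '^[[:space:]]*abi[[:space:]]*[<"]' "$root/apparmor.d" || true)
        if [ -n "$hits" ]; then
            printf '[warn on core20] abi directives:\n%s\n' "$hits"
            found=1
        fi
    fi
    return "$found"
}

# Constructed sample trees (not real distro files): a groovy-style apparmor3
# layout and a bionic-style apparmor 2.x layout, written under the given dir.
make_tree_v3() {
    mkdir -p "$1/apparmor" "$1/apparmor.d/tunables" "$1/apparmor.d/abstractions"
    printf 'write-cache\npolicy-features=/etc/apparmor.d/abi/3.0\n' > "$1/apparmor/parser.conf"
    printf '@{etc_ro}=/{usr/,}etc/\ninclude if exists <tunables/etc.d>\n' > "$1/apparmor.d/tunables/etc"
    printf 'abi <abi/3.0>,\n\n  /etc/ld.so.cache mr,\n' > "$1/apparmor.d/abstractions/base"
}
make_tree_v2() {
    mkdir -p "$1/apparmor" "$1/apparmor.d/tunables" "$1/apparmor.d/abstractions"
    printf 'write-cache\n' > "$1/apparmor/parser.conf"
    printf '@{etc_ro}=/{usr/,}etc/\n' > "$1/apparmor.d/tunables/etc"
    printf '  /etc/ld.so.cache mr,\n' > "$1/apparmor.d/abstractions/base"
}

# With an argument, scan that root (e.g. /etc on the host); otherwise run the demo.
if [ "$#" -gt 0 ]; then
    aa3_scan "$1"
else
    demo=$(mktemp -d)
    make_tree_v3 "$demo/groovy-etc"
    make_tree_v2 "$demo/bionic-etc"
    for tree in "$demo/groovy-etc" "$demo/bionic-etc"; do
        if aa3_scan "$tree"; then
            echo "$tree: no apparmor3-only constructs found"
        else
            echo "$tree: contains apparmor3-only constructs (see above)"
        fi
    done
    rm -rf "$demo"
fi
```

Run it as `sh aa3-compat-check.sh /etc` on the host whose policy a snap will load with its bundled parser; a non-zero exit means the bundled 2.x parser will at least warn, and a "conditional includes" hit means it will fail outright as core and core18 do above.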
** Affects: snapd
Importance: Critical
Assignee: Alex Murray (alexmurray)
Status: Triaged
** Affects: snapd (Ubuntu)
Importance: Critical
Status: Triaged
** Changed in: snapd
Status: New => Triaged
** Changed in: snapd
Importance: Undecided => Critical
** Changed in: snapd
Assignee: (unassigned) => Alex Murray (alexmurray)
** Also affects: snapd (Ubuntu)
Importance: Undecided
Status: New
** Changed in: snapd (Ubuntu)
Status: New => Triaged
** Changed in: snapd (Ubuntu)
Importance: Undecided => Critical
** Changed in: snapd (Ubuntu)
Milestone: None => ubuntu-20.10
https://bugs.launchpad.net/bugs/1898038
Title:
docker-support/multipass-support broken with system apparmor3 (20.10)
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs