Policy doesn't update when installing Snappy app with same version

Bug #1422744 reported by Nikolay
This bug affects 2 people
Affects: click-apparmor (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

I tried to build a snap package for an Ubuntu Snappy build for BeagleBone Black. I am making this package for an IoT device; it contains AllJoyn ( https://allseenalliance.org/developers/learn ), which requires lots of dbus features. That's why I have to write my own apparmor profile.

After the first attempt I got this message:
[ 499.786552] audit: type=1400 audit(1421754939.200:22): apparmor="DENIED" operation="bind" profile="my-app_my-app-service_1.0.0" pid=1453 comm="alljoyn-daemon" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@alljoyn"

Then I added a line to the profile:
  unix (create,bind,listen,send,receive,setopt,connect) type=stream,

rebuilt the snap, and called 'snappy-remote install', but this message still appears. I even removed the profile file in the /var/lib/apparmor/profiles dir (that line was in the file) and rebooted the board, but this message still appears.

Only after complete snap removal (snappy uninstall) and a clean install did this message disappear.

Tags: snappy
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. I'm guessing you didn't rev the version and instead installed the same version. There is a limitation in 'click' (the underlying packaging tool that is being replaced) that makes it not run its hooks when installing a package with the same version. If you are using the normal confinement ("apparmor" is used in the underlying click manifest), then you can work around this by performing the following after installing a package with the same version:
$ sudo aa-clickhook -f

If you are supplying your own profile ("apparmor-profile" is used in the underlying click manifest), then you can work around this by performing the following after installing a package with the same version:
$ sudo aa-profile-hook -f

Also, is there any reason for this bug to be private?

affects: apparmor → click-apparmor
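
As an added illustration (not part of the bug report or of click-apparmor), this Python sketch checks a denial against the profile source: if the source already permits the denied operation, the loaded policy is stale and the hook workaround above applies. The profile fragment, the function names and the simplified rule matcher are assumptions.

```python
import re

# Constructed sample input: the denial quoted in the report, and a profile
# fragment holding the rule the reporter added (the surrounding profile body
# is an assumption).
DENIAL = ('[ 499.786552] audit: type=1400 audit(1421754939.200:22): '
          'apparmor="DENIED" operation="bind" '
          'profile="my-app_my-app-service_1.0.0" pid=1453 '
          'comm="alljoyn-daemon" family="unix" sock_type="stream" protocol=0 '
          'requested_mask="bind" denied_mask="bind" addr="@alljoyn"')
PROFILE_SRC = '''
profile "my-app_my-app-service_1.0.0" {
  # unix (bind) type=dgram,   (commented out, must be ignored)
  unix (create,bind,listen,send,receive,setopt,connect) type=stream,
}
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Allow rules only: lines starting with "deny" or "#" do not match.
UNIX_RULE = re.compile(r'^[ \t]*unix\b\s*(?:\(([^)]*)\))?\s*([^,#\n]*),', re.M)

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {m[1]: m[2] if m[2] is not None else m[3]
            for m in FIELD.finditer(line)}

def source_allows(profile_src, denial):
    """Simplified matcher (hypothetical helper): compares only the permission
    list and type= of each unix rule; addr/peer conditions are not evaluated."""
    wanted = set(denial["denied_mask"].split())
    for m in UNIX_RULE.finditer(profile_src):
        perms = None if m[1] is None else set(re.split(r"[,\s]+", m[1].strip()))
        sock = re.search(r"\btype=(\w+)", m[2])
        if ((perms is None or wanted <= perms)
                and (sock is None or sock[1] == denial["sock_type"])):
            return True
    return False

def diagnose(denial_line, profile_src):
    d = parse_denial(denial_line)
    if d.get("apparmor") != "DENIED" or d.get("family") != "unix":
        return "not-applicable"
    if source_allows(profile_src, d):
        # Source permits it, kernel still denies: the loaded policy is stale,
        # as when a same-version install skips the click hooks.
        return "stale-loaded-policy"
    return "rule-missing-in-source"

if __name__ == "__main__":
    print(diagnose(DENIAL, PROFILE_SRC))
```
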
Jamie Strandboge (jdstrand) wrote :

This is a known limitation in click. Since we will be moving away from click in favor of snappy and because known workarounds exist, marking this bug as Won't Fix.

summary: - Policy doesn't update while updating Snappy app
+ Policy doesn't update when installing Snappy app with same version
no longer affects: click-apparmor
Changed in click-apparmor (Ubuntu):
status: New → Won't Fix
Nikolay (2xl)
information type: Private Security → Public
Nikolay (2xl) wrote :

Yeah, I didn't change the snap revision.
Thank you for the fast answer and clear explanation.
There is no reason to make it private. I've changed it to public. Most probably, I've incidentally clicked somewhere on the page, sorry for that.

Andrea Bernabei (faenil) wrote :

Since the phones are still using click, we have to fix it on the click side as well.

I created https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1549369 to track that.
