Snappy

"snap refresh" doesn't update apparmor rule

Bug #1573247 reported by Chad Miller on 2016-04-21

This bug report is a duplicate of: Bug #1572463: setup-profile configures security based on snap.Info from DisconnectSnap, which still sees older revision. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Snappy	New	Undecided	Unassigned

Bug Description

Install package. Refresh to get new version. Reboot. Service doesn't start because the apparmor rules are for the previous version.

$ snap changes
ID Status Spawn Ready Summary
1 Error 2016-04-19T22:46:05Z 2016-04-19T22:46:18Z Install "tor-middle-relay" snap
2 Done 2016-04-20T19:32:39Z 2016-04-20T19:32:55Z Install "tor-middle-relay" snap
3 Done 2016-04-21T15:01:43Z 2016-04-21T15:01:49Z Refresh "tor-middle-relay" snap
4 Done 2016-04-21T15:55:57Z 2016-04-21T15:55:58Z Remove "tor-middle-relay" snap
5 Done 2016-04-21T15:56:01Z 2016-04-21T15:56:02Z Remove "tor-middle-relay" snap
6 Done 2016-04-21T15:56:28Z 2016-04-21T15:57:01Z Install "tor-middle-relay" snap
7 Done 2016-04-21T18:02:18Z 2016-04-21T18:02:21Z Refresh "tor-middle-relay" snap
8 Error 2016-04-21T18:02:39Z 2016-04-21T18:02:40Z Refresh "tor-middle-relay" snap
9 Error 2016-04-21T18:31:42Z 2016-04-21T18:31:43Z Refresh "tor-middle-relay" snap

### that is, 6 installed, 7 upgraded

$ snap changes 6
Status Spawn Ready Summary
Done 2016-04-21T15:56:28Z 2016-04-21T15:57:01Z Download snap "tor-middle-relay" from channel "stable"
Done 2016-04-21T15:56:28Z 2016-04-21T15:57:01Z Mount snap "tor-middle-relay"
Done 2016-04-21T15:56:28Z 2016-04-21T15:57:01Z Copy snap "tor-middle-relay" data
Done 2016-04-21T15:56:28Z 2016-04-21T15:57:01Z Setup snap "tor-middle-relay" security profiles
Done 2016-04-21T15:56:28Z 2016-04-21T15:57:01Z Make snap "tor-middle-relay" available to the system

$ snap changes 7
Status Spawn Ready Summary
Done 2016-04-21T18:02:18Z 2016-04-21T18:02:21Z Download snap "tor-middle-relay" from channel "stable"
Done 2016-04-21T18:02:18Z 2016-04-21T18:02:21Z Mount snap "tor-middle-relay"
Done 2016-04-21T18:02:18Z 2016-04-21T18:02:21Z Make current revision for snap "tor-middle-relay" unavailable
Done 2016-04-21T18:02:18Z 2016-04-21T18:02:21Z Copy snap "tor-middle-relay" data
Done 2016-04-21T18:02:18Z 2016-04-21T18:02:21Z Setup snap "tor-middle-relay" security profiles
Done 2016-04-21T18:02:18Z 2016-04-21T18:02:21Z Make snap "tor-middle-relay" available to the system

### now reboot

$ journalctl |grep tor-
Apr 21 16:00:18 zippy systemd[1]: Mounting Squashfs mount unit for tor-middle-relay...
Apr 21 16:00:18 zippy systemd[1]: Mounting Squashfs mount unit for tor-middle-relay...
Apr 21 16:00:19 zippy systemd[1]: Mounted Squashfs mount unit for tor-middle-relay.
Apr 21 16:00:19 zippy systemd[1]: Mounted Squashfs mount unit for tor-middle-relay.
Apr 21 16:00:25 zippy audit[2127]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.tor-middle-relay.daemon" pid=2127 comm="apparmor_parser"
Apr 21 16:00:28 zippy systemd[1]: Started service daemon for snap tor-middle-relay - autogenerated DO NO EDIT.
Apr 21 16:00:29 zippy audit[2233]: AVC apparmor="DENIED" operation="open" profile="snap.tor-middle-relay.daemon" name="/snap/tor-middle-relay/20/command-daemon.wrapper" pid=2233 comm="command-daemon." requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 21 16:00:29 zippy ubuntu-core-launcher[2233]: /bin/sh: 0: Can't open /snap/tor-middle-relay/20/command-daemon.wrapper
Apr 21 16:00:29 zippy systemd[1]: snap.tor-middle-relay.daemon.service: Main process exited, code=exited, status=127/n/a
Apr 21 16:00:29 zippy systemd[1]: snap.tor-middle-relay.daemon.service: Unit entered failed state.
Apr 21 16:00:29 zippy systemd[1]: snap.tor-middle-relay.daemon.service: Failed with result 'exit-code'.

### service did not start! Apparmor denial!

$ grep SNAP_REVISION /var/lib/snapd/apparmor/profiles/snap.tor-middle-relay.daemon
@{SNAP_REVISION}="15"
  @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/ r,
  @{INSTALL_DIR}/@{SNAP_NAME}/@{SNAP_REVISION}/** mrklix,
  owner @{HOME}/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
  /var/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** wl,
  /{dev,run}/shm/snap/@{SNAP_NAME}/@{SNAP_REVISION}/ r,
  /{dev,run}/shm/snap/@{SNAP_NAME}/@{SNAP_REVISION}/** mrwlkix,

### Revision 15 is the old package!

$ mount |grep tor-
/var/lib/snapd/snaps/tor-middle-relay_20.snap on /snap/tor-middle-relay/20 type squashfs (ro,relatime)
/var/lib/snapd/snaps/tor-middle-relay_15.snap on /snap/tor-middle-relay/15 type squashfs (ro,relatime)

See original description

Chad Miller (cmiller) on 2016-04-21

description:

updated

Revision history for this message

Michael Vogt (mvo) wrote on 2016-04-26:

This looks very much like a dupe of #1572463 - please unduplicate if that is not the case.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1572463 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.