cannot create $SNAP_USER_DATA when using ecryptfs and sudo
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| snap-confine |
Fix Released
|
High
|
Zygmunt Krynicki | ||
| snap-confine (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
[Impact]
The code that creates the $SNAP_USER_DATA directory in snap-confine is prevented from running by the apparmor profile that confines snap-confine itself when the home directory is encrypted and the user runs as root, e.g. via sudo.
This bug is fixed by lowering the restrictions placed on apparmor rules that govern access to the encrypted home directory files. The relevant rules no longer requires the process (running as root) to match the owner of the files (typically the owner of the home directory)
[Test Case]
The test case can be found here:
https:/
This test case needs to be executed manually on a computer with encrypted home directory. Spread does not currently run in such a configuration so a manual check is worth while.
[Regression Potential]
* Regression potential is minimal as the fix simply makes two apparmor rules less restrictive. The change was reviewed and approved by the security team.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https:/
== # Pre-SRU bug description follows # ==
Because of the two apparmor rules on snap-confine, attempts to create user data directory from snap-confine will fail when the user is using new-style encrypted home directory and sudo to start a snap.
TEST CASE:
1. sudo adduser --encrypt-home test-encrypted
2. Ensure that the test-encrypted user can use sudo, e.g. add it to the sudo group
3. Log in as test-encrypted user
4. Install the hello-world snap
5. Run sudo /snap/bin/
6. Verify that `hello-world` fails to run
7. Install snap-confine from xenial-propsoed
8. verify that `hello-world` runs now
The following patch makes the problem go away:
diff --git a/debian/
index f3e6308..aeb17bd 100644
--- a/debian/
+++ b/debian/
@@ -155,6 +155,6 @@
owner @{HOME}/.Private/ r,
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
- owner @{HOMEDIRS}
- owner @{HOMEDIRS}
+ @{HOMEDIRS}
+ @{HOMEDIRS}
}
| Changed in snap-confine: | |
| importance: | Undecided → High |
| assignee: | nobody → Zygmunt Krynicki (zyga) |
| milestone: | none → 1.0.40 |
| Zygmunt Krynicki (zyga) wrote | #1 |
| Changed in snap-confine: | |
| status: | New → In Progress |
| Changed in snap-confine: | |
| status: | In Progress → Fix Committed |
| Adam Conrad (adconrad) wrote Please test proposed package | #2 |
| Changed in snap-confine (Ubuntu Xenial): | |
| status: | New → Fix Committed |
| tags: | added: verification-needed |
| description: | updated |
| Federico Gimenez (fgimenez) wrote | #3 |
| tags: |
added: verification-done removed: verification-needed |
| Changed in snap-confine: | |
| status: | Fix Committed → Fix Released |
| Michael Vogt (mvo) wrote | #4 |
| Changed in snap-confine (Ubuntu): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote | #6 |
| Changed in snap-confine (Ubuntu Xenial): | |
| status: | Fix Committed → Fix Released |
| Chris J Arges (arges) wrote Update Released | #7 |
| description: | updated |
This is fixed by the following patch in a pull request to snap-confine
https:/