thefuck snap gets an apparmor denial even in classic confinement

Bug #1664427 reported by Leo Arias
This bug affects 2 people
Affects: Snappy; Status: Confirmed; Importance: Undecided; Assigned to: Unassigned; Milestone: none listed

Bug Description

I'm trying to make a snap for thefuck: https://github.com/nvbn/thefuck

It should be simple because it's python, and using the classic confinement should let it access the bash history and rerun commands. However, it fails:

$ thefuck --alias
runtime/cgo: pthread_create failed: Resource temporarily unavailable
runtime/cgo: pthread_create failed: Resource temporarily unavailable
runtime/cgo: pthread_create failed: Resource temporarily unavailable

on syslog, I see:

Feb 14 02:13:55 juju-07fb34-remote-devel-0 thefuck[10382]: cmd.go:105: DEBUG: restarting into "/snap/core/current/usr/bin/snap"
Feb 14 02:13:55 juju-07fb34-remote-devel-0 kernel: [459201.195163] audit: type=1400 audit(1487038435.912:849): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/tty" pid=10382 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0

Here is my snap: https://github.com/elopio/thefuck/blob/snapcraft/snap/snapcraft.yaml

Tags: classic isv
Zygmunt Krynicki (zyga) wrote:

This is snap-confine, not the snap getting the denial. Snap-confine itself should not need to access /dev/tty. Do you have something unusual in your setup that might explain this?

Changed in snappy:
status: New → Incomplete
Leo Arias (elopio) wrote:

Do you mean on my machine? I don't think so; it's a xenial machine in canonistack created a few weeks ago.

$ snap list
Name           Version   Rev   Developer   Notes
core           16.04.1   888   canonical   -
enhance        master    x1                -
ghb0t          master    x1                -
httpie         master    x1                -
snappy-debug   0.28      26    canonical   -
thefuck        master    x1                classic
$ snap --version
snap 2.21
snapd 2.21
series 16
ubuntu 16.04

What other information would be useful for you?

Zygmunt Krynicki (zyga) wrote:

Hmm, not sure. I'll consult with the security team. Maybe remote access is a factor here.

Oliver Grawert (ogra) wrote:

It surely is:

ogra@localhost:~$ env|grep TTY
SSH_TTY=/dev/pts/0

Jamie Strandboge (jdstrand) wrote:

I can reproduce the denial, but if I add this rule to /etc/apparmor.d/usr.lib.snapd.snap-confine:

/dev/tty rw,

then do:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.lib.snapd.snap-confine

and then run the program, it never returns and there are no denials. I think this may have more to do with the interaction between the program and snap-confine (i.e., it isn't expecting 'snap run -> snap-confine -> exec()').

Can you provide a working snap or instructions on how to reproduce?

Jamie Strandboge (jdstrand) wrote:

I should mention that I can reproduce the denial outside of ssh (and I see it in ssh). I also think the denial may just be noise...

Leo Arias (elopio) wrote:

I've attached the snap to reproduce it.

$ sudo snap install thefuck*.snap --dangerous --classic
$ thefuck --alias

I ran this locally in my machine.

Evan (ev)
tags: added: isv
Evan (ev) wrote:

I can reproduce this:

$ az
runtime/cgo: pthread_create failed: Resource temporarily unavailable
runtime/cgo: pthread_create failed: Resource temporarily unavailable
runtime/cgo: pthread_create failed: Resource temporarily unavailable
runtime/cgo: pthread_create failed: Resource temporarily unavailable
runtime/cgo: runtime/cgo: pthread_create failed: Resource temporarily unavailable
runtime/cgo: pthread_create failed: Resource temporarily unavailable
runtime/cgo: runtime/cgo: runtime/cgo: runtime/cgo: pthread_create failed: Resource temporarily unavailable
^C

From journalctl:

Mar 09 07:59:56 elsa audit[26168]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/tty" pid=26168 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=501 ouid=0
Mar 09 07:59:56 elsa kernel: audit: type=1400 audit(1489067996.514:236): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/tty" pid=26168 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=501 ouid=0

$ snap list
Name                 Version                    Rev    Developer   Notes
az                   2.0.0+dev                  x6                 classic
canonical-pc-linux   4.4.0-18+20160419.13-26    24     canonical   -
core                 16-2                       1337   canonical   -
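
The syslog line in the bug description and the two journalctl lines in the comment above carry the same key=value payload after the apparmor= token, and the profile field is what tells you which component was denied: /usr/lib/snapd/snap-confine is the launcher (Zygmunt's point), whereas a profile named snap.<snap>.<app> would be the application's own. The following parser is added here as an illustration and is not part of this report, of snapd, or of the thefuck snap; it needs only the Python standard library. The first three sample lines are copied from the report; the snap.thefuck.thefuck line is constructed to show what a denial under an application profile would look like, and the last line is an ordinary debug message that must be ignored.

```python
"""Triage AppArmor DENIED records from syslog or journalctl output.

Illustrative code added to this bug report; not part of snapd or of the
thefuck snap. Standard library only.
"""
import re
from typing import Dict, List, Optional

# key="quoted value" or key=bare_value, as emitted by the AppArmor audit code.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The launcher's own profile, as named in the report's denial lines.
# Anything named snap.<snap>.<app> is the application's profile instead.
SNAP_CONFINE_PROFILE = "/usr/lib/snapd/snap-confine"


def parse_apparmor_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an apparmor="DENIED" record, or None for any other line.

    Handles both formats seen in this report: the kernel/syslog form
    ('kernel: [...] audit: type=1400 audit(...): apparmor="DENIED" ...') and the
    journald form ('audit[pid]: AVC apparmor="DENIED" ...'). Both carry the
    same key=value payload starting at the 'apparmor=' token.
    """
    start = line.find('apparmor="')
    if start < 0:
        return None
    fields: Dict[str, str] = {}
    for match in _KV_RE.finditer(line[start:]):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def classify_profile(profile: str) -> str:
    """Attribute a denial to a component, judging by the profile name."""
    if profile == SNAP_CONFINE_PROFILE:
        return "snap-confine"
    if profile.startswith("snap."):
        return "snap-app"
    return "other"


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Reduce raw log lines to the fields that matter when attributing a denial."""
    results: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_apparmor_denial(line)
        if fields is None:
            continue
        profile = fields.get("profile", "")
        results.append({
            "kind": classify_profile(profile),
            "profile": profile,
            "comm": fields.get("comm", ""),
            "pid": fields.get("pid", ""),
            "operation": fields.get("operation", ""),
            "name": fields.get("name", ""),
            "denied_mask": fields.get("denied_mask", ""),
        })
    return results


# Sample input. Lines 1-3 are copied from this report. Line 4 is constructed
# (not from the report) to show a denial under an application profile.
# Line 5 is a snap debug message, not an audit record, and must be skipped.
SAMPLE_LINES = [
    'Feb 14 02:13:55 juju-07fb34-remote-devel-0 kernel: [459201.195163] audit: type=1400 audit(1487038435.912:849): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/tty" pid=10382 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0',
    'Mar 09 07:59:56 elsa audit[26168]: AVC apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/tty" pid=26168 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=501 ouid=0',
    'Mar 09 07:59:56 elsa kernel: audit: type=1400 audit(1489067996.514:236): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/tty" pid=26168 comm="snap-confine" requested_mask="wr" denied_mask="wr" fsuid=501 ouid=0',
    # constructed example, not taken from the report
    'Mar 09 08:00:01 elsa kernel: audit: type=1400 audit(1489067997.000:237): apparmor="DENIED" operation="open" profile="snap.thefuck.thefuck" name="/home/user/.bash_history" pid=26200 comm="python3" requested_mask="r" denied_mask="r" fsuid=501 ouid=501',
    'Feb 14 02:13:55 juju-07fb34-remote-devel-0 thefuck[10382]: cmd.go:105: DEBUG: restarting into "/snap/core/current/usr/bin/snap"',
]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES):
        print("{kind:12} profile={profile} comm={comm} pid={pid} "
              "{operation} {name} denied={denied_mask}".format(**entry))
```

Run against the lines above, the three report lines all come back as kind=snap-confine with comm=snap-confine and name=/dev/tty, so whatever the app does with the TTY, the denial itself belongs to the launcher's profile; only the constructed line is attributed to the application.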

Evan (ev) wrote:

And it finally died with:

runtime/cgo: pthread_create failed: Resource temporarily unavailable
runtime/cgo: runtime/cgo: need to run as root or suid

Changed in snappy:
status: Incomplete → Confirmed
Sergio Schvezov (sergiusens) wrote:

May I mention that this snap has no built python3 interpreter, so the `classic` part might not be as portable as desired until major snapd/core work happens to support this.

Stuart Bishop (stub) wrote:

This looks like a dupe of Bug #1669306 to me. If /snap/thefuck/current/command-thefuck.wrapper has no mention of python or python3 then it is.

Stuart Bishop (stub) wrote:

Yes, Bug #1669306. I can reproduce the failure, and the following snapcraft.yaml with an altered `command:` works fine:

name: thefuck
version: master
summary: Magnificent app which corrects your previous console command
description: |
  The Fuck tries to match a rule for the previous command, creates a new
  command using the matched rule and runs it

grade: devel
confinement: classic

apps:
  thefuck:
    command: usr/bin/python3 $SNAP/bin/thefuck

parts:
  thefuck:
    source: .
    plugin: python

Leo Arias (elopio) wrote:

Thanks, Stuart!

Julian Alarcon (julian-alarcon) wrote:

Is this still an issue?
