| 2016-05-22 11:09:55 |
Pedro Coca |
bug |
|
|
added bug |
| 2016-05-23 15:06:49 |
Jamie Strandboge |
snappy: status |
New |
Incomplete |
|
| 2016-05-23 17:50:37 |
Jamie Strandboge |
tags |
|
apparmor |
|
| 2016-05-24 09:03:52 |
Yann Sionneau |
bug |
|
|
added subscriber Yann Sionneau |
| 2016-05-24 09:08:47 |
Patrick Boettcher |
bug |
|
|
added subscriber Patrick Boettcher |
| 2016-05-24 09:23:45 |
Yann Sionneau |
snappy: status |
Incomplete |
New |
|
| 2016-05-25 16:51:21 |
Jamie Strandboge |
snappy: status |
New |
Incomplete |
|
| 2016-05-26 15:37:01 |
Yann Sionneau |
snappy: status |
Incomplete |
New |
|
| 2016-05-26 23:48:30 |
Tyler Hicks |
snappy: status |
New |
Confirmed |
|
| 2016-08-12 16:24:19 |
Jamie Strandboge |
bug task added |
|
linux (Ubuntu) |
|
| 2016-08-12 16:24:32 |
Jamie Strandboge |
affects |
snappy |
snap-confine |
|
| 2016-08-12 16:24:45 |
Jamie Strandboge |
linux (Ubuntu): status |
New |
Confirmed |
|
| 2016-08-12 16:24:54 |
Jamie Strandboge |
linux (Ubuntu): assignee |
|
Tyler Hicks (tyhicks) |
|
| 2016-08-12 16:25:09 |
Jamie Strandboge |
snap-confine: status |
Confirmed |
In Progress |
|
| 2016-08-12 16:25:13 |
Jamie Strandboge |
snap-confine: assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2016-08-12 17:42:53 |
Zygmunt Krynicki |
snap-confine: milestone |
|
1.0.40 |
|
| 2016-08-12 17:42:57 |
Zygmunt Krynicki |
snap-confine: status |
In Progress |
Fix Committed |
|
| 2016-08-22 11:42:48 |
Zygmunt Krynicki |
snap-confine: status |
Fix Committed |
Fix Released |
|
| 2016-09-06 12:57:44 |
Martin Pitt |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2016-09-06 12:57:51 |
Martin Pitt |
bug |
|
|
added subscriber SRU Verification |
| 2016-09-06 12:57:59 |
Martin Pitt |
tags |
apparmor |
apparmor verification-needed |
|
| 2016-09-20 13:01:03 |
Zygmunt Krynicki |
description |
- Finding issues running snaps (hello-world).
- Same issue even installing with --devmode. Even running the snap binary as root
- Using a custom kernel, this is on an Nvidia Tegra X1 custom board.
=====================================
ubuntu@localhost:~$ hello-world.echo plop
unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
ubuntu@localhost:~$ sudo hello-world.echo plop
unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
dmesg shows:
=====================================
[ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
operation="mount" info="failed mntpnt match" error=-13 parent=911
profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
[ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
operation="mount" info="failed mntpnt match" error=-13 parent=914
profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
This is with the "hello-world" snap installed with "snap install"
Output of an ls over the device file:
=====================================
ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx
/dev/pts:
total 0
c--------- 1 root root 5, 2 Jan 1 1970 ptmx |
[Impact]
snap-confine would refuse to work on an older kernel running on an Nvidia Tegra X1 board. This was traced to a bug in older version of apparmor there that required directory-like syntax for /dev/pts/ptmx (with a trailing slash).
This bug is fixed by adding an apparmor rule, identical to the normal rule, with an extra slash. Older kernels will use the new rule while current kernels will just ignore it.
[Test Case]
On an Nvidia Tegra X1 board, running 3.10.96 snap-confine should no longer fail to start. On Ubuntu Xenial (all architectures) there should be no perceived change.
Snap-confine is carefully tested with a battery of spread tests that can be found here: https://github.com/snapcore/snap-confine/blob/master/spread-tests/
The test cases are ran automatically for each pull request and for each final release.
All those tests were executed successfully for this release. As a simple test case consider running any snap (any at all, including hello-world).
[Regression Potential]
* Regression potential is minimal as the fix simply adds another apparmor rule that grants additional permissions that are only picked up by old buggy kernels.
* The fix was tested on Ubuntu via spread.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
- Finding issues running snaps (hello-world).
- Same issue even installing with --devmode. Even running the snap binary as root
- Using a custom kernel, this is on an Nvidia Tegra X1 custom board.
=====================================
ubuntu@localhost:~$ hello-world.echo plop
unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
ubuntu@localhost:~$ sudo hello-world.echo plop
unable to mount '/dev/pts/ptmx'->'/dev/ptmx'. errmsg: Permission denied
dmesg shows:
=====================================
[ 302.838046] type=1400 audit(1455208371.989:16): apparmor="DENIED"
operation="mount" info="failed mntpnt match" error=-13 parent=911
profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=912
comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
[ 308.080449] type=1400 audit(1455208377.229:17): apparmor="DENIED"
operation="mount" info="failed mntpnt match" error=-13 parent=914
profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915
comm="ubuntu-core-lau" srcname="/dev/pts/ptmx/" flags="rw, bind"
This is with the "hello-world" snap installed with "snap install"
Output of an ls over the device file:
=====================================
ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx
/dev/pts:
total 0
c--------- 1 root root 5, 2 Jan 1 1970 ptmx |
|
| 2016-09-21 03:33:15 |
Michael Hudson-Doyle |
bug task added |
|
snap-confine (Ubuntu) |
|
| 2016-09-21 03:35:09 |
Michael Hudson-Doyle |
snap-confine (Ubuntu): status |
New |
Fix Released |
|
| 2016-09-21 03:42:27 |
Michael Hudson-Doyle |
nominated for series |
|
Ubuntu Xenial |
|
| 2016-09-21 03:42:27 |
Michael Hudson-Doyle |
bug task added |
|
linux (Ubuntu Xenial) |
|
| 2016-09-21 03:42:27 |
Michael Hudson-Doyle |
bug task added |
|
snap-confine (Ubuntu Xenial) |
|
| 2016-09-21 03:43:01 |
Michael Hudson-Doyle |
bug task deleted |
linux (Ubuntu Xenial) |
|
|
| 2016-09-21 03:43:08 |
Michael Hudson-Doyle |
snap-confine (Ubuntu Xenial): status |
New |
In Progress |
|
| 2016-09-27 15:34:15 |
Zygmunt Krynicki |
tags |
apparmor verification-needed |
apparmor verification-done |
|
| 2016-09-27 15:43:34 |
Launchpad Janitor |
snap-confine (Ubuntu Xenial): status |
In Progress |
Fix Released |
|
| 2016-09-27 15:43:48 |
Andy Whitcroft |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
