snap-confine doesn't work with new snap-run/snap-exec flow
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snap-confine | Fix Released | Critical | Zygmunt Krynicki | 1.0.41
snap-confine (Ubuntu) | Fix Released | Undecided | Unassigned |
snap-confine (Ubuntu Xenial) | Fix Committed | Undecided | Unassigned |
Bug Description
[Impact]
The architecture changes in snapd that involve the new snap-run -> snap-confine -> snap-exec flow require changes to the apparmor profile of snap-confine to function.
This bug was fixed by a member of the security team.
For more information about the execution environment, please see this article http://
[Test Case]
The test case is that snap applications continue to work normally, which they do since this change is already in Ubuntu.
Since this is a fundamental aspect of running snap applications this aspect is tested with each and every pull request and release by nearly every test (because each test tries to run snap applications).
[Regression Potential]
* Regression potential is minimal as the alternative is that snap applications cannot start at all.
* The fix was tested on Ubuntu with spread, successfully.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https:/
== # Pre-SRU bug description follows # ==
snap-confine used to be invoked directly to run a set of applications under confinement. With the new flow in snapd the actual order of execution changed to:
snap-run -> snap-confine -> snap-exec -> application code
This requires tweaks to the apparmor policy of snap-confine.
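When an exec transition is missing from the snap-confine profile, the symptom is an AppArmor denial with operation="exec" in the kernel or audit log rather than an obvious error from the application. The script below is an added example, not code from the bug report or from snapd: it summarises such denials so that the profile and the target it was refused stand out. The log lines are constructed for the example, and the paths /usr/lib/snapd/snap-confine and /usr/lib/snapd/snap-exec are assumed, not taken from this page.

```shell
#!/bin/sh
# Added example (not part of the bug report or of snapd): summarise AppArmor
# "exec" denials from a kernel/audit log so that a missing exec transition in
# a profile such as snap-confine's stands out.
# The log lines below are constructed for this example; the snap-confine and
# snap-exec paths are assumptions, not facts from the bug.

SAMPLE_LOG=$(cat <<'EOF'
audit: type=1400 audit(1473000000.123:45): apparmor="DENIED" operation="exec" profile="/usr/lib/snapd/snap-confine" name="/usr/lib/snapd/snap-exec" pid=1234 comm="snap-confine" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1473000000.124:46): apparmor="ALLOWED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/etc/ld.so.cache" pid=1234 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1473000000.125:47): apparmor="DENIED" operation="exec" profile="snap.hello-world.hello-world" name="/bin/true" pid=1235 comm="snap-exec" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1473000000.126:48): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/etc/shadow" pid=1234 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
EOF
)

# Print "profile -> name" for every DENIED exec event in the given log text,
# one pair per line, deduplicated. Non-exec denials and ALLOWED (complain-mode)
# events are filtered out so only blocked transitions remain.
exec_denials() {
    printf '%s\n' "$1" |
      grep 'apparmor="DENIED"' |
      grep 'operation="exec"' |
      sed -n 's/.* profile="\([^"]*\)" name="\([^"]*\)".*/\1 -> \2/p' |
      sort -u
}

# Count the distinct DENIED exec targets for one profile ($2) in log text ($1).
# "|| true" keeps grep's exit status 1 on zero matches from aborting a
# caller running under "set -e".
count_exec_denials_for() {
    exec_denials "$1" | grep -c "^$2 -> " || true
}

# Usage: on a live system feed the real log instead of the sample, e.g.
#   exec_denials "$(journalctl -k --no-pager)"
exec_denials "$SAMPLE_LOG"
```

On a system where snap-confine's profile lacks the rule for the snap-run -> snap-confine -> snap-exec chain, the first line of output would name snap-confine as the profile and snap-exec as the refused target; once the profile is fixed that pair disappears from the output while unrelated denials (such as the snap's own profile refusing /bin/true) remain visible.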
Changed in snap-confine:
  importance: Undecided → Critical
  status: New → In Progress
  milestone: none → 1.0.41
Changed in snap-confine:
  assignee: nobody → Zygmunt Krynicki (zyga)
Changed in snap-confine:
  status: In Progress → Fix Committed
Changed in snap-confine:
  status: Fix Committed → Fix Released
  description: updated
Changed in snap-confine (Ubuntu):
  status: New → Fix Released
Changed in snap-confine (Ubuntu Xenial):
  status: New → In Progress
NB: http://paste.ubuntu.com/23146292/