Activity log for bug #1621127

Date Who What changed Old value New value Message
2016-09-07 14:56:25 Zygmunt Krynicki bug added bug
2016-09-07 14:56:32 Zygmunt Krynicki snap-confine: importance Undecided Critical
2016-09-07 14:56:34 Zygmunt Krynicki snap-confine: status New In Progress
2016-09-07 14:56:49 Zygmunt Krynicki snap-confine: milestone 1.0.41
2016-09-07 19:36:18 Zygmunt Krynicki snap-confine: assignee Zygmunt Krynicki (zyga)
2016-09-12 07:21:43 Zygmunt Krynicki description TBD snap-confine used to be invoked directly to run a set of applications under confinement. With the new flow in snapd the actual order of execution changed to: snap-run -> snap-confine -> snap-exec -> application code This requires tweaks to the apparmor policy of snap-confine.
2016-09-16 16:14:23 Zygmunt Krynicki snap-confine: status In Progress Fix Committed
2016-09-20 06:41:08 Zygmunt Krynicki snap-confine: status Fix Committed Fix Released
2016-09-20 18:41:16 Zygmunt Krynicki description snap-confine used to be invoked directly to run a set of applications under confinement. With the new flow in snapd the actual order of execution changed to: snap-run -> snap-confine -> snap-exec -> application code This requires tweaks to the apparmor policy of snap-confine.
[Impact]
The architecture changes in snapd that involve the new snap-run -> snap-confine -> snap-exec flow require changes to the apparmor profile of snap-confine to function. This bug was fixed by a member of the security team. For more information about the execution environment, please see this article http://www.zygoon.pl/2016/08/snap-execution-environment.html
[Test Case]
The test case is that snap applications continue to work normally, which they do since this change is already in Ubuntu. Since this is a fundamental aspect of running snap applications this aspect is tested with each and every pull request and release by nearly every test (because each test tries to run snap applications).
[Regression Potential]
* Regression potential is minimal as the alternative is that snap applications cannot start at all.
* The fix was tested on Ubuntu with spread, successfully.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
snap-confine used to be invoked directly to run a set of applications under confinement.
With the new flow in snapd the actual order of execution changed to:
snap-run -> snap-confine -> snap-exec -> application code
This requires tweaks to the apparmor policy of snap-confine.
2016-09-21 00:54:54 Michael Hudson-Doyle bug task added snap-confine (Ubuntu)
2016-09-21 00:55:25 Michael Hudson-Doyle snap-confine (Ubuntu): status New Fix Released
2016-09-21 00:57:17 Michael Hudson-Doyle nominated for series Ubuntu Xenial
2016-09-21 00:57:17 Michael Hudson-Doyle bug task added snap-confine (Ubuntu Xenial)
2016-09-21 03:47:48 Michael Hudson-Doyle snap-confine (Ubuntu Xenial): status New In Progress
2016-10-10 14:58:40 Jamie Strandboge snap-confine (Ubuntu Xenial): status In Progress Fix Committed