2016-09-08 20:50:28 |
Jamie Strandboge |
bug |
|
|
added bug |
2016-09-08 21:01:18 |
Zygmunt Krynicki |
snap-confine: status |
In Progress |
Fix Committed |
|
2016-09-20 06:41:47 |
Zygmunt Krynicki |
snap-confine: status |
Fix Committed |
Fix Released |
|
2016-09-20 18:36:06 |
Zygmunt Krynicki |
description |
Logging into an Ubuntu 16.04 machine that has a confined sshd and running 'hello-world', I see this denial:
kernel: [180734.692698] audit: type=1400 audit(1473365455.056:98): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/pts/2" pid=28375 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
What is happening is that the fd is being remediated since it is not coming from an unconfined process. Fix is:
/dev/pts/[0-9]* rw, |
[Impact]
When snap-confine itself is invoked over an SSH connection, with ssh using non-standard Apparmor confinement, snap-confine would fail.
This change was introduced by a member of the security team who is using this non-standard configuration.
[Test Case]
TBD
[Regression Potential]
* Minimal, snap-confine has a more permissive apparmor profile that allows it to access /dev/pts/[0-9]* for both reading and writing.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
Logging into an Ubuntu 16.04 machine that has a confined sshd and running 'hello-world', I see this denial:
kernel: [180734.692698] audit: type=1400 audit(1473365455.056:98): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/pts/2" pid=28375 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
What is happening is that the fd is being remediated since it is not coming from an unconfined process. Fix is:
/dev/pts/[0-9]* rw, |
|
2016-09-21 00:54:40 |
Michael Hudson-Doyle |
bug task added |
|
snap-confine (Ubuntu) |
|
2016-09-21 00:55:16 |
Michael Hudson-Doyle |
snap-confine (Ubuntu): status |
New |
Fix Released |
|
2016-09-21 00:57:10 |
Michael Hudson-Doyle |
nominated for series |
|
Ubuntu Xenial |
|
2016-09-21 00:57:10 |
Michael Hudson-Doyle |
bug task added |
|
snap-confine (Ubuntu Xenial) |
|
2016-09-21 03:47:59 |
Michael Hudson-Doyle |
snap-confine (Ubuntu Xenial): status |
New |
In Progress |
|
2016-09-21 11:52:25 |
Jamie Strandboge |
description |
[Impact]
When snap-confine itself is invoked over an SSH connection, with ssh using non-standard Apparmor confinement, snap-confine would fail.
This change was introduced by a member of the security team who is using this non-standard configuration.
[Test Case]
TBD
[Regression Potential]
* Minimal, snap-confine has a more permissive apparmor profile that allows it to access /dev/pts/[0-9]* for both reading and writing.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
Logging into an Ubuntu 16.04 machine that has a confined sshd and running 'hello-world', I see this denial:
kernel: [180734.692698] audit: type=1400 audit(1473365455.056:98): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/pts/2" pid=28375 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
What is happening is that the fd is being remediated since it is not coming from an unconfined process. Fix is:
/dev/pts/[0-9]* rw, |
[Impact]
When snap-confine itself is invoked over an SSH connection, with ssh using non-standard Apparmor confinement, snap-confine would fail.
This change was introduced by a member of the security team who is using this non-standard configuration.
[Test Case]
Ensure that the policy compiles and does not regress using snaps over ssh. Eg:
$ ssh foo
$ sudo snap install hello-world
$ hello-world
[Regression Potential]
* Minimal, snap-confine has a more permissive apparmor profile that allows it to access /dev/pts/[0-9]* for both reading and writing.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
Logging into an Ubuntu 16.04 machine that has a confined sshd and running 'hello-world', I see this denial:
kernel: [180734.692698] audit: type=1400 audit(1473365455.056:98): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/pts/2" pid=28375 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
What is happening is that the fd is being remediated since it is not coming from an unconfined process. Fix is:
/dev/pts/[0-9]* rw, |
|
2016-09-21 11:52:49 |
Jamie Strandboge |
description |
[Impact]
When snap-confine itself is invoked over an SSH connection, with ssh using non-standard Apparmor confinement, snap-confine would fail.
This change was introduced by a member of the security team who is using this non-standard configuration.
[Test Case]
Ensure that the policy compiles and does not regress using snaps over ssh. Eg:
$ ssh foo
$ sudo snap install hello-world
$ hello-world
[Regression Potential]
* Minimal, snap-confine has a more permissive apparmor profile that allows it to access /dev/pts/[0-9]* for both reading and writing.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
Logging into an Ubuntu 16.04 machine that has a confined sshd and running 'hello-world', I see this denial:
kernel: [180734.692698] audit: type=1400 audit(1473365455.056:98): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/pts/2" pid=28375 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
What is happening is that the fd is being remediated since it is not coming from an unconfined process. Fix is:
/dev/pts/[0-9]* rw, |
[Impact]
When snap-confine itself is invoked over an SSH connection, with sshd using non-standard Apparmor confinement with pam-apparmor, snap-confine would fail.
This change was introduced by a member of the security team who is using this non-standard configuration.
[Test Case]
Ensure that the policy compiles and does not regress using snaps over ssh. Eg:
$ ssh foo
$ sudo snap install hello-world
$ hello-world
[Regression Potential]
* Minimal, snap-confine has a more permissive apparmor profile that allows it to access /dev/pts/[0-9]* for both reading and writing.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
Logging into an Ubuntu 16.04 machine that has a confined sshd and running 'hello-world', I see this denial:
kernel: [180734.692698] audit: type=1400 audit(1473365455.056:98): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/pts/2" pid=28375 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
What is happening is that the fd is being remediated since it is not coming from an unconfined process. Fix is:
/dev/pts/[0-9]* rw, |
|
2017-03-07 17:35:23 |
Simon Déziel |
bug |
|
|
added subscriber Simon Déziel |