snap-confine doesn't work from per-snap namespaces it creates
Bug #1644439 reported by
Zygmunt Krynicki
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| snap-confine |
Fix Released
|
High
|
Zygmunt Krynicki | ||
Bug Description
This is a mirror of the following github issue:
https:/
Technically this is caused by the fact that per-snap namesapce doesn't contain /run/snapd/ns/ from the outer, main mount namespace as it has to be a privately shared mount point to satisfy kernel requirements.
As a solution snap-confine should measure the namespace of pid 1 and its own namespace and setns to the pid 1 namespace if they differ, before trying to create a derivative namespace of any kind.
| Changed in snap-confine: | |
| milestone: | none → 1.0.45 |
| importance: | Undecided → High |
| status: | New → In Progress |
| assignee: | nobody → Zygmunt Krynicki (zyga) |
Revision history for this message
| Chris Wayne (cwayne) wrote | #1 |
| Changed in snap-confine: | |
| milestone: | 2.19 → none |
Revision history for this message
| Zygmunt Krynicki (zyga) wrote | #2 |
Revision history for this message
| Zygmunt Krynicki (zyga) wrote | #3 |
Revision history for this message
| Chris Wayne (cwayne) wrote | #4 |
Revision history for this message
| Jerry Kao (jerry.kao) wrote | #5 |
Revision history for this message
| Zygmunt Krynicki (zyga) wrote | #6 |
| Changed in snap-confine: | |
| status: | In Progress → Fix Committed |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Any update on this?