Apparmor denies bind to abstract unix sockets such as @/var/lib/juju/mutex-/store-lock

Bug #1604967 reported by Nicholas Skaggs on 2016-07-20
This bug affects 2 people
Assigned to: Jamie Strandboge

Bug Description

After snapping up the juju client, attempting to perform a bootstrap gives me:

Log: apparmor="DENIED" operation="bind" profile="snap.juju.juju" pid=11972 comm="juju" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/var/lib/juju/mutex-/store-lock"

tags: added: snapd-interface
summary: - Apparmor denies bind to /var/lib/juju/mutex-/store-lock
+ Apparmor denies bind to abstract unix sockets such as @/var/lib/juju/mutex-/store-lock
Changed in snappy:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
tags: added: conjure
Nicholas Skaggs (nskaggs) wrote :

Jamie, what's the status on this?

Jamie Strandboge (jdstrand) wrote :

@Nicholas, planned but not implemented yet. It was deprioritized to make room for various GA work but is starting to bubble up to the top of the queue again.

Jamie Strandboge (jdstrand) wrote :

Is this still an issue for the juju snap?

Changed in snappy:
status: Triaged → Incomplete
affects: snappy → snapd
Adam Stokes (adam-stokes) wrote :

Yes, this is still an issue with juju confined snaps.

Zygmunt Krynicki (zyga) on 2017-08-18
Changed in snapd:
status: Incomplete → Triaged
Zygmunt Krynicki (zyga) wrote :

Is this an issue with apparmor proper or with snapd's use of apparmor for interfaces and confinement in general? Do we need to add a rule to one of the existing interfaces? Is this a new interface for juju specifically?

Changed in snapd:
status: Triaged → Incomplete
Jamie Strandboge (jdstrand) wrote :

FYI, I detailed some of what this might look like here: (where we allow snaps to create abstract sockets at @snap.SNAP_NAME.**). This concept could be extended in a similar fashion as the dbus interface, where it might be called 'socket' with a declared name that requires a snap declaration to use the name (that interface I would think would support both abstract and named sockets).

Changed in snapd:
status: Incomplete → Triaged
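An added example, not code from the bug report, snapd or juju, that works through the two technical points on this page: the AppArmor denial quoted in the description and the `@snap.SNAP_NAME.**` abstract-socket naming scheme Jamie sketches in the comment above. It parses DENIED log lines, separates abstract (`@`-prefixed) socket addresses from filesystem socket paths, checks whether an abstract address already sits inside the proposed per-snap namespace, and produces the policy line that would have permitted each operation. The first log line is the one from the description; the other three, the `in_snap_namespace` check and the exact spelling of the generated rules are assumptions made here, since the page only describes the scheme as a proposal.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input. The first line reproduces the denial quoted in the
# bug description; the remaining three are made up here for contrast.
SAMPLE_LOG = [
    'apparmor="DENIED" operation="bind" profile="snap.juju.juju" pid=11972 comm="juju" '
    'family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" '
    'addr="@/var/lib/juju/mutex-/store-lock"',
    # constructed: an abstract socket that already follows the proposed @snap.<snap>.** scheme
    'apparmor="DENIED" operation="bind" profile="snap.juju.juju" pid=11972 comm="juju" '
    'family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" '
    'addr="@snap.juju.store-lock"',
    # constructed: a filesystem (named) socket; AppArmor mediates these with file rules
    'apparmor="DENIED" operation="bind" profile="snap.example.app" pid=2222 comm="app" '
    'family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" '
    'addr="/run/example/app.sock"',
    # constructed: a non-socket denial the parser must skip
    'apparmor="DENIED" operation="open" profile="snap.example.app" pid=2222 comm="app" '
    'name="/etc/shadow" requested_mask="r" denied_mask="r"',
]

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line: str) -> dict:
    """Split an AppArmor audit/syslog line into its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


@dataclass
class UnixSocketDenial:
    profile: str
    operation: str
    sock_type: str
    addr: str

    @property
    def is_abstract(self) -> bool:
        # Abstract unix sockets are logged with a leading '@' (a NUL byte in the kernel).
        return self.addr.startswith("@")

    @property
    def snap(self) -> Optional[str]:
        # snapd names app profiles snap.<snap>.<app>.
        parts = self.profile.split(".")
        return parts[1] if len(parts) >= 3 and parts[0] == "snap" else None


def parse_unix_denial(line: str) -> Optional[UnixSocketDenial]:
    """Return a UnixSocketDenial for unix-socket DENIED lines, None for anything else."""
    f = parse_fields(line)
    if f.get("apparmor") != "DENIED" or f.get("family") != "unix" or "addr" not in f:
        return None
    return UnixSocketDenial(f.get("profile", ""), f.get("operation", ""),
                            f.get("sock_type", ""), f["addr"])


def in_snap_namespace(d: UnixSocketDenial) -> bool:
    """True if the abstract address already follows the proposed @snap.<snap>.** scheme."""
    return d.is_abstract and d.snap is not None and d.addr.startswith(f"@snap.{d.snap}.")


def suggest_rule(d: UnixSocketDenial) -> str:
    """Policy line that would have allowed exactly this operation.

    Abstract sockets are mediated by AppArmor 'unix' rules; filesystem (named)
    sockets are mediated by ordinary file rules, so the two cases differ.
    """
    if d.is_abstract:
        if in_snap_namespace(d):
            # Generic per-snap rule of the kind the proposal would ship for every snap
            # (assumption: the exact form snapd would use is not given on the page).
            return f'unix ({d.operation}) type={d.sock_type} addr="@snap.{d.snap}.**",'
        # Address outside the snap's own namespace: only a snap-specific interface or
        # declaration could grant it, and the rule has to name the address explicitly.
        return f'unix ({d.operation}) type={d.sock_type} addr="{d.addr}",'
    # Named socket: bind() on the path needs write access to it.
    return f"{d.addr} w,"


def triage(lines: List[str]) -> List[Tuple[str, str, bool, str]]:
    """Map each unix-socket denial to (profile, addr, already namespaced?, suggested rule)."""
    out = []
    for line in lines:
        d = parse_unix_denial(line)
        if d is not None:
            out.append((d.profile, d.addr, in_snap_namespace(d), suggest_rule(d)))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run against the description's line, the triage shows why a generic per-snap rule would not have helped juju as reported: the address `@/var/lib/juju/mutex-/store-lock` is outside any `@snap.juju.` prefix, so either the snap renames its socket or a dedicated interface has to grant that specific address.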
Tim McNamara (tim-clicks) wrote :

Adding Juju as an affected project as this bug affects our ability to use strict confinement for our snaps.

Changed in juju:
status: New → Confirmed