Apparmor denies bind to abstract unix sockets such as @/var/lib/juju/mutex-/store-lock

Bug #1604967 reported by Nicholas Skaggs
This bug affects 3 people
Affects         Status        Importance  Assigned to       Milestone
Canonical Juju  Confirmed     Low         Unassigned
snapd           Fix Released  High        Jamie Strandboge

Bug Description

After snapping up the juju client, attempting to perform a bootstrap gives me:

Log: apparmor="DENIED" operation="bind" profile="snap.juju.juju" pid=11972 comm="juju" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/var/lib/juju/mutex-/store-lock"

tags: added: snapd-interface
summary: - Apparmor denies bind to /var/lib/juju/mutex-/store-lock
         + Apparmor denies bind to abstract unix sockets such as @/var/lib/juju/mutex-/store-lock
Changed in snappy:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
tags: added: conjure
Nicholas Skaggs (nskaggs) wrote:

Jamie, what's the status on this?

Jamie Strandboge (jdstrand) wrote:

@Nicholas, planned but not implemented yet. It was deprioritized to make room for various GA work but is starting to bubble up to the top of the queue again.

Jamie Strandboge (jdstrand) wrote:

Is this still an issue for the juju snap?

Changed in snappy:
status: Triaged → Incomplete
affects: snappy → snapd
Adam Stokes (adam-stokes) wrote:

Yes, this is still an issue with juju confined snaps.

Zygmunt Krynicki (zyga)
Changed in snapd:
status: Incomplete → Triaged
Zygmunt Krynicki (zyga) wrote:

Is this an issue with apparmor proper or with snapd's use of apparmor for interfaces and confinement in general? Do we need to add a rule to one of the existing interfaces? Is this a new interface for juju specifically?

Changed in snapd:
status: Triaged → Incomplete
Jamie Strandboge (jdstrand) wrote:

FYI, I detailed some of what this might look like here: https://forum.snapcraft.io/t/how-to-use-dbus-run-session-on-ubuntu-core/7077/2 (where we allow snaps to create abstract sockets at @snap.SNAP_NAME.**). This concept could be extended in a similar fashion as the dbus interface, where it might be called 'socket' with a declared name that requires a snap declaration to use the name (that interface I would think would support both abstract and named sockets).
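As an added triage example (not part of this bug thread or of snapd), the script below parses AppArmor audit lines like the one in the report and checks whether the denied abstract socket name would fall under a rule shaped like the @snap.SNAP_NAME.** namespace Jamie describes. The exact rule shape is an assumption taken from the comment above; the second log line is constructed to show a name that would be covered.

```python
import re

# key=value tokens of an AppArmor audit line; values may be double-quoted.
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the first line is the denial from the bug report, the second
# is a constructed variant whose address sits inside @snap.<name>.** .
LOG_LINES = [
    'apparmor="DENIED" operation="bind" profile="snap.juju.juju" pid=11972 '
    'comm="juju" family="unix" sock_type="stream" protocol=0 requested_mask="bind" '
    'denied_mask="bind" addr="@/var/lib/juju/mutex-/store-lock"',
    'apparmor="DENIED" operation="bind" profile="snap.juju.juju" pid=11973 '
    'comm="juju" family="unix" sock_type="stream" protocol=0 requested_mask="bind" '
    'denied_mask="bind" addr="@snap.juju.mutex-/store-lock"',
]

def parse_audit(line):
    """Return the key=value fields of one audit line, with quotes stripped."""
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}

def snap_name(profile):
    """Extract <name> from a snap profile label of the form snap.<name>.<app>."""
    parts = profile.split(".")
    return parts[1] if len(parts) >= 3 and parts[0] == "snap" else None

def in_snap_namespace(addr, snap):
    """Assumed rule shape @snap.<snap>.** : '**' matches anything, '/' included."""
    return addr.startswith("@snap.%s." % snap)

def triage(line):
    """Classify a denial: is it an abstract unix bind, and would the
    snap-namespaced address rule have covered it?"""
    f = parse_audit(line)
    abstract_bind = (f.get("apparmor") == "DENIED"
                     and f.get("family") == "unix"
                     and "bind" in f.get("denied_mask", "")
                     and f.get("addr", "").startswith("@"))
    if not abstract_bind:
        return {"verdict": "not_abstract_unix_bind", "fields": f}
    snap = snap_name(f.get("profile", ""))
    if snap and in_snap_namespace(f["addr"], snap):
        verdict = "covered_by_snap_namespace"  # the rule would permit this name
    else:
        verdict = "outside_snap_namespace"     # app must move to @snap.<name>. names
    return {"verdict": verdict, "snap": snap, "addr": f["addr"], "fields": f}

if __name__ == "__main__":
    for line in LOG_LINES:
        result = triage(line)
        print(result["verdict"], result.get("addr"))
```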

Changed in snapd:
status: Incomplete → Triaged
Tim McNamara (tim-clicks) wrote:

Adding Juju as an affected project as this bug affects our ability to use strict confinement for our snaps.

Changed in juju:
status: New → Confirmed
Zygmunt Krynicki (zyga) wrote:

Jamie's post https://forum.snapcraft.io/t/how-to-use-dbus-run-session-on-ubuntu-core/7077/2 seems to indicate that this was fixed in 2.36.

I'm marking it as Fix Released. Please reopen if there is something specific that is also needed.

Changed in snapd:
status: Triaged → Fix Released
Canonical Juju QA Bot (juju-qa-bot) wrote:

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

Changed in juju:
importance: Undecided → Low
tags: added: expirebugs-bot