2017-01-17 12:10:07 |
Zygmunt Krynicki |
description |
On Fedora, snap-confine is using Linux capabilities and doesn't run as root. This apparently prevents it from performing one specific mount operation, the one that captures the mount namespace of a running process and preserves it in a file. The particular operation is similar to mount --bind /proc/$PID/ns/mnt /run/ns/snapd/$SNAP_NAME.mnt.
It would be good to inspect the kernel and see if that specific operation is covered by the appropriate capability or if we really need to run as regular root to do this. |
This bug is a clone of the following GitHub issue: https://github.com/snapcore/snapd/issues/2569 |
|