snaps with classic + jailmode confinement started to fail on zesty
Bug #1666897 reported by Zygmunt Krynicki
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | Fix Released | High | Zygmunt Krynicki |
linux (Ubuntu) | Confirmed | High | Andy Whitcroft |
Xenial | Fix Released | Undecided | Unassigned |
Yakkety | Fix Released | Undecided | Unassigned |
Bug Description
We just noticed that zesty started to fail when a snap using classic confinement is installed in jailmode.

```
$ snap install --jailmode --classic python0
$ python0 (doesn't work)
/snap/python0/
```

And in the system log you can see:

```
[ 2929.841318] audit: type=1400 audit(148777057
```
Changed in snapd:
- importance: Undecided → High
- status: New → Confirmed

Changed in snapd:
- assignee: nobody → Zygmunt Krynicki (zyga)

Changed in snapd:
- status: Confirmed → Fix Committed

affects: linux-meta (Ubuntu) → linux (Ubuntu)
This appears related to the recent zesty kernel update. If I use a xenial VM and update to the zesty kernel, I can reproduce. Eg:
```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:        16.04
Codename:       xenial
$ cat /proc/version_signature
Ubuntu 4.4.0-62.83-generic 4.4.40
$ sudo snap install --jailmode --classic python0
python0 0.9.1 from 'zygoon' installed
$ python0
>>> ctrl-D # it worked
```
Now install the zesty kernel and reboot:
```
$ cat /proc/version_signature
Ubuntu 4.10.0-8.10-generic 4.10.0-rc8
$ python0
/snap/python0/2/usr/bin/python0: error while loading shared libraries: libm.so.6: failed to map segment from shared object
```

with this denial:

```
apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/x1/lib/x86_64-linux-gnu/libm-2.23.so" pid=1299 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
```
While '--classic' with '--jailmode' is a bit of a corner case, the change in mediation needs to be looked at.
Looking at the policy, we see this:
```
# Read-only access to the core snap.
@{INSTALL_DIR}/core/** r,
```

If we add this rule to classicJailmodeSnippet in interfaces/apparmor/template.go it works:

```
@{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,
```
This rule is fine to add to there, but it's a curious difference of behavior between 4.4 and 4.10. @jjohansen, can you comment?
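The following is an added example, not snapd code and not something the commenter posted: a small Python checker that parses AppArmor DENIED audit lines of the shape quoted in the comment and tests whether a candidate file rule's glob covers the denied path with the denied permission bits, so a rule like the `m` rule proposed above can be confirmed against the logged denial before policy is rebuilt. The values assumed for `@{INSTALL_DIR}` and `@{multiarch}`, the sample log lines and the `gconv/` module that the rule deliberately does not cover are all constructed for the example; only the glob subset these rules use (`*`, `**`, `{a,b}`, `@{VAR}`) is implemented, and `aa-logprof` and `apparmor_parser` remain the real tools.

```python
"""Does a proposed AppArmor file rule cover the paths in DENIED audit lines?
Added example for this bug, not snapd code and no substitute for aa-logprof or
apparmor_parser; it handles only the glob subset used here: * ** {a,b} @{VAR}."""
import re

# Assumed variable expansions (constructed, not read from a real profile):
# snaps live under /snap and the machine is amd64.
VARIABLES = {"INSTALL_DIR": ["/snap"], "multiarch": ["x86_64-linux-gnu"]}

# Constructed audit lines modelled on the denial quoted in the comment: the
# libm mmap denial, an iconv module under gconv/ that the proposed rule does
# not cover, and a non-denial that must be ignored.
SAMPLE_LOG = """\
audit: type=1400 audit(1487770000.100:41): apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/x1/lib/x86_64-linux-gnu/libm-2.23.so" pid=1299 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
audit: type=1400 audit(1487770000.100:42): apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/x1/usr/lib/x86_64-linux-gnu/gconv/UTF-16.so" pid=1299 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
audit: type=1400 audit(1487770000.100:43): apparmor="ALLOWED" operation="open" profile="snap.python0.python0" name="/snap/core/x1/etc/ld.so.cache" pid=1299 comm="python0" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# The template's existing read-only rule, then the rule proposed in the comment.
RULES_BEFORE = ["@{INSTALL_DIR}/core/** r,"]
RULES_AFTER = RULES_BEFORE + ["@{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,"]

_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_line(line):
    """Key=value fields of one audit line as a dict, with quotes stripped."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def parse_rule(rule):
    """Split a file rule 'glob perms,' into (glob, set of permission letters)."""
    m = re.fullmatch(r"(\S+)\s+(\S+),", rule.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    return m.group(1), set(m.group(2))

def expand_variables(pattern):
    """Substitute every @{VAR}; one pattern per combination of values."""
    m = re.search(r"@\{(\w+)\}", pattern)
    if not m:
        return [pattern]
    return [p for value in VARIABLES[m.group(1)]
            for p in expand_variables(pattern[:m.start()] + value + pattern[m.end():])]

def expand_braces(pattern):
    """Expand {a,b,...} alternation; {,usr/} yields '' and 'usr/'."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(pattern[:m.start()] + alt + pattern[m.end():])]

def glob_to_regex(plain):
    """AppArmor semantics: '*' stops at '/', '**' crosses directories."""
    out, i = [], 0
    while i < len(plain):
        if plain.startswith("**", i):
            out.append(".*")
            i += 2
        elif plain[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(plain[i]))
            i += 1
    return "".join(out)

def glob_matches(glob, path):
    """True if the rule's path glob matches the absolute path from the denial."""
    return any(
        re.fullmatch(glob_to_regex(plain), path)
        for with_vars in expand_variables(glob)
        for plain in expand_braces(with_vars)
    )

def uncovered_denials(log_text, rules):
    """(path, permissions still missing) for each DENIED line the rules do not
    fully grant; an empty list means the rule set resolves every denial."""
    parsed = [parse_rule(r) for r in rules]
    missing = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        need = set(f.get("denied_mask", ""))
        granted = set()
        for glob, perms in parsed:
            if glob_matches(glob, f["name"]):
                granted |= perms
        if not need <= granted:
            missing.append((f["name"], "".join(sorted(need - granted))))
    return missing

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label, uncovered_denials(SAMPLE_LOG, rules))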