This appears related to the recent zesty kernel update. If I use a xenial VM and update to the zesty kernel, I can reproduce. E.g.:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
$ cat /proc/version_signature
Ubuntu 4.4.0-62.83-generic 4.4.40
$ sudo snap install --jailmode --classic python0
python0 0.9.1 from 'zygoon' installed
$ python0
>>> ctrl-D # it worked
Now install the zesty kernel and reboot:
$ cat /proc/version_signature
Ubuntu 4.10.0-8.10-generic 4.10.0-rc8
$ python0
/snap/python0/2/usr/bin/python0: error while loading shared libraries: libm.so.6: failed to map segment from shared object
with this denial:
apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/x1/lib/x86_64-linux-gnu/libm-2.23.so" pid=1299 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
While '--classic' with '--jailmode' is a bit of a corner case, the change in mediation needs to be looked at.
Looking at the policy, we see this:
# Read-only access to the core snap.
@{INSTALL_DIR}/core/** r,
If we add this rule to classicJailmodeSnippet in interfaces/apparmor/template.go it works:
@{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,
This rule is fine to add there, but it's a curious difference of behavior between 4.4 and 4.10. @jjohansen, can you comment?
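As an added check (example code, not part of the comment above and not snapd's own implementation), the script below parses the quoted denial and tests whether the existing read-only rule and the proposed mmap rule would cover it, using a simplified model of AppArmor glob matching. The variable values in VARS and the glob semantics are assumptions; snapd's template defines its own values for @{INSTALL_DIR} and @{multiarch}.

```python
import re

# The denial quoted in the comment, embedded here as the sample input
# (a constructed string, not a live log read).
DENIAL = ('apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" '
          'name="/snap/core/x1/lib/x86_64-linux-gnu/libm-2.23.so" pid=1299 '
          'comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0')

# The two rules from the comment: the existing read-only rule and the proposed one.
EXISTING_RULE = ("@{INSTALL_DIR}/core/**", "r")
PROPOSED_RULE = ("@{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so*", "m")

# Assumed values for the template variables (the real snapd template defines
# its own; INSTALL_DIR there also covers the /var/lib/snapd/snap mount point).
VARS = {"INSTALL_DIR": "/snap", "multiarch": "*-linux-gnu*"}


def parse_denial(line):
    """Split an AppArmor audit line into its key=value fields."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def glob_to_regex(pattern, variables=VARS):
    """AppArmor path glob -> anchored regex. '*' stays inside one path component,
    '**' crosses components, '?' is one non-'/' char, '{a,b}' is alternation.
    (A ',' outside braces would end the rule, so it is not expected here.)"""
    for name, value in variables.items():
        pattern = pattern.replace("@{%s}" % name, value)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}
    tokens = re.findall(r"\*\*|[*?{},]|[^*?{},]+", pattern)
    return re.compile("^" + "".join(table.get(t, re.escape(t)) for t in tokens) + "$")


def rule_covers(rule, path, mask):
    """True if the (glob, perms) rule matches path and grants every bit in mask."""
    glob, perms = rule
    return bool(glob_to_regex(glob).match(path)) and set(mask) <= set(perms)


def rules_covering(line, rules):
    """Return the rules that would have allowed the access denied in line."""
    fields = parse_denial(line)
    return [r for r in rules if rule_covers(r, fields["name"], fields["denied_mask"])]


if __name__ == "__main__":
    # Only the proposed rule grants "m" on the denied libm path.
    print(rules_covering(DENIAL, [EXISTING_RULE, PROPOSED_RULE]))
```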