/run/lock/snap.@{SNAP_INSTANCE_NAME}/ AppArmor rule is not set up
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| snapd |
Fix Committed
|
Medium
|
Zygmunt Krynicki | ||
Bug Description
snapd revision: 05617fa2c59bf3d
I am trying to apply strict confinement to an application that uses lock files under /var/lock but the profile does not include a per-snap directory under /var/lock:
grep /run/snap /var/lib/
/run/
/run/
/run/
mount | grep /run/lock
tmpfs on /run/lock type tmpfs (rw,nosuid,
Bind-mounting via layouts is not an option for "/run/lock" since it is blocked by the respective code that makes sure that layouts do not include the "/run" prefix.
https:/
Use-case:
Libvirt uses lock files in order to work with VM consoles:
virsh console instance-00000004
Connected to domain instance-00000004
Escape character is ^]
error: Couldn't create lock file for device '/dev/pts/0' in path '/var/lock/
https:/
https:/
https:/
| summary: |
- /run/lock/snap.@{SNAP_INSTANCE_NAME}/ is not set up + /run/lock/snap.@{SNAP_INSTANCE_NAME}/ AppArmor rule is not set up |
| Zygmunt Krynicki (zyga) wrote | #1 |
| Changed in snapd: | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| Zygmunt Krynicki (zyga) wrote | #2 |
| Changed in snapd: | |
| assignee: | nobody → Zygmunt Krynicki (zyga) |
| status: | Confirmed → In Progress |
| Changed in snapd: | |
| milestone: | none → 2.46 |
| status: | In Progress → Fix Committed |
I had a look at the apparmor template and confirmed that no such rules are present. As long as the snap prefix is included I don't see a reason why we would not grant this access.