/run/lock/snap.@{SNAP_INSTANCE_NAME}/ AppArmor rule is not set up
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd | Fix Released | Medium | Zygmunt Krynicki | |
Bug Description
snapd revision: 05617fa2c59bf3d
I am trying to apply strict confinement to an application that uses lock files under /var/lock but the profile does not include a per-snap directory under /var/lock:
```
grep /run/snap /var/lib/
/run/
/run/
/run/
```

```
mount | grep /run/lock
tmpfs on /run/lock type tmpfs (rw,nosuid,
```
Bind-mounting via layouts is not an option for "/run/lock" since it is blocked by the respective code that makes sure that layouts do not include the "/run" prefix.
https:/
Use-case:
Libvirt uses lock files in order to work with VM consoles:
```
virsh console instance-00000004
Connected to domain instance-00000004
Escape character is ^]
error: Couldn't create lock file for device '/dev/pts/0' in path '/var/lock/
```
https:/
https:/
https:/
summary:
- /run/lock/snap.@{SNAP_INSTANCE_NAME}/ is not set up
+ /run/lock/snap.@{SNAP_INSTANCE_NAME}/ AppArmor rule is not set up

Changed in snapd:
milestone: none → 2.46
status: In Progress → Fix Committed

Changed in snapd:
status: Fix Committed → Fix Released
I had a look at the apparmor template and confirmed that no such rules are present. As long as the snap prefix is included I don't see a reason why we would not grant this access.
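To make the missing rule concrete, here is an added example (it is not snapd's code and not the committed fix): a small Python checker that parses AppArmor file rules, expands the snapd-style `@{SNAP_INSTANCE_NAME}` variable, applies AppArmor globbing (`*` stops at `/`, `**` crosses it), and reports whether a given path is granted a permission, with `deny` rules taking precedence. The two profile fragments, the `libvirt` instance name and the lock file name are constructed for the example; the shape of the `/run/lock/snap.@{SNAP_INSTANCE_NAME}/` rules is an assumption illustrating what the report asks for.

```python
import re

# Constructed profile fragment: the per-snap /run directory is granted,
# but nothing under /run/lock is (the situation described in the report).
PROFILE_WITHOUT_RULE = """
/run/snap.@{SNAP_INSTANCE_NAME}/ rw,
/run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
"""

# Assumed rule shape for a per-snap lock directory; an illustration only,
# not the rule that was actually committed to the snapd template.
PROFILE_WITH_RULE = PROFILE_WITHOUT_RULE + """
/run/lock/snap.@{SNAP_INSTANCE_NAME}/ rw,
/run/lock/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
"""

# A file rule: optional qualifiers, an absolute path, a permission string, a comma.
RULE_RE = re.compile(r"^((?:(?:audit|deny|owner)\s+)*)(/\S*)\s+([a-zA-Z]+)\s*,$")


def expand_variables(path, variables):
    """Replace @{NAME} occurrences with the values supplied for this snap."""
    for name, value in variables.items():
        path = path.replace("@{%s}" % name, value)
    return path


def glob_to_regex(pattern):
    """Translate AppArmor path globbing into an anchored regular expression.

    '**' matches any characters including '/', '*' and '?' stop at '/'.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(profile_text, variables):
    """Return a list of (deny, compiled_path_regex, perms) for each file rule."""
    rules = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a file rule (e.g. capability or network rule)
        qualifiers, path, perms = m.groups()
        deny = "deny" in qualifiers.split()
        rules.append((deny, glob_to_regex(expand_variables(path, variables)), perms))
    return rules


def permitted(profile_text, path, perm, variables):
    """True if some allow rule grants `perm` on `path` and no deny rule matches it."""
    allowed = False
    for deny, regex, perms in parse_rules(profile_text, variables):
        if regex.match(path) and perm in perms:
            if deny:
                return False  # deny rules win over any allow rule
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed instance name and lock file name for the demonstration.
    variables = {"SNAP_INSTANCE_NAME": "libvirt"}
    lock_file = "/run/lock/snap.libvirt/LCK..pts_0"
    for label, profile in (("without", PROFILE_WITHOUT_RULE), ("with", PROFILE_WITH_RULE)):
        print("%s rule: write to %s -> %s" % (label, lock_file,
              permitted(profile, lock_file, "w", variables)))
```

Running it on a real profile from /var/lib/snapd/apparmor/profiles/ would only need the file's text passed as `profile_text`; the checker ignores everything that is not a plain file rule, so it is a quick audit of "does this path get this permission" rather than a full AppArmor parser.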