/run/lock/snap.@{SNAP_INSTANCE_NAME}/ AppArmor rule is not set up

Bug #1881590 reported by Dmitrii Shcherbakov
This bug affects 1 person

Affects: snapd
Status: Fix Committed
Importance: Medium
Assigned to: Zygmunt Krynicki
Milestone: 2.46

Bug Description

snapd revision: 05617fa2c59bf3dff9d25387fa671b7d01082b0a

I am trying to apply strict confinement to an application that uses lock files under /var/lock but the profile does not include a per-snap directory under /var/lock:

grep /run/snap /var/lib/snapd/apparmor/profiles/snap.microstack.libvirtd
  /run/snapd-snap.socket rw,
  /run/snap.@{SNAP_INSTANCE_NAME}/ rw,
  /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,

mount | grep /run/lock
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)

Bind-mounting via layouts is not an option for "/run/lock" since it is blocked by the respective code that makes sure that layouts do not include the "/run" prefix.


Libvirt uses lock files in order to work with VM consoles:

virsh console instance-00000004
Connected to domain instance-00000004
Escape character is ^]
error: Couldn't create lock file for device '/dev/pts/0' in path '/var/lock/LCK.._pts_0': Permission denied

https://github.com/libvirt/libvirt/blob/e9d51a221c1871da246ae8dbc5b5f71191f48be2/m4/virt-chrdev-lock-files.m4#L32-L33 (the prefix for lock files defaults to /var/lock)
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s09.html (FHS reference for /var/lock)
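The check below is an added example, not code from the bug report, from snapd or from the eventual fix. It takes a generated snapd AppArmor profile, reports whether it already grants the per-snap directory under /run/lock, and, if not, prints candidate rules that mirror the existing /run/snap.@{SNAP_INSTANCE_NAME} rules quoted above. The candidate rule text is an assumption (the shape of the existing rules copied to the new prefix); the sample profile is constructed from the three lines in the report so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report or snapd): check whether a generated
# snapd AppArmor profile grants a per-snap lock directory under /run/lock and,
# if not, print the rules that would mirror the existing
# /run/snap.@{SNAP_INSTANCE_NAME} rules. The mirrored rule text is an
# assumption; the only rules taken from the page are the /run/snap.* ones.

# Return 0 if the profile at $1 already has a rule for the per-snap /run/lock dir.
profile_has_run_lock_rule() {
    grep -Eq '^[[:space:]]*/run/lock/snap\.@\{SNAP_INSTANCE_NAME\}/' "$1"
}

# Print the /run/snap.@{SNAP_INSTANCE_NAME} rules of profile $1 rewritten for
# /run/lock/snap.@{SNAP_INSTANCE_NAME}, keeping their permission sets.
proposed_run_lock_rules() {
    grep -E '^[[:space:]]*/run/snap\.@\{SNAP_INSTANCE_NAME\}/' "$1" \
        | sed 's|/run/snap\.@{SNAP_INSTANCE_NAME}/|/run/lock/snap.@{SNAP_INSTANCE_NAME}/|'
}

# Constructed sample: the three /run lines quoted in the bug report, wrapped in a
# minimal profile skeleton so the check can run without a snapd host.
write_sample_profile() {
    cat > "$1" <<'EOF'
profile snap.microstack.libvirtd (attach_disconnected,mediate_deleted) {
  /run/snapd-snap.socket rw,
  /run/snap.@{SNAP_INSTANCE_NAME}/ rw,
  /run/snap.@{SNAP_INSTANCE_NAME}/** mrwklix,
}
EOF
}

# Usage on a real host (path taken from the bug report):
#   check_profile /var/lib/snapd/apparmor/profiles/snap.microstack.libvirtd
check_profile() {
    if profile_has_run_lock_rule "$1"; then
        echo "ok: $1 grants /run/lock/snap.@{SNAP_INSTANCE_NAME}/"
        return 0
    fi
    echo "missing: $1 has no /run/lock/snap.@{SNAP_INSTANCE_NAME}/ rule; candidate rules:"
    proposed_run_lock_rules "$1"
    return 1
}
```

The check only looks at the generated profile text; whether the directory itself exists under /run/lock at runtime, and whether libvirt is configured to use it instead of /var/lock, are separate questions that this script does not answer.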

summary: - /run/lock/snap.@{SNAP_INSTANCE_NAME}/ is not set up
+ /run/lock/snap.@{SNAP_INSTANCE_NAME}/ AppArmor rule is not set up
Zygmunt Krynicki (zyga) wrote:

I had a look at the apparmor template and confirmed that no such rules are present. As long as the snap prefix is included, I don't see a reason why we would not grant this access.

Changed in snapd:
status: New → Confirmed
importance: Undecided → Medium
Zygmunt Krynicki (zyga) wrote:

I've sent a pull request for this https://github.com/snapcore/snapd/pull/8909

Changed in snapd:
assignee: nobody → Zygmunt Krynicki (zyga)
status: Confirmed → In Progress
Zygmunt Krynicki (zyga)
Changed in snapd:
milestone: none → 2.46
status: In Progress → Fix Committed