Snappy

apparmor policy forbids using /tmp

Bug #1400320 reported by Martin Pitt on 2014-12-08
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Snappy
Fix Released
Medium
Michael Vogt
apparmor-easyprof-ubuntu-snappy (Ubuntu)
Fix Released
High
Jamie Strandboge
click-bin-path (Ubuntu)
Fix Released
High
Michael Vogt
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

A lot Ubuntu packages as well as many non-ubuntu upstream prjects assume that they can access /tmp/. This currently fails:

mktemp: failed to create file via template ‘/tmp/setup.sh.XXXXXXXXXX’: Permission denied

[ 3664.391441] audit: type=1400 audit(1418045400.880:25): apparmor="DENIED" operation="mknod" profile="ros-tutorial_rossnap_0.1" name="/tmp/setup.sh.EoM5hlXmUO" pid=1399 comm="mktemp" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

See original description
Martin Pitt (pitti) wrote :

Alternatively, the generated snappy-bin/ wrapper needs to uncomment the TMPDIR and make sure that the directory actually exists.

Martin Pitt (pitti) wrote :

Turns out ROS isn't respecting $TMPDIR (nor $TEMPDIR), so that wouldn't even help. I think a more robust alternative would be to mount a private /tmp into an app's mout namespace?

Michael Vogt (mvo) wrote :

This will be part of the new ubuntu-snap-launcher.

Alexander Sack (asac) wrote :

clearly a problem for our sourceries story; marking as devel and security XP; however, I beleive we should give apps their own confinded tmp space; lets check our FHS story and see what is missing or if there is just magic making apps find the right place...

Changed in snappy-ubuntu:
importance: Undecided → High
status: New → Confirmed
tags: added: snappy-xp-devel snappy-xp-security
description: updated
Martin Pitt (pitti) on 2014-12-14
information type: Embargoed → Public
Alexander Sack (asac) on 2014-12-14
information type: Public → Private
Alexander Sack (asac) on 2015-01-15
Changed in snappy-ubuntu:
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Allowing access to /tmp/** breaks application isolation which is why we don't allow it now. We agreed in Cape Town that the temp dir handling will be done by the launcher.

In the short term, that should be done by having the current launcher script set TMPDIR and make sure it exists. When the actual launcher is in place, the plan is to setup an overlayfs on /tmp, however the viability of using overlayfs in this capacity is still in question (investigations are still happening as of today), so an alternative may need to be put in place.

If neither of the above is feasible for ROS in the shortest of terms, we can *temporarily* relax our policy until we have the full story in place.

Martin Pitt (pitti) wrote :

Unfortunately $TMPDIR nor $TEMPDIR don't work for ROS. The README.md has a workaround how to locally allow this in the apparmor policy.

Alexander Sack (asac) wrote :

We should extend our FHS spec to include a TMP dir tjhat we set properly?

we can either add a SNAPP_TMPDIR and then apps can make their own wrapper or we just set TMPDIR directly also for those that honour that practice.

I would suggest that if noone else thinks different we just do /tmp/snapps/app/version/ ... and ensure that this is set.

Alexander Sack (asac) wrote :

I would say what I say is in line with current spirit. later overlayfs will sovlve these things, but for now, lets do that. jdstrand/mvo, who needs to do what task?

Alexander Sack (asac) wrote :

ok lets spec it in the way above:

+ [mvo] add app tmp dir to FHS spec: /tmp/snapps/app/version/
+ [mvo] snappy will create that dir if not exist
+ [jdstrand] apparmor default policy will allow the binaries access to their own tmp dir
+ [mvo] snappy will set SNAPP_TMPDIR, TMPDIR and TEMPDIR to that directory for max convenience.

Alexander Sack (asac) wrote :

also:
 + [pitti] to fix stuff so it honours that.

Jamie Strandboge (jdstrand) on 2015-01-15
Changed in apparmor-easyprof-ubuntu-snappy (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in snappy-ubuntu:
assignee: Jamie Strandboge (jdstrand) → nobody
Changed in click-bin-path (Ubuntu):
importance: Undecided → High
assignee: nobody → Michael Vogt (mvo)
Jamie Strandboge (jdstrand) on 2015-01-15
Changed in snappy-ubuntu:
assignee: nobody → Michael Vogt (mvo)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu-snappy - 1.3.6

---------------
apparmor-easyprof-ubuntu-snappy (1.3.6) vivid; urgency=medium

  * ubuntu-snappy/default (LP: #1400320): add access to app-specific temporary
    temp dir (/tmp/snapps/@{APP_PKGNAME}/@{APP_VERSION})
 -- Jamie Strandboge <email address hidden> Thu, 15 Jan 2015 15:49:14 -0600

Changed in apparmor-easyprof-ubuntu-snappy (Ubuntu):
status: In Progress → Fix Released
Michael Vogt (mvo) on 2015-01-16
Changed in click-bin-path (Ubuntu):
status: New → Fix Released
Martin Pitt (pitti) wrote :

> + [pitti] to fix stuff so it honours that.

Wrt. the ROS tutorial: I filed the problem and solution upstream: https://github.com/ros/catkin/issues/710
I applied the fix in the snap build script: https://bazaar.launchpad.net/~snappy-dev/snappy-hub/ros-tutorials/revision/10

Changed in snappy-ubuntu:
importance: High → Medium
Michael Vogt (mvo) on 2015-01-20
Changed in snappy-ubuntu:
status: Confirmed → Fix Released
Michael Terry (mterry) on 2015-05-18
affects: snappy-ubuntu → snappy
Jamie Strandboge (jdstrand) on 2015-05-22
information type: Private → Public
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers