| 2016-07-25 15:10:26 |
Jamie Strandboge |
bug |
|
|
added bug |
| 2016-07-25 15:11:20 |
Jamie Strandboge |
tags |
|
snapd-interface |
|
| 2016-07-25 15:15:32 |
Jamie Strandboge |
description |
The log-observe interface is broken due to how we handle bind mounts now. This can be seen with 'snappy-debug':
$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
sys.exit(main())
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
from_end=opt.only_new)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
self.scan_log(log_file, snap_name, follow, from_end)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
log = open_file_read(log_file)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
orig = codecs.open(path, 'r', "UTF-8", errors="replace")
File "/usr/lib/python3.5/codecs.py", line 895, in open
file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log btmp dpkg.log fsck watchdog
bootstrap.log dmesg faillog lastlog wtmp
This may also be a problem with other interfaces, I haven't checked extensively, though it seems that /var/lib/extrausers (from the nameservice abstraction) won't work right, and (at least) ppp (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also affected. |
The log-observe interface is broken due to how we handle bind mounts now. This can be seen with 'snappy-debug':
$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
sys.exit(main())
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
from_end=opt.only_new)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
self.scan_log(log_file, snap_name, follow, from_end)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
log = open_file_read(log_file)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
orig = codecs.open(path, 'r', "UTF-8", errors="replace")
File "/usr/lib/python3.5/codecs.py", line 895, in open
file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log btmp dpkg.log fsck watchdog
bootstrap.log dmesg faillog lastlog wtmp
This may also be a problem with other interfaces, I haven't checked extensively, though it seems that /var/lib/extrausers (from the nameservice abstraction) won't work right, and (at least) ppp (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also affected.
WORKAROUND for snappy-debug: launch outside of the launcher:
$ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog |
|
| 2016-07-25 15:21:39 |
Zygmunt Krynicki |
bug task added |
|
snap-confine |
|
| 2016-07-25 15:21:47 |
Zygmunt Krynicki |
snap-confine: status |
New |
In Progress |
|
| 2016-07-25 15:21:49 |
Zygmunt Krynicki |
snap-confine: importance |
Undecided |
Critical |
|
| 2016-07-25 15:21:53 |
Zygmunt Krynicki |
snap-confine: assignee |
|
Zygmunt Krynicki (zyga) |
|
| 2016-07-25 15:21:56 |
Zygmunt Krynicki |
snap-confine: milestone |
|
1.0.39 |
|
| 2016-07-27 11:54:29 |
Zygmunt Krynicki |
snap-confine: status |
In Progress |
Fix Released |
|
| 2016-07-27 12:21:15 |
Michael Vogt |
nominated for series |
|
Ubuntu Xenial |
|
| 2016-07-27 12:21:15 |
Michael Vogt |
bug task added |
|
snap-confine (Ubuntu Xenial) |
|
| 2016-07-27 12:33:37 |
Steve Langasek |
tags |
snapd-interface |
regression-proposed snapd-interface |
|
| 2016-07-27 12:34:08 |
Steve Langasek |
snap-confine (Ubuntu Xenial): status |
New |
Fix Committed |
|
| 2016-07-27 12:34:10 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2016-07-27 12:34:15 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
| 2016-07-27 12:34:19 |
Steve Langasek |
tags |
regression-proposed snapd-interface |
regression-proposed snapd-interface verification-needed |
|
| 2016-07-27 16:15:54 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Yakkety |
|
| 2016-07-27 16:15:54 |
Jamie Strandboge |
bug task added |
|
snap-confine (Ubuntu Yakkety) |
|
| 2016-07-27 16:17:02 |
Jamie Strandboge |
snap-confine (Ubuntu Yakkety): status |
New |
In Progress |
|
| 2016-07-27 20:14:21 |
Jamie Strandboge |
tags |
regression-proposed snapd-interface verification-needed |
regression-proposed snapd-interface verification-done |
|
| 2016-07-29 13:48:13 |
Stéphane Graber |
tags |
regression-proposed snapd-interface verification-done |
regression-proposed snapd-interface verification-failed |
|
| 2016-07-30 18:58:00 |
Launchpad Janitor |
snap-confine (Ubuntu Yakkety): status |
In Progress |
Fix Released |
|
| 2016-07-31 23:06:57 |
Mathew Hodson |
snap-confine (Ubuntu Xenial): importance |
Undecided |
Medium |
|
| 2016-07-31 23:07:00 |
Mathew Hodson |
snap-confine (Ubuntu Yakkety): importance |
Undecided |
Medium |
|
| 2016-08-02 08:09:32 |
Martin Pitt |
tags |
regression-proposed snapd-interface verification-failed |
snapd-interface verification-needed |
|
| 2016-08-02 18:45:10 |
Jamie Strandboge |
tags |
snapd-interface verification-needed |
snapd-interface verification-done |
|
| 2016-08-26 14:11:02 |
Jamie Strandboge |
snap-confine (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2016-09-20 08:34:29 |
Zygmunt Krynicki |
description |
The log-observe interface is broken due to how we handle bind mounts now. This can be seen with 'snappy-debug':
$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
sys.exit(main())
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
from_end=opt.only_new)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
self.scan_log(log_file, snap_name, follow, from_end)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
log = open_file_read(log_file)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
orig = codecs.open(path, 'r', "UTF-8", errors="replace")
File "/usr/lib/python3.5/codecs.py", line 895, in open
file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log btmp dpkg.log fsck watchdog
bootstrap.log dmesg faillog lastlog wtmp
This may also be a problem with other interfaces, I haven't checked extensively, though it seems that /var/lib/extrausers (from the nameservice abstraction) won't work right, and (at least) ppp (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also affected.
WORKAROUND for snappy-debug: launch outside of the launcher:
$ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog |
[Impact]
The snapd interface "log-observe" is broken due to how we handle bind mounts.
This bug is fixed by adding /var/log to a list of directories that are bind mounted and thus visible to snaps in their execution environment.
For more information about the execution environment, please see this article http://www.zygoon.pl/2016/08/snap-execution-environment.html
[Test Case]
The test case can be found here:
https://github.com/snapcore/snap-confine/blob/master/spread-tests/regression/lp-1606277/task.yaml
The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.
[Regression Potential]
* Regression potential is minimal as the fix simply adds another directory to a list of directories that needs to be bind mounted.
* The fix was tested on Ubuntu via spread and on several other distributions successfully.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure.
== # Pre-SRU bug description follows # ==
The log-observe interface is broken due to how we handle bind mounts now. This can be seen with 'snappy-debug':
$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
sys.exit(main())
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
from_end=opt.only_new)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
self.scan_log(log_file, snap_name, follow, from_end)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
log = open_file_read(log_file)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
orig = codecs.open(path, 'r', "UTF-8", errors="replace")
File "/usr/lib/python3.5/codecs.py", line 895, in open
file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log btmp dpkg.log fsck watchdog
bootstrap.log dmesg faillog lastlog wtmp
This may also be a problem with other interfaces, I haven't checked extensively, though it seems that /var/lib/extrausers (from the nameservice abstraction) won't work right, and (at least) ppp (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also affected.
WORKAROUND for snappy-debug: launch outside of the launcher:
$ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog |
|
| 2016-09-20 08:35:22 |
Zygmunt Krynicki |
description |
[Impact]
The snapd interface "log-observe" is broken due to how we handle bind mounts.
This bug is fixed by adding /var/log to a list of directories that are bind mounted and thus visible to snaps in their execution environment.
For more information about the execution environment, please see this article http://www.zygoon.pl/2016/08/snap-execution-environment.html
[Test Case]
The test case can be found here:
https://github.com/snapcore/snap-confine/blob/master/spread-tests/regression/lp-1606277/task.yaml
The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.
[Regression Potential]
* Regression potential is minimal as the fix simply adds another directory to a list of directories that needs to be bind mounted.
* The fix was tested on Ubuntu via spread and on several other distributions successfully.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure.
== # Pre-SRU bug description follows # ==
The log-observe interface is broken due to how we handle bind mounts now. This can be seen with 'snappy-debug':
$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
sys.exit(main())
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
from_end=opt.only_new)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
self.scan_log(log_file, snap_name, follow, from_end)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
log = open_file_read(log_file)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
orig = codecs.open(path, 'r', "UTF-8", errors="replace")
File "/usr/lib/python3.5/codecs.py", line 895, in open
file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log btmp dpkg.log fsck watchdog
bootstrap.log dmesg faillog lastlog wtmp
This may also be a problem with other interfaces, I haven't checked extensively, though it seems that /var/lib/extrausers (from the nameservice abstraction) won't work right, and (at least) ppp (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also affected.
WORKAROUND for snappy-debug: launch outside of the launcher:
$ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog |
[Impact]
The snapd interface "log-observe" is broken due to how we handle bind mounts.
This bug is fixed by adding /var/log to a list of directories that are bind mounted and thus visible to snaps in their execution environment.
For more information about the execution environment, please see this article http://www.zygoon.pl/2016/08/snap-execution-environment.html
[Test Case]
The test case can be found here:
https://github.com/snapcore/snap-confine/blob/master/spread-tests/regression/lp-1606277/task.yaml
The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.
[Regression Potential]
* Regression potential is minimal as the fix simply adds another directory to a list of directories that needs to be bind mounted.
* The fix was tested on Ubuntu via spread and on several other distributions successfully.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
The log-observe interface is broken due to how we handle bind mounts now. This can be seen with 'snappy-debug':
$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
sys.exit(main())
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
from_end=opt.only_new)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
self.scan_log(log_file, snap_name, follow, from_end)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
log = open_file_read(log_file)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
orig = codecs.open(path, 'r', "UTF-8", errors="replace")
File "/usr/lib/python3.5/codecs.py", line 895, in open
file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log btmp dpkg.log fsck watchdog
bootstrap.log dmesg faillog lastlog wtmp
This may also be a problem with other interfaces, I haven't checked extensively, though it seems that /var/lib/extrausers (from the nameservice abstraction) won't work right, and (at least) ppp (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also affected.
WORKAROUND for snappy-debug: launch outside of the launcher:
$ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog |
|
| 2016-10-04 10:15:26 |
Andy Whitcroft |
snap-confine (Ubuntu Xenial): status |
Fix Released |
In Progress |
|
| 2016-10-04 10:15:40 |
Andy Whitcroft |
snap-confine (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2016-10-04 10:15:44 |
Andy Whitcroft |
tags |
snapd-interface verification-done |
snapd-interface |
|
| 2016-10-04 10:15:46 |
Andy Whitcroft |
tags |
snapd-interface |
snapd-interface verification-needed |
|
| 2016-10-10 15:23:40 |
Ara Pulido |
tags |
snapd-interface verification-needed |
snapd-interface verification-done |
|
| 2016-10-10 20:20:51 |
Launchpad Janitor |
snap-confine (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2016-10-10 20:21:19 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
