cannot use content interface with a snap in 'classic' confinement

Bug #1655369 reported by Florian Boucault
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Canonical System Image | Confirmed | Medium | Pat McGowan | |
| Ubuntu Terminal App | Invalid | Undecided | Unassigned | |
| snapd | Triaged | Medium | Unassigned | |

Bug Description

If a snap uses 'classic' confinement, adding 'platform' to the plugs makes the snap non-installable.

When installing, the following AppArmor-related error is displayed:

http://pastebin.ubuntu.com/23776549/

Tags: personal
Jamie Strandboge (jdstrand) wrote :

Can you provide a snap/snapcraft.yaml that displays the problem?

Changed in snapd (Ubuntu):
status: New → Incomplete
Adam Stokes (adam-stokes) wrote :

Seeing the same issue, this is the branch I'm working from:

https://github.com/conjure-up/conjure-up/tree/snapcraft-updates/snapcraft

It could be I'm just doing something wrong, so any advice is much appreciated.

Changed in snapd (Ubuntu):
status: Incomplete → New
Jamie Strandboge (jdstrand) wrote :

Adam, you are using 'confinement: classic' and therefore have no need for 'plugs'. If you remove your plugs lines, I believe your snap will work. You should only use 'plugs' with 'confinement: devmode' and 'confinement: strict'. (I'll add a check to the review tools to help with this)

Jamie Strandboge (jdstrand) wrote :

Florian, the comment to Adam applies to you also, sort of. In general you do not want to use 'plugs' with a 'confinement: classic' snap, but I can see a case of using the 'content' interface with classic in certain situations. For this, the classic apparmor e'x'ec policy needs to make room for the content e'x'ec policy.

Jamie Strandboge (jdstrand) wrote :

Looking at this more, I think there is enough information to fix this issue, but Florian, please provide a reproducer.

Changed in snapd (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
summary: - cannot use the platform plug with a snap in 'classic' confinement
+ cannot use content interface with a snap in 'classic' confinement
affects: snapd (Ubuntu) → snappy
Changed in snappy:
assignee: Jamie Strandboge (jdstrand) → nobody
assignee: nobody → Jamie Strandboge (jdstrand)
Zygmunt Krynicki (zyga) wrote :

I think the key thing to notice is that when "confinement: classic" is used we don't process any content interface rules. There is no sharing (no mounting) happening as that would bleed into the host and thus to all the snaps as well (since they share /snap from the host).

Jamie Strandboge (jdstrand) wrote :

@Zygmunt, based on this, it sounds like snapd should refuse any interface connections when using classic and it should be documented that when using 'confinement: classic', you may not use plugs or slots. snapcraft and the review tools can error in this case.
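
Editor's added example (not part of any comment in this thread, and not code from snapd, snapcraft or the review tools): one way to implement the check discussed above, flagging every plug or slot declared by a 'confinement: classic' snap and resolving which interface each refers to, so that content-interface entries can be told apart. The function names and the sample snap are hypothetical; the input is assumed to be the mapping a YAML loader returns for snap.yaml or snapcraft.yaml.

```python
# Added example: lint check for plugs/slots declared by a classic snap.
# Names are hypothetical; this is not the review tools' implementation.

# Constructed sample, shaped as a YAML loader would return it.
CONSTRUCTED_SNAP = {
    "name": "example-classic-snap",
    "confinement": "classic",
    "plugs": {"platform": {"interface": "content", "target": "$SNAP/platform"}},
    "apps": {"example": {"command": "bin/example",
                         "plugs": ["platform", "network"]}},
}


def _interface(name, decl):
    """Resolve the interface a top-level plug/slot declaration refers to."""
    if isinstance(decl, dict):
        return decl.get("interface", name)   # explicit 'interface:' key
    if isinstance(decl, str):
        return decl                          # shorthand 'name: interface'
    return name                              # bare 'name:' entry


def classic_interface_findings(snap):
    """Return (location, name, interface) for each plug/slot in a classic snap.

    Returns an empty list for strict or devmode snaps, where plugs are expected.
    """
    if snap.get("confinement") != "classic":
        return []
    findings, declared = [], {}
    for side in ("plugs", "slots"):
        for name, decl in (snap.get(side) or {}).items():
            declared[(side, name)] = _interface(name, decl)
            findings.append((side, name, declared[(side, name)]))
    for app, body in (snap.get("apps") or {}).items():
        for side in ("plugs", "slots"):
            for name in (body or {}).get(side) or []:
                # An app-level entry names a top-level declaration if one
                # exists, otherwise it is the interface name itself.
                iface = declared.get((side, name), name)
                findings.append((f"apps.{app}.{side}", name, iface))
    return findings


if __name__ == "__main__":
    for location, name, iface in classic_interface_findings(CONSTRUCTED_SNAP):
        print(f"{location}: '{name}' (interface: {iface}) declared in a classic snap")
```
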

Changed in canonical-devices-system-image:
assignee: nobody → Pat McGowan (pat-mcgowan)
importance: Undecided → Medium
milestone: none → p2
status: New → Confirmed
tags: added: personal
Changed in ubuntu-terminal-app:
status: New → Invalid
Marco Trevisan (Treviño) (3v1n0) wrote :

This doesn't seem to be the case anymore, at least when using classic with plugs in order to reuse content...

Maybe this should be addressed now though: https://forum.snapcraft.io/t/enable-content-interface-type-between-classic-confinement-snaps/3780/3

Changed in snappy:
assignee: Jamie Strandboge (jdstrand) → nobody
Michael Vogt (mvo)
affects: snappy → snapd