confined snaps don't work on live images due to apparmor path mapping

Bug #1729867 reported by Steve Langasek on 2017-11-03
Affects: snapd (Ubuntu) | Importance: High | Assigned to: Jamie Strandboge
Affects: snapd (Ubuntu) Bionic | Importance: High | Assigned to: Jamie Strandboge

Bug Description

Ubuntu MATE 17.10 images include pulsemixer as a snap preinstalled. This snap doesn't work as part of the live system, because it's a confined snap, which means apparmor mediation is in effect.

The apparmor profiles end up blocking everything, because the livefs uses an overlay filesystem (possibly currently aufs instead of overlayfs, this bears checking - but we can assume this should be overlayfs going forward), and from the kernel's perspective, none of the paths that the process is trying to access match the ones in the apparmor profile because the "real" paths on the filesystem are all /rofs/[...] instead of /[...].

As snaps become increasingly integrated in Ubuntu, we will need them working in live sessions also. Talking with jdstrand, there are two possible options here:
 - do work in snapd / apparmor to detect overlay and handle the mapping of paths in the apparmor profile
 - have snapd detect overlay and disable apparmor confinement for these snaps.

I think this needs to be resolved for 18.04.

The issue does not affect classic confined snaps on live environments, since no apparmor profile is applied to them. (I.e. subiquity works fine as a snap.)
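An added example (not snapd's or apparmor's own code) of the two steps behind the first option above: detect from /proc/self/mountinfo whether / is an overlay and recover its lowerdir, then give each absolute file rule in a profile a twin under the lowerdir prefix so the kernel-visible /rofs/... path is also permitted. The mountinfo lines and the profile fragment are constructed, and the rewriter is limited to simple absolute-path file rules (rules using @{...} variables or an owner prefix are left untouched).

```python
import re
from typing import List

# Constructed /proc/self/mountinfo excerpt for a live session: / is an
# overlay whose read-only lower layer is the squashfs mounted at /rofs.
SAMPLE_MOUNTINFO = """\
21 1 0:19 / / rw,relatime - overlay overlay rw,lowerdir=/rofs,upperdir=/cow/upper,workdir=/cow/work
22 21 0:5 / /proc rw,nosuid - proc proc rw
23 21 0:6 / /rofs ro,relatime - squashfs /dev/loop0 ro
"""

def overlay_lowerdirs(mountinfo: str) -> List[str]:
    """Return the lowerdir paths of the root mount if it is an overlay, else []."""
    for line in mountinfo.splitlines():
        fields = line.split()
        # mountinfo: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
        if len(fields) < 5 or fields[4] != "/" or "-" not in fields:
            continue
        sep = fields.index("-")
        fstype, super_opts = fields[sep + 1], fields[sep + 3]
        if fstype != "overlay":
            return []
        for opt in super_opts.split(","):
            if opt.startswith("lowerdir="):
                return opt[len("lowerdir="):].split(":")
    return []

# Matches plain file rules such as "  /usr/share/pulsemixer/** r," and
# captures indentation, the absolute path, and the permission/comma tail.
PATH_RULE = re.compile(r"^(\s*)(/\S+)(\s+[rwamklixpPuUcC]+,)$")

def add_overlay_rules(profile: str, lowerdirs: List[str]) -> str:
    """Duplicate each absolute file rule once per lowerdir, prefixed with it.

    Non-file rules (capability, network, ...) and rules not starting with a
    literal '/' are copied through unchanged.
    """
    out = []
    for line in profile.splitlines():
        out.append(line)
        m = PATH_RULE.match(line)
        if m:
            indent, path, tail = m.groups()
            for low in lowerdirs:
                out.append(f"{indent}{low}{path}{tail}")
    return "\n".join(out) + "\n"
```

On a non-live system `overlay_lowerdirs` returns an empty list and `add_overlay_rules` then leaves the profile exactly as it was.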

Steve Langasek (vorlon) on 2017-11-03
tags: added: snaps-in-main
Changed in snapd (Ubuntu):
importance: Undecided → High
Changed in snapd (Ubuntu Bionic):
status: New → Confirmed
Changed in snapd (Ubuntu Bionic):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Changed in snapd (Ubuntu Bionic):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

The fix for this is merged in snapd master and the upcoming 2.32. This will be fixed with snapd 2.32.

Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1729867

tags: added: iso-testing
Changed in snapd (Ubuntu Bionic):
status: Fix Committed → Fix Released