confined snaps don't work on live images due to apparmor path mapping
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| snapd (Ubuntu) | Fix Released | High | Jamie Strandboge | |
| Bionic | Fix Released | High | Jamie Strandboge | |
Bug Description
Ubuntu MATE 17.10 images include pulsemixer as a snap preinstalled. This snap doesn't work as part of the live system, because it's a confined snap, which means apparmor mediation is in effect.
The apparmor profiles end up blocking everything, because the livefs uses an overlay filesystem (possibly currently aufs instead of overlayfs, this bears checking - but we can assume this should be overlayfs going forward), and from the kernel's perspective, none of the paths that the process is trying to access match the ones in the apparmor profile because the "real" paths on the filesystem are all /rofs/[...] instead of /[...].
As snaps become increasingly integrated in Ubuntu, we will need them working in live sessions also. Talking with jdstrand, there are two possible options here:
- do work in snapd / apparmor to detect overlay and handle the mapping of paths in the apparmor profile
- have snapd detect overlay and disable apparmor confinement for these snaps.
I think this needs to be resolved for 18.04.
The issue does not affect classic confined snaps on live environments, due to the lack of an apparmor profile being applied (i.e. subiquity works fine as a snap).
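To make the mismatch concrete, here is an added example (not part of the bug report or of snapd) that models AppArmor path matching in Python: the profile rules are written against `/usr/...` and `/etc/...`, while on the live image the kernel resolves the process's files to `/rofs/usr/...` and `/rofs/etc/...`, so no rule matches; the first option above (mapping the paths in the profile) is shown as an assumed `{,rofs/}` rewrite. The rule set, the sample paths and the simplified glob matcher are all constructed for illustration.

```python
import re

# Constructed illustration (not snapd's code): rules in the style of a strictly confined
# snap's AppArmor profile, written against normal root paths as the profile generator sees them.
PROFILE_RULES = [
    "/snap/pulsemixer/*/** r",
    "/usr/lib/**.so* mr",
    "/etc/pulse/** r",
]

def apparmor_glob_to_regex(pattern):
    """Simplified stand-in for the kernel's matcher: handles **, * and {a,b} only."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):   # ** crosses directory boundaries
            out, i = out + ".*", i + 2
            continue
        c = pattern[i]
        if c == "*":                      # * stays within one path component
            out += "[^/]*"
        elif c == "{":                    # {a,b} alternation; an empty alternative is allowed
            j = pattern.index("}", i)
            out += "(?:" + "|".join(re.escape(a) for a in pattern[i + 1:j].split(",")) + ")"
            i = j
        else:
            out += re.escape(c)
        i += 1
    return re.compile("^" + out + "$")

def allowed(rules, path, perm):
    """True if some rule grants permission `perm` (r, w, m, ...) on `path`."""
    for rule in rules:
        pattern, perms = rule.rsplit(" ", 1)
        if perm in perms and apparmor_glob_to_regex(pattern).match(path):
            return True
    return False

def add_overlay_prefix(rules, lower="rofs"):
    """First option from the report: rewrite each rule so it also matches the lower-layer
    path the kernel really sees. Assumed rewrite via {,x/} alternation, not snapd's fix."""
    return ["/{,%s/}" % lower + rule[1:] for rule in rules]

# Constructed sample: what the kernel sees on the live image (read-only layer at /rofs).
LIVE_PATHS = [
    ("/rofs/usr/lib/x86_64-linux-gnu/libpulse.so.0", "m"),
    ("/rofs/etc/pulse/client.conf", "r"),
]

def evaluate(rules, paths=LIVE_PATHS):
    return {path: allowed(rules, path, perm) for path, perm in paths}
```

Running `evaluate(PROFILE_RULES)` denies every live-image path, while `evaluate(add_overlay_prefix(PROFILE_RULES))` allows them and the rewritten rules still match the plain `/usr` and `/etc` paths on an installed system.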
tags: added: snaps-in-main
Changed in snapd (Ubuntu):
  importance: Undecided → High
Changed in snapd (Ubuntu Bionic):
  status: New → Confirmed
Changed in snapd (Ubuntu Bionic):
  assignee: nobody → Jamie Strandboge (jdstrand)
  status: Confirmed → In Progress
Changed in snapd (Ubuntu Bionic):
  status: In Progress → Fix Committed
Changed in snapd (Ubuntu Bionic):
  status: Fix Committed → Fix Released
https://forum.snapcraft.io/t/confined-snaps-dont-work-on-live-images-due-to-apparmor-path-mapping/3767/5