launcher does not apply cgroups on 16.04

Bug #1564401 reported by Jamie Strandboge
This bug affects 2 people
Affects: ubuntu-core-launcher (Ubuntu)
Assigned to: Jamie Strandboge

Bug Description

On 16.04 the needle check in snappy_udev_setup_required() always fails because /var/lib/apparmor/clicks/%s.json.additional is (correctly) never created. Fix is to query udev for device assignment rather than using the needle check.

The review underwent security team review. There is minimal chance of regression because cgroup handling in the launcher is completely broken with snappy as in the archive. This makes it work again.
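
An added illustration of the failure mode described in this report; it is not code from ubuntu-core-launcher. The needle string, file path, tag name and device records are constructed assumptions, and the tag lookup parses text in the `udevadm info --export-db` layout rather than querying udev directly.

```c
#include <stdio.h>
#include <string.h>

/* Constructed records; the tag and device paths are hypothetical. */
static const char SAMPLE_DB[] =
    "P: /devices/virtual/mem/null\nE: TAGS=:systemd:\n\n"
    "P: /devices/virtual/tty/ttyS0\nE: TAGS=:systemd:snap_example_app:\n\n"
    "P: /devices/virtual/video4linux/video0\nE: TAGS=:snap_example_app:\n";

/* Needle-style decision: look for a marker string in a policy file. A file
 * that was never created reads as "no devices", so cgroup setup is skipped. */
int needle_check(const char *policy_path, const char *needle)
{
    char line[512];
    int found = 0;
    FILE *f = fopen(policy_path, "r");
    if (f == NULL)
        return 0;
    while (!found && fgets(line, sizeof line, f) != NULL)
        found = strstr(line, needle) != NULL;
    fclose(f);
    return found;
}

/* Tag-style decision: count records whose TAGS value holds exactly this tag.
 * Each line is copied first so a match cannot span records; -1 = tag too long. */
int devices_with_tag(const char *db, const char *tag)
{
    char want[128], tags[256];
    int count = 0;
    if (snprintf(want, sizeof want, ":%s:", tag) >= (int)sizeof want)
        return -1;
    for (const char *p = db; p != NULL && *p != '\0'; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 8 && strncmp(p, "E: TAGS=", 8) == 0) {
            snprintf(tags, sizeof tags, "%.*s", (int)(len - 8), p + 8);
            count += strstr(tags, want) != NULL;
        }
        p = eol ? eol + 1 : NULL;
    }
    return count;
}

int main(void)
{
    printf("needle: %d\n", needle_check("/nonexistent/example.json.additional", "needle"));
    printf("tagged: %d\n", devices_with_tag(SAMPLE_DB, "snap_example_app"));
    return 0;
}
```

The needle check cannot tell a missing policy file from an app with no assigned devices, while the tag lookup answers from the device records themselves.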

Changed in ubuntu-core-launcher (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ubuntu-core-launcher (Ubuntu):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Uploaded 1.0.25 to xenial.

description: updated
Changed in ubuntu-core-launcher (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.25

ubuntu-core-launcher (1.0.25) xenial; urgency=medium

  * update cgroup handling for 16.04 (LP: #1564401):
    - debian/usr.bin.ubuntu-core-launcher:
      + allow creating cgroups with snap.*
      + allow ixr of 'tr'
      + remove access to /var/lib/apparmor/clicks/
    - update README to more fully explain the cgroups implementation
    - src/80-snappy-assign.rules: append an app-specific tag instead of
      adding a generic tag and snap-specific property
    - src/snappy-app-dev: convert the new tag to the directory name
    - src/main.c:
      + refactor and simplify control flow to query udev for device assignment
        instead of searching apparmor policy for a specific string
      + adjust udev query for app-specific tag
      + raise real_uid after fork() before calling /lib/udev/snappy-app-dev
        so non-root app launches work with the device cgroup

ubuntu-core-launcher (1.0.24) xenial; urgency=medium

  [ Michael Vogt ]
  * ignore non-existing dirs when doing the overlay mount
  * add /lib32, /libx32 to the overlay mounts

  [ Jamie Strandboge ]
  * add back the use of /usr from the ubuntu-core snap instead of the host
    system (LP: #1570581)
  * implement @complain as a synonym for @unrestricted since snappy will use
    @complain to toggle developer mode. This allows snaps to work in developer
    mode while seccomp logging is being developed (LP: #1570578)

 -- Jamie Strandboge <email address hidden> Thu, 14 Apr 2016 18:05:57 -0500

Changed in ubuntu-core-launcher (Ubuntu):
status: Fix Committed → Fix Released