Ubuntu
snap-confine package

add support for bidirectional mount event propagation in /media

  1. Yakkety (16.10)
  2. Bug #1633273
Bug #1633273 reported by Zygmunt Krynicki
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snap-confine
Fix Released
Critical
Zygmunt Krynicki
snap-confine 1.0.44
snap-confine (Ubuntu)
New
Undecided
Unassigned
Xenial
Fix Committed
Undecided
Unassigned
Yakkety
Fix Committed
Undecided
Unassigned

Bug Description

[Impact]

The /media directory is special in that mount events propagate outward from the mount namespace used by snap applications into the main mount
namespace.

[Test Case]

The test case can be found here:

https://github.com/snapcore/snap-confine/blob/master/spread-tests/main/media-sharing/task.yaml

The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.

[Regression Potential]

This change involved relatively complex changes in the core logic of snap-confine and while extensive testing was performed since in both core and classic environments there's always possibility of some edge case.

For inspecting the layout of the mount namespace with this feature enabled please look at

https://github.com/snapcore/snap-confine/tree/master/spread-tests/main/mount-ns-layout

[Other Info]

* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates

== # Pre-SRU bug description follows # ==

Snaps such as udisks can mount anything in /media. While this works the mount is only visible to the snap that performed the operation (as it is stuck in the mount namespace).

The mount namespace should be setup up in a way that makes /media shared with the outside namespace.

See original description
Revision history for this message
Zygmunt Krynicki (zyga) wrote :

This has been fixed with the following pull request https://github.com/snapcore/snap-confine/pull/168

Changed in snap-confine:
status: New → Fix Committed
importance: Undecided → Critical
assignee: nobody → Zygmunt Krynicki (zyga)
milestone: none → 1.0.44
Zygmunt Krynicki (zyga)
Changed in snap-confine:
status: Fix Committed → Fix Released
Zygmunt Krynicki (zyga)
description: updated
Zygmunt Krynicki (zyga)
description: updated
Zygmunt Krynicki (zyga)
tags: added: verification-needed
Revision history for this message
Andy Whitcroft (apw) wrote : Please test proposed package

Hello Zygmunt, or anyone else affected,

Accepted snap-confine into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snap-confine/1.0.44-0ubuntu1~16.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snap-confine (Ubuntu Yakkety):
status: New → Fix Committed
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Zygmunt, or anyone else affected,

Accepted snapcraft into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapcraft/1.0.44-0ubuntu1~16.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snap-confine (Ubuntu Xenial):
status: New → Fix Committed
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Zygmunt, or anyone else affected,

Accepted snap-confine into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snap-confine/1.0.44-0ubuntu1~16.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Federico Gimenez (fgimenez) wrote :

Verified executing manually the steps in the automated test https://github.com/snapcore/snap-confine/blob/master/spread-tests/main/media-sharing/task.yaml

tags: added: verification-done
removed: verification-needed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.