group.of.nepali.translators team mailing list archive

[Bug 1615113] Re: snap-confine prevented from mounting base directory through the "content" interface

 

** Changed in: snap-confine
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1615113

Title:
  snap-confine prevented from mounting base directory through the
  "content" interface

Status in Snappy Launcher:
  Fix Released
Status in snap-confine package in Ubuntu:
  Confirmed
Status in snap-confine source package in Xenial:
  Confirmed

Bug description:
  Using the new "content" interface, and following the integration tests
  as an example, I have built two snaps in
  https://github.com/ubuntu/snappy-playpen/tree/geany one under "geany"
  the other under "geany-plugins" that work together to share the plugin
  code with the geany app.

  Both build, install, and connect just fine, but on trying to run
  /snap/bin/geany it immediately fails with the following message:

  cannot mount /snap/geany-plugins/x1 at /snap/geany/x1/plugins with
  options bind,ro. errmsg: Permission denied

  Checking dmesg after this shows the following:

  [335489.022097] audit: type=1400 audit(1471624994.323:302441):
  apparmor="DENIED" operation="mount" info="failed srcname match"
  error=-13 profile="/usr/lib/snapd/snap-confine"
  name="/snap/geany/x1/plugins/" pid=18454 comm="ubuntu-core-lau"
  srcname="/snap/geany-plugins/x1/" flags="rw, bind"

  I believe this is due to the fact that my geany-plugins slot is sharing
  the root of its content (/) instead of a file or folder by name. This
  makes the mount source /snap/geany-plugins/x1/ which is too short to
  match the apparmor allow line of /snap/*/*/**

  To test this, I made the following change to /etc/apparmor.d/usr.lib.snapd.snap-confine
  120,121c120,121
  <     mount options=(rw bind) /snap/*/*/** -> /snap/*/*/**,
  <     mount options=(ro bind) /snap/*/*/** -> /snap/*/*/**,
  ---
  >     mount options=(rw bind) /snap/*/** -> /snap/*/*/**,
  >     mount options=(ro bind) /snap/*/** -> /snap/*/*/**,
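
Review bot: the new source pattern /snap/*/** on both ">" lines is broader than the reported denial needs, because it allows any entry directly under /snap/<name>/ as a bind source and not only a revision root such as /snap/geany-plugins/x1/. Consider keeping the original /snap/*/*/** rules and adding a separate source pattern for the revision directory itself (for example /snap/*/*/), so the allowance stays scoped to revision roots and the paths below them. A profile comment noting that the extra rule exists for content-interface slots that share "/" would also help later readers of the profile.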

  This allowed the mount to happen and the application to run.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1615113/+subscriptions