group.of.nepali.translators team mailing list archive
Message #07020
[Bug 1615113] Re: snap-confine prevented from mounting base directory through the "content" interface
** Changed in: snap-confine
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1615113
Title:
snap-confine prevented from mounting base directory through the
"content" interface
Status in Snappy Launcher:
Fix Released
Status in snap-confine package in Ubuntu:
Confirmed
Status in snap-confine source package in Xenial:
Confirmed
Bug description:
Using the new "content" interface, and following the integration tests
as an example, I have built two snaps in
https://github.com/ubuntu/snappy-playpen/tree/geany, one under "geany",
the other under "geany-plugins", that work together to share the plugin
code with the geany app.
Both build, install, and connect just fine, but on trying to run
/snap/bin/geany it immediately fails with the following message:
cannot mount /snap/geany-plugins/x1 at /snap/geany/x1/plugins with
options bind,ro. errmsg: Permission denied
Checking dmesg after this shows the following:
[335489.022097] audit: type=1400 audit(1471624994.323:302441):
apparmor="DENIED" operation="mount" info="failed srcname match"
error=-13 profile="/usr/lib/snapd/snap-confine"
name="/snap/geany/x1/plugins/" pid=18454 comm="ubuntu-core-lau"
srcname="/snap/geany-plugins/x1/" flags="rw, bind"
I believe this is due to the fact that my geany-plugins slot is sharing
the root of its content (/) instead of a file or folder by name. This
makes the mount source /snap/geany-plugins/x1/ which is too short to
match the apparmor allow line of /snap/*/*/**
To test this, I made the following change to /etc/apparmor.d/usr.lib.snapd.snap-confine
120,121c120,121
< mount options=(rw bind) /snap/*/*/** -> /snap/*/*/**,
< mount options=(ro bind) /snap/*/*/** -> /snap/*/*/**,
---
> mount options=(rw bind) /snap/*/** -> /snap/*/*/**,
> mount options=(ro bind) /snap/*/** -> /snap/*/*/**,
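Review bot: the source glob on the two ">" lines, /snap/*/**, is broader than the denial requires. It admits the revision root /snap/geany-plugins/x1/ reported in srcname, but also every other path two or more levels below /snap, and it does so for both the rw and the ro bind rule. Consider keeping the existing /snap/*/*/** lines and adding a source pattern that covers only the revision directory itself (for example /snap/*/*/), with a comment in the profile saying that a content slot may share its root.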
This allowed the mount to happen and the application to run.
To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1615113/+subscriptions
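
The glob mismatch described in the bug report, as an added example that is not part of the original message or of snap-confine. It uses a simplified model of AppArmor path globbing (an assumption: only "*" and "**" are handled), the function names are hypothetical, and the plugin.so path is constructed.

```python
import re

NOT_SLASH = r"[^/\x00]"   # any character except '/' and NUL
ANY = r"[^\x00]"          # any character except NUL


def aa_glob_to_regex(pattern: str) -> str:
    """Translate an AppArmor-style path glob into a Python regex.

    Simplified model (assumption): '?', character classes, alternations
    and variables are not handled, only '*' and '**'.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] != "*":
            out.append(re.escape(pattern[i]))
            i += 1
            continue
        j = i
        while j < len(pattern) and pattern[j] == "*":
            j += 1
        # A glob that forms a whole path component ("/*/", or "/**" at the
        # end) must consume at least one character, so it never matches an
        # empty component such as the tail of "/snap/name/rev/".
        whole = i > 0 and pattern[i - 1] == "/" and (
            j == len(pattern) or pattern[j] == "/")
        if whole:
            out.append(NOT_SLASH)
        out.append((ANY if j - i >= 2 else NOT_SLASH) + "*")
        i = j
    return "".join(out)


def aa_match(pattern: str, path: str) -> bool:
    return re.fullmatch(aa_glob_to_regex(pattern), path) is not None


OLD_SRC = "/snap/*/*/**"   # source glob on the '<' lines
NEW_SRC = "/snap/*/**"     # source glob on the '>' lines
SAMPLES = [
    "/snap/geany-plugins/x1/",               # srcname from the audit record
    "/snap/geany-plugins/x1/lib/plugin.so",  # constructed path
    "/snap/bin/geany",                       # launcher path from the report
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:40} old={aa_match(OLD_SRC, p)} new={aa_match(NEW_SRC, p)}")
```

The first sample is rejected by the old source glob and accepted by the new one, and the last sample shows a path outside any snap revision that only the widened glob accepts.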