
group.of.nepali.translators team mailing list archive

[Bug 1621624] Re: /dev/pts/# denial when running snap-confine under sshd configured for pam-apparmor

 

** Also affects: snap-confine (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: snap-confine (Ubuntu)
       Status: New => Fix Released

** Also affects: snap-confine (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1621624

Title:
  /dev/pts/# denial when running snap-confine under sshd configured for
  pam-apparmor

Status in Snappy Launcher:
  Fix Released
Status in snap-confine package in Ubuntu:
  Fix Released
Status in snap-confine source package in Xenial:
  New

Bug description:
  [Impact]

  When snap-confine is invoked over an SSH connection whose sshd runs
  under non-standard AppArmor confinement, snap-confine fails.

  This change was introduced by a member of the security team who is
  using this non-standard configuration.

  [Test Case]

  TBD

  [Regression Potential]

  * Minimal: snap-confine gets a more permissive AppArmor profile that
  allows it to read and write /dev/pts/[0-9]*.

  [Other Info]

  * This bug is a part of a major SRU that brings snap-confine in Ubuntu
  16.04 in line with the current upstream release 1.0.41.

  * snap-confine is technically an integral part of snapd, which has an
  SRU exception and is allowed to introduce new features and use the
  accelerated procedure. For more information see
  https://wiki.ubuntu.com/SnapdUpdates

  == # Pre-SRU bug description follows # ==

  Logging into an Ubuntu 16.04 machine that has a confined sshd and
  running 'hello-world', I see this denial:

  kernel: [180734.692698] audit: type=1400 audit(1473365455.056:98): apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" name="/dev/pts/2" pid=28375 comm="ubuntu-core-lau" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

  What is happening is that the fd is being remediated since it is not
  coming from an unconfined process. The fix is:

      /dev/pts/[0-9]* rw,
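
Parsing that denial and deriving the profile line from it, as an added example (not snap-confine's or AppArmor's own tooling): the log line is the one from this report; the key=value layout and the "rwmklx" permission ordering are assumptions.

```python
import re

# The AppArmor denial quoted in this bug report (comm is truncated by the kernel).
DENIAL = (
    'audit: type=1400 audit(1473365455.056:98): apparmor="DENIED" '
    'operation="file_inherit" profile="/usr/lib/snapd/snap-confine" '
    'name="/dev/pts/2" pid=28375 comm="ubuntu-core-lau" '
    'requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000'
)

# key=value pairs, where the value is either quoted or a bare token (assumed layout).
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def suggest_rule(fields, generalize_pts=True):
    """Turn a DENIED file event into the profile line that would permit it.

    file_inherit means the fd was passed in by a confined parent (here sshd),
    so the denied object is the inherited pty, not something the snap opened.
    Returns None for anything that is not a file denial with a path.
    """
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    # Normalise the mask to the canonical order AppArmor profiles use (assumed).
    mask = "".join(c for c in "rwmklx" if c in fields.get("denied_mask", ""))
    if not mask:
        return None
    path = fields["name"]
    # The fix in this report widens the single pty to all ptys, because the
    # number depends on which terminal the SSH session happened to receive.
    if generalize_pts and re.fullmatch(r"/dev/pts/\d+", path):
        path = "/dev/pts/[0-9]*"
    return f"{path} {mask},"


if __name__ == "__main__":
    print(suggest_rule(parse_denial(DENIAL)))  # /dev/pts/[0-9]* rw,
```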

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1621624/+subscriptions