group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1606277] Re: log-observe interface is broken in latest snap-confine

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Andy Whitcroft <apw@xxxxxxxxxxxxx>
Date: Tue, 04 Oct 2016 10:15:47 -0000
Reply-to: Bug 1606277 <1606277@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Hello Jamie, or anyone else affected,

Accepted snap-confine into xenial-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/snap-
confine/1.0.42-0ubuntu3~16.04.1 in a few hours, and then in the
-proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: snap-confine (Ubuntu Xenial)
       Status: Fix Released => In Progress

** Changed in: snap-confine (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags removed: verification-done

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1606277

Title:
  log-observe interface is broken in latest snap-confine

Status in Snappy Launcher:
  Fix Released
Status in snap-confine package in Ubuntu:
  Fix Released
Status in snap-confine source package in Xenial:
  Fix Committed
Status in snap-confine source package in Yakkety:
  Fix Released

Bug description:
  [Impact]

  The snapd interface "log-observe" is broken due to how we handle bind
  mounts.

  This bug is fixed by adding /var/log to a list of directories that are
  bind mounted and thus visible to snaps in their execution environment.

  For more information about the execution environment, please see this
  article http://www.zygoon.pl/2016/08/snap-execution-environment.html

  [Test Case]

  The test case can be found here:

  https://github.com/snapcore/snap-confine/blob/master/spread-
  tests/regression/lp-1606277/task.yaml

  The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
  The commands there assume that snapd and snap-confine are installed.
  No other additional setup is necessary.

  [Regression Potential]

   * Regression potential is minimal as the fix simply adds another
  directory to a list of directories that needs to be bind mounted.

  * The fix was tested on Ubuntu via spread and on several other
  distributions successfully.

  [Other Info]

  * This bug is a part of a major SRU that brings snap-confine in Ubuntu
  16.04 in line with the current upstream release 1.0.41.

  * This bug was included in an earlier SRU and is now fixed in Ubuntu.
  I am updating the template here to ensure that the process is fully
  documented from 1.0.38 all the way up to the current upstream release
  1.0.41.

  * snap-confine is technically an integral part of snapd which has an
  SRU exception and is allowed to introduce new features and take
  advantage of accelerated procedure. For more information see
  https://wiki.ubuntu.com/SnapdUpdates

  == # Pre-SRU bug description follows # ==

  The log-observe interface is broken due to how we handle bind mounts
  now. This can be seen with 'snappy-debug':

  $ sudo snap install snappy-debug
  $ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
  $ sudo /snap/bin/snappy-debug.security scanlog
  kernel.printk_ratelimit = 0
  Traceback (most recent call last):
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
      sys.exit(main())
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
      from_end=opt.only_new)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
      self.scan_log(log_file, snap_name, follow, from_end)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
      log = open_file_read(log_file)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
      orig = codecs.open(path, 'r', "UTF-8", errors="replace")
    File "/usr/lib/python3.5/codecs.py", line 895, in open
      file = builtins.open(filename, mode, buffering)
  FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'

  This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
  $ hello-world.sh
  ...
  bash-4.3$ ls /var/log/
  alternatives.log  btmp	 dpkg.log  fsck     watchdog
  bootstrap.log	  dmesg  faillog   lastlog  wtmp

  This may also be a problem with other interfaces, I haven't checked
  extensively, though it seems that /var/lib/extrausers (from the
  nameservice abstraction) won't work right, and (at least) ppp
  (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also
  affected.

  WORKAROUND for snappy-debug: launch outside of the launcher:
  $ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1606277/+subscriptions