group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #08232
[Bug 1606277] Re: log-observe interface is broken in latest snap-confine
This bug was fixed in the package snap-confine - 1.0.43-0ubuntu1~16.04.1
---------------
snap-confine (1.0.43-0ubuntu1~16.04.1) xenial-proposed; urgency=medium
* Backport from 16.10 (LP: #1630040)
snap-confine (1.0.43-0ubuntu1) yakkety; urgency=medium
* New upstream release (LP: #1630479, LP: #1630492, LP: #1628612)
* debian/patches/lp1630789.patch: allow running snaps by non-root users in
LXD containers (LP: #1630789)
snap-confine (1.0.42-0ubuntu3) yakkety; urgency=medium
* allow snap-confine to mount on /dev/pts/ptmx for LXD with /dev/ptmx
symlink
snap-confine (1.0.42-0ubuntu2) yakkety; urgency=medium
* add mmap to AppArmor policy for snap-confine for running snap-confine
under LXD on 4.8 kernels
snap-confine (1.0.42-0ubuntu1) yakkety; urgency=medium
* New upstream release
* Drop patch skip-nsfs-magic-tests-on-old-kernels.patch (applied upstream)
snap-confine (1.0.41-0ubuntu2) yakkety; urgency=medium
* add skip-nsfs-magic-tests-on-old-kernels.patch to disable NSFS tests on
kernels older than 3.19 (LP: #1625565)
snap-confine (1.0.41-0ubuntu1) yakkety; urgency=medium
* New upstream release, full list of issues is available at
https://launchpad.net/snap-confine/+milestone/1.0.41
* Drop all patches (included upstream).
* Add version to apparmor run-time dependency.
snap-confine (1.0.40-1) unstable; urgency=medium
* New upstream release, full list of issues is available at
https://launchpad.net/snap-confine/+milestone/1.0.40
* Drop apparmor profile from the debian/ directory and install it straight
from upstream package. This is now automatically consistent with package
configuration prefix.
* Drop patch: prctl-compatibility.patch(applied upstream)
* Add directory /var/lib/snapd/void to snap-confine
* Add patch: 0001-Don-t-shellcheck-files-spread-prepare-script.patch that
fixes make check due to a mistake upstream.
* Add patch: 0001-Stop-using-deprecated-readdir_r.patch (LP: #1615615)
snap-confine (1.0.39-1) unstable; urgency=medium
* New upstream release.
* Remove d/patches/01_lp1606277.patch, applied upstream.
snap-confine (1.0.38-3) unstable; urgency=medium
* debian/patches/prctl-compatibility.patch: add shadow definitions for
compatibility with older kernel headers.
* drop build-dependency on shellcheck, which is not used at build time
and doesn't exist in trusty.
* make ubuntu-core-launcher "arch:any" to workaround an issue in
rm_conffile which does not deal with changing architectures
* fix log-observer interface regression (LP: #1606277)
snap-confine (1.0.38-2) unstable; urgency=medium
* Fix invocations of rm_conffile.
* Update d/usr.lib.snapd.snap-confine to the latest upstream version to
ensure content-sharing fully works.
snap-confine (1.0.38-1) unstable; urgency=medium
* New upstream release.
-- Jamie Strandboge <jamie@xxxxxxxxxx> Thu, 06 Oct 2016 14:51:26 +0000
** Changed in: snap-confine (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1606277
Title:
log-observe interface is broken in latest snap-confine
Status in Snappy Launcher:
Fix Released
Status in snap-confine package in Ubuntu:
Fix Released
Status in snap-confine source package in Xenial:
Fix Released
Status in snap-confine source package in Yakkety:
Fix Released
Bug description:
[Impact]
The snapd interface "log-observe" is broken due to how we handle bind
mounts.
This bug is fixed by adding /var/log to a list of directories that are
bind mounted and thus visible to snaps in their execution environment.
For more information about the execution environment, please see this
article http://www.zygoon.pl/2016/08/snap-execution-environment.html
[Test Case]
The test case can be found here:
https://github.com/snapcore/snap-confine/blob/master/spread-
tests/regression/lp-1606277/task.yaml
The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.
[Regression Potential]
* Regression potential is minimal as the fix simply adds another
directory to a list of directories that needs to be bind mounted.
* The fix was tested on Ubuntu via spread and on several other
distributions successfully.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu
16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu.
I am updating the template here to ensure that the process is fully
documented from 1.0.38 all the way up to the current upstream release
1.0.41.
* snap-confine is technically an integral part of snapd which has an
SRU exception and is allowed to introduce new features and take
advantage of accelerated procedure. For more information see
https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
The log-observe interface is broken due to how we handle bind mounts
now. This can be seen with 'snappy-debug':
$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
sys.exit(main())
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
from_end=opt.only_new)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
self.scan_log(log_file, snap_name, follow, from_end)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
log = open_file_read(log_file)
File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
orig = codecs.open(path, 'r', "UTF-8", errors="replace")
File "/usr/lib/python3.5/codecs.py", line 895, in open
file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log btmp dpkg.log fsck watchdog
bootstrap.log dmesg faillog lastlog wtmp
This may also be a problem with other interfaces, I haven't checked
extensively, though it seems that /var/lib/extrausers (from the
nameservice abstraction) won't work right, and (at least) ppp
(/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also
affected.
WORKAROUND for snappy-debug: launch outside of the launcher:
$ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog
To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1606277/+subscriptions