group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1606277] Re: log-observe interface is broken in latest snap-confine

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1606277@xxxxxxxxxxxxxxxxxx>
Date: Mon, 10 Oct 2016 20:20:51 -0000
Reply-to: Bug 1606277 <1606277@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package snap-confine - 1.0.43-0ubuntu1~16.04.1

---------------
snap-confine (1.0.43-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * Backport from 16.10 (LP: #1630040)

snap-confine (1.0.43-0ubuntu1) yakkety; urgency=medium

  * New upstream release (LP: #1630479, LP: #1630492, LP: #1628612)
  * debian/patches/lp1630789.patch: allow running snaps by non-root users in
    LXD containers (LP: #1630789)

snap-confine (1.0.42-0ubuntu3) yakkety; urgency=medium

  * allow snap-confine to mount on /dev/pts/ptmx for LXD with /dev/ptmx
    symlink

snap-confine (1.0.42-0ubuntu2) yakkety; urgency=medium

  * add mmap to AppArmor policy for snap-confine for running snap-confine
    under LXD on 4.8 kernels

snap-confine (1.0.42-0ubuntu1) yakkety; urgency=medium

  * New upstream release
  * Drop patch skip-nsfs-magic-tests-on-old-kernels.patch (applied upstream)

snap-confine (1.0.41-0ubuntu2) yakkety; urgency=medium

  * add skip-nsfs-magic-tests-on-old-kernels.patch to disable NSFS tests on
    kernels older than 3.19 (LP: #1625565)

snap-confine (1.0.41-0ubuntu1) yakkety; urgency=medium

  * New upstream release, full list of issues is available at
    https://launchpad.net/snap-confine/+milestone/1.0.41
  * Drop all patches (included upstream).
  * Add version to apparmor run-time dependency.

snap-confine (1.0.40-1) unstable; urgency=medium

  * New upstream release, full list of issues is available at
    https://launchpad.net/snap-confine/+milestone/1.0.40
  * Drop apparmor profile from the debian/ directory and install it straight
    from upstream package. This is now automatically consistent with package
    configuration prefix.
  * Drop patch: prctl-compatibility.patch(applied upstream)
  * Add directory /var/lib/snapd/void to snap-confine
  * Add patch: 0001-Don-t-shellcheck-files-spread-prepare-script.patch that
    fixes make check due to a mistake upstream.
  * Add patch: 0001-Stop-using-deprecated-readdir_r.patch (LP: #1615615)

snap-confine (1.0.39-1) unstable; urgency=medium

  * New upstream release.
  * Remove d/patches/01_lp1606277.patch, applied upstream.

snap-confine (1.0.38-3) unstable; urgency=medium

  * debian/patches/prctl-compatibility.patch: add shadow definitions for
    compatibility with older kernel headers.
  * drop build-dependency on shellcheck, which is not used at build time
    and doesn't exist in trusty.
  * make ubuntu-core-launcher "arch:any" to workaround an issue in
    rm_conffile which does not deal with changing architectures
  * fix log-observer interface regression (LP: #1606277)

snap-confine (1.0.38-2) unstable; urgency=medium

  * Fix invocations of rm_conffile.
  * Update d/usr.lib.snapd.snap-confine to the latest upstream version to
    ensure content-sharing fully works.

snap-confine (1.0.38-1) unstable; urgency=medium

  * New upstream release.

 -- Jamie Strandboge <jamie@xxxxxxxxxx>  Thu, 06 Oct 2016 14:51:26 +0000

** Changed in: snap-confine (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1606277

Title:
  log-observe interface is broken in latest snap-confine

Status in Snappy Launcher:
  Fix Released
Status in snap-confine package in Ubuntu:
  Fix Released
Status in snap-confine source package in Xenial:
  Fix Released
Status in snap-confine source package in Yakkety:
  Fix Released

Bug description:
  [Impact]

  The snapd interface "log-observe" is broken due to how we handle bind
  mounts.

  This bug is fixed by adding /var/log to a list of directories that are
  bind mounted and thus visible to snaps in their execution environment.

  For more information about the execution environment, please see this
  article http://www.zygoon.pl/2016/08/snap-execution-environment.html

  [Test Case]

  The test case can be found here:

  https://github.com/snapcore/snap-confine/blob/master/spread-
  tests/regression/lp-1606277/task.yaml

  The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
  The commands there assume that snapd and snap-confine are installed.
  No other additional setup is necessary.

  [Regression Potential]

   * Regression potential is minimal as the fix simply adds another
  directory to a list of directories that needs to be bind mounted.

  * The fix was tested on Ubuntu via spread and on several other
  distributions successfully.

  [Other Info]

  * This bug is a part of a major SRU that brings snap-confine in Ubuntu
  16.04 in line with the current upstream release 1.0.41.

  * This bug was included in an earlier SRU and is now fixed in Ubuntu.
  I am updating the template here to ensure that the process is fully
  documented from 1.0.38 all the way up to the current upstream release
  1.0.41.

  * snap-confine is technically an integral part of snapd which has an
  SRU exception and is allowed to introduce new features and take
  advantage of accelerated procedure. For more information see
  https://wiki.ubuntu.com/SnapdUpdates

  == # Pre-SRU bug description follows # ==

  The log-observe interface is broken due to how we handle bind mounts
  now. This can be seen with 'snappy-debug':

  $ sudo snap install snappy-debug
  $ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
  $ sudo /snap/bin/snappy-debug.security scanlog
  kernel.printk_ratelimit = 0
  Traceback (most recent call last):
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
      sys.exit(main())
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
      from_end=opt.only_new)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
      self.scan_log(log_file, snap_name, follow, from_end)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
      log = open_file_read(log_file)
    File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
      orig = codecs.open(path, 'r', "UTF-8", errors="replace")
    File "/usr/lib/python3.5/codecs.py", line 895, in open
      file = builtins.open(filename, mode, buffering)
  FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'

  This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
  $ hello-world.sh
  ...
  bash-4.3$ ls /var/log/
  alternatives.log  btmp	 dpkg.log  fsck     watchdog
  bootstrap.log	  dmesg  faillog   lastlog  wtmp

  This may also be a problem with other interfaces, I haven't checked
  extensively, though it seems that /var/lib/extrausers (from the
  nameservice abstraction) won't work right, and (at least) ppp
  (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also
  affected.

  WORKAROUND for snappy-debug: launch outside of the launcher:
  $ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog

To manage notifications about this bug go to:
https://bugs.launchpad.net/snap-confine/+bug/1606277/+subscriptions