group.of.nepali.translators team mailing list archive
Message #08974
[Bug 1633367] Re: missing ptrace options needed by snap-confine
** Changed in: canonical-devices-system-image
Status: Fix Committed => Fix Released
** Changed in: snap-confine (Ubuntu)
Status: Fix Committed => Fix Released
** Changed in: snap-confine (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** Changed in: snap-confine (Ubuntu Yakkety)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1633367
Title:
missing ptrace options needed by snap-confine
Status in Canonical System Image:
Fix Released
Status in Snappy Launcher:
Fix Released
Status in snap-confine package in Ubuntu:
Fix Released
Status in snap-confine source package in Xenial:
Fix Released
Status in snap-confine source package in Yakkety:
Fix Released
Bug description:
[Impact]
When porting snappy to our reference device -- m10 (xenial, arm64,
kernel-3.10), execution of the hello-world command from the hello-world
snap fails due to the lack of appropriate permissions in AppArmor. It
turns out ptrace is used between snap-confine and its mount helper,
and the corresponding trace/tracedby permissions are not granted.
Merge proposal https://github.com/snapcore/snap-confine/pull/170
addressed this issue.
[Test Case]
1. flash m10 with images from the frieza_arm64 channel,
2. install snapd. You may need to set up networking and remount the root filesystem as read-write first.
3. install the hello-world snap
4. run `hello-world`
[Regression Potential]
This patch grants extra options carried to ptrace calls between snap-confine
and mount-namespace-capture-helper only. However, this grants
additional permission to ptrace options, so at least it means a
certain level of security risk. Considering mount-namespace-capture-helper
is actually snap-confine itself forked with the apparmor change-hat
trick, the effect on other parts of the system, and possible regression,
should be pretty limited.
[Other Info]
* snap-confine is technically an integral part of snapd, which has an
SRU exception and is allowed to introduce new features and take
advantage of the accelerated procedure. For more information see
https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
[ 2526.693811] (1)[30640:ubuntu-core-lau]type=1400 audit(1476430414.677:434): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=30640 comm="ubuntu-core-lau" requested_mask="read" denied_mask="read" peer="/usr/lib/snapd/snap-confine"
[ 2526.693845] (1)[30640:ubuntu-core-lau]type=1400 audit(1476430414.677:435): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" pid=30640 comm="ubuntu-core-lau" requested_mask="readby" denied_mask="readby" peer="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper"
[ 3512.751438] (1)[8128:ubuntu-core-lau]type=1400 audit(1476431400.737:502): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=8128 comm="ubuntu-core-lau" requested_mask="read" denied_mask="read" peer="/usr/lib/snapd/snap-confine"
So we need to modify /etc/apparmor.d/usr.lib.snapd.snap-confine as:
/usr/lib/snapd/snap-confine flags=(attach_disconnected) {
  ...
  ptrace (read, readby, tracedby) ...

  ^mount-namespace-capture-helper flags=(attach_disconnected) {
    ...
    ptrace (read, trace, tracedby) ...
  }
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1633367/+subscriptions
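As an added example (not code from the bug report or the snap-confine project), the parser below turns AppArmor ptrace denials like the three audit records quoted above into the minimal peer-scoped ptrace rule each profile or hat needs; the function names and the constructed sample are my own, with the kernel log prefix trimmed to the audit record itself.

```python
import re
from collections import defaultdict

# Constructed sample: the three AppArmor denials quoted in the bug report,
# with the "[ ts] (1)[pid:comm]" kernel log prefix trimmed off.
SAMPLE_AUDIT = """\
type=1400 audit(1476430414.677:434): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=30640 comm="ubuntu-core-lau" requested_mask="read" denied_mask="read" peer="/usr/lib/snapd/snap-confine"
type=1400 audit(1476430414.677:435): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" pid=30640 comm="ubuntu-core-lau" requested_mask="readby" denied_mask="readby" peer="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper"
type=1400 audit(1476431400.737:502): apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=8128 comm="ubuntu-core-lau" requested_mask="read" denied_mask="read" peer="/usr/lib/snapd/snap-confine"
"""

# key=value and key="quoted value" tokens of one audit record
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one audit record as a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def ptrace_denials(text):
    """Yield (profile, denied_mask, peer) for every AppArmor ptrace DENIED record."""
    for line in text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") == "DENIED" and f.get("operation") == "ptrace":
            yield f["profile"], f["denied_mask"], f["peer"]


def needed_ptrace_rules(text):
    """Aggregate denials into peer-scoped ptrace rules, keyed by profile.

    A profile name containing '//' is a hat (^name) inside the parent
    profile, exactly the mount-namespace-capture-helper case in this bug.
    Only masks actually seen in the log are granted, and only to that peer.
    """
    masks = defaultdict(set)  # (profile, peer) -> {denied mask, ...}
    for profile, mask, peer in ptrace_denials(text):
        masks[(profile, peer)].add(mask)
    rules = defaultdict(list)
    for (profile, peer), ms in sorted(masks.items()):
        rules[profile].append("ptrace (%s) peer=%s," % (", ".join(sorted(ms)), peer))
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in needed_ptrace_rules(SAMPLE_AUDIT).items():
        print(profile, lines)
```

The derived rules are deliberately tighter than the unscoped `ptrace (read, readby, tracedby)` lines in the profile above: they only cover the masks the log exercised and name the peer, so a later denial for trace/tracedby would show up as a new audit record rather than being silently covered.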