Thanks Jamie! I looked into this from the snapd side and I think we should do the following:
a) wait with the release of the *snap* until snapd 2.41 is released (scheduled Sep 9, we can try to release sooner if it's critical)

b) add the following to the kernel snapcraft.yaml: "assumes: [snapd2.41]"

The addition in (b) will mean that snapd will not refresh the kernel unless snapd 2.41 is available, which generates the right apparmor profiles.

The UX of this is not super great right now, i.e. when doing: "snap refresh pc-kernel" with an older snapd the kernel will be downloaded but it will error and not install the kernel. The error message is sensible though. The background auto-refresh will behave in the same way.

However this should be ok as long as we make sure the kernel is released after snapd 2.41 is available. Then pretty much everyone will get the auto-refreshed core first. And even if things happen out-of-order snapd will only install the kernel when snapd 2.41 is running.

Of course it would be even nicer if the store would understand "assumes: [snapd2.41]" and only offer the refresh to devices that have snapd 2.41. We do send the snapd version to the store when we do a refresh so in theory all the pieces are in place AFAICT. Then we could error early instead of having to download the snap first.
https://bugs.launchpad.net/bugs/1658219

Title:
  flock not mediated by 'k'

Status in AppArmor:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Yakkety:
  Won't Fix

Bug description:
  $ cat ./apparmor.profile
  #include <tunables/global>

  profile test {
    #include <abstractions/base>

    /bin/bash ixr,
    /dev/pts/* rw,
    /usr/bin/flock ixr,

    # Not blocked:
    # aa-exec -p test -- flock -w 1 /tmp/test.lock -c true
    /tmp/test.lock rw,
  }

  $ sudo apparmor_parser -r ./apparmor.profile
  $ aa-exec -p test -- flock -w 1 /tmp/test.lock -c true && echo yes
  yes
  $ ls -l /tmp/test.lock
  -rw-rw-r-- 1 jamie jamie 0 Jan 20 15:57 /tmp/test.lock

  The flock command uses flock(LOCK_EX) and I expected it to be blocked
  due to the lack of 'k'.

  apparmor userspace 2.10.95-0ubuntu2.5 (xenial) and 4.9.0-12.13-generic
  kernel on amd64.
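
Added example (not part of the bug report or of AppArmor's own code): a small C probe for the behaviour in the bug description, making the same flock(LOCK_EX) call on the lock file so a kernel can be checked against a profile that grants rw but not 'k'. The enum and function names, the default path, and treating EACCES as the denial signal are assumptions.

```c
/* Added example: report whether flock(2) on a path is allowed, denied or contended. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

enum probe_result { PROBE_LOCKED, PROBE_DENIED, PROBE_BUSY, PROBE_ERROR };

/* Open path (creating it if needed) and try a non-blocking exclusive lock,
 * the flock(LOCK_EX) operation the bug report says flock(1) uses.
 * Assumption: a mediated denial surfaces as EACCES. */
enum probe_result probe_flock(const char *path, int *saved_errno)
{
    enum probe_result res;
    int fd = open(path, O_RDWR | O_CREAT, 0664);

    if (fd < 0) {
        /* open() itself failed: this says nothing about lock mediation. */
        *saved_errno = errno;
        return PROBE_ERROR;
    }
    if (flock(fd, LOCK_EX | LOCK_NB) == 0) {
        *saved_errno = 0;
        res = PROBE_LOCKED;
        flock(fd, LOCK_UN);
    } else {
        *saved_errno = errno;
        if (errno == EACCES)
            res = PROBE_DENIED;      /* lock refused by policy */
        else if (errno == EWOULDBLOCK)
            res = PROBE_BUSY;        /* another open file description holds it */
        else
            res = PROBE_ERROR;
    }
    close(fd);
    return res;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "locked", "denied", "busy", "error" };
    const char *path = argc > 1 ? argv[1] : "/tmp/test.lock";
    int err = 0;
    enum probe_result res = probe_flock(path, &err);

    printf("%s: %s (errno=%d %s)\n", path, names[res], err, err ? strerror(err) : "");
    /* Exit 0 only on denial, so a regression script can assert mediation. */
    return res == PROBE_DENIED ? 0 : 1;
}
```

Unconfined, the probe reports "locked". Any rules a profile needs in order to run the probe binary itself are left to the reader.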