** Description changed: + [Impact] + + The code that creates the $SNAP_USER_DATA directory in snap-confine is + prevented from running by the apparmor profile that confines snap- + confine itself when the home directory is encrypted and the user runs as + root, e.g. via sudo. + + This bug is fixed by lowering the restrictions placed on apparmor rules + that govern access to the encrypted home directory files. The relevant + rules no longer requires the process (running as root) to match the + owner of the files (typically the owner of the home directory) + + [Test Case] + + The test case can be found here: + + https://github.com/snapcore/snap-confine/blob/master/spread-tests/user- + data-dir-created/task.yaml + + This test case needs to be executed manually on a computer with + encrypted home directory. Spread does not currently run in such a + configuration so a manual check is worth while. + + [Regression Potential] + + * Regression potential is minimal as the fix simply makes two apparmor + rules less restrictive. The change was reviewed and approved by the + security team. + + [Other Info] + + * This bug is a part of a major SRU that brings snap-confine in Ubuntu + 16.04 in line with the current upstream release 1.0.41. + + * This bug was included in an earlier SRU and is now fixed in Ubuntu. I + am updating the template here to ensure that the process is fully + documented from 1.0.38 all the way up to the current upstream release + 1.0.41. + + * snap-confine is technically an integral part of snapd which has an SRU + exception and is allowed to introduce new features and take advantage of + accelerated procedure. For more information see + https://wiki.ubuntu.com/SnapdUpdates + + == # Pre-SRU bug description follows # == + Because of the two apparmor rules on snap-confine, attempts to create user data directory from snap-confine will fail when the user is using new-style encrypted home directory and sudo to start a snap. TEST CASE: 1. sudo adduser --encrypt-home test-encrypted 2. Ensure that the test-encrypted user can use sudo, e.g. add it to the sudo group 3. Log in as test-encrypted user 4. Install the hello-world snap 5. Run sudo /snap/bin/hello-world 6. Verify that `hello-world` fails to run 7. Install snap-confine from xenial-propsoed 8. verify that `hello-world` runs now The following patch makes the problem go away: diff --git a/debian/usr.bin.snap-confine b/debian/usr.bin.snap-confine index f3e6308..aeb17bd 100644 --- a/debian/usr.bin.snap-confine +++ b/debian/usr.bin.snap-confine @@ -155,6 +155,6 @@ owner @{HOME}/.Private/ r, owner @{HOME}/.Private/** mrixwlk, # new-style encrypted $HOME - owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, - owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, + @{HOMEDIRS}/.ecryptfs/*/.Private/ r, + @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, }
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1612291 Title: cannot create $SNAP_USER_DATA when using ecryptfs and sudo To manage notifications about this bug go to: https://bugs.launchpad.net/snap-confine/+bug/1612291/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
