** Description changed:

  [Impact]
  
  When porting snappy to our reference device -- m10 (xenial, arm64,
  kernel-3.10), execution of hello-world command from the hello-world snap
  fails due to the lack of appropriate permission in apparmor. It turns
  out ptrace is used between snap-confine and its mount helper, and the
  corresponding trace/tracedby permissions are not granted. Merge proposal
  https://github.com/snapcore/snap-confine/pull/170 addressed this issue.
  
  [Test Case]
  
  1. flash m10 with images from frieza_arm64 channel,
  2. install snapd. You may need to setup networking, remount root filesystem 
as read-write first.
  3. install hello-world snap
  4. run `hello-world`
  
  [Regression Potential]
  
- TBD
+ This patch grants extra options carried to ptrace calls between snap-
+ confine and mount-namespace-capture-helper only. However, this grants
+ additional permission to ptrace options, so at least it means a certain
+ level of security risk. Considering mount-namespace-capture-helper is
+ actually snap-confine itself forked with apparmor change-hat trick, the
+ effect to other part of the system, and possible regression should be
+ pretty limited.
  
  [Other Info]
  
  * snap-confine is technically an integral part of snapd which has an SRU
  exception and is allowed to introduce new features and take advantage of
  accelerated procedure. For more information see
  https://wiki.ubuntu.com/SnapdUpdates
  
  == # Pre-SRU bug description follows # ==
  
  [ 2526.693811] (1)[30640:ubuntu-core-lau]type=1400 audit(1476430414.677:434): 
apparmor="DENIED" operation="ptrace" 
profile="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=30640 
comm="ubuntu-core-lau" requested_mask="read" denied_mask="read" 
peer="/usr/lib/snapd/snap-confine"
  [ 2526.693845] (1)[30640:ubuntu-core-lau]type=1400 audit(1476430414.677:435): 
apparmor="DENIED" operation="ptrace" profile="/usr/lib/snapd/snap-confine" 
pid=30640 comm="ubuntu-core-lau" requested_mask="readby" denied_mask="readby" 
peer="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper"
  [ 3512.751438] (1)[8128:ubuntu-core-lau]type=1400 audit(1476431400.737:502): 
apparmor="DENIED" operation="ptrace" 
profile="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=8128 
comm="ubuntu-core-lau" requested_mask="read" denied_mask="read" 
peer="/usr/lib/snapd/snap-confine"
  
  So we need to modify /etc/apparmor.d/usr.lib.snapd.snap-confine as:
  
  /usr/lib/snapd/snap-confine flags=(attach_disconnected) {
      ...
      ptrace (read, readby, tracedby) ...
  
      ^mount-namespace-capture-helper flags=(attach_disconnected) {
      ...
      ptrace (read, trace, tracedby) ...
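
Review bot: The new [Regression Potential] text says the grant applies only between snap-confine and mount-namespace-capture-helper, but nothing visible in the description lets a reader confirm that scope. Both proposed `ptrace (...) ...` rule lines end in "...", so any peer restriction is not shown. The rules also add trace and tracedby, while the three logged denials request only read and readby. Suggest writing the peer restriction out in full in the quoted rules, and adding the denial (or a reference to it) that shows the trace/tracedby request, so the "pretty limited" assessment can be checked against the profile.
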
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1633367

Title:
  missing ptrace options needed by snap-confine
