Debian Bug report logs - #851473
snapd fails to run when apparmor is enabled

Package: snapd; Maintainer for snapd is Steve Langasek <vorlon@debian.org>; Source for snapd is src:snapd.

Reported by: Stéphane Graber <stgraber@stgraber.org>

Date: Sun, 15 Jan 2017 10:27:02 UTC

Severity: important

Found in version snapd/2.20-2

Fixed in version snapd/2.27.2-1

Done: Michael Hudson-Doyle <michael.hudson@ubuntu.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#851473; Package snapd. (Sun, 15 Jan 2017 10:27:05 GMT)


Acknowledgement sent to Stéphane Graber <stgraber@stgraber.org>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>. (Sun, 15 Jan 2017 10:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Stéphane Graber <stgraber@stgraber.org>
To: submit@bugs.debian.org
Subject: snapd fails to run when apparmor is enabled
Date: Sun, 15 Jan 2017 12:25:57 +0200
Package: snapd
Severity: important
Version: 2.20-2

Hello,

On a clean stretch install, booted with apparmor enabled
(security=apparmor apparmor=1), snapd fails to run due to apparmor failures.

It appears to be caused by the fact that /lib is a symlink to /usr/lib,
with the symlinks getting resolved and so failing because the apparmor
profile only contains /lib paths.

There is that and a failure to execute snap-exec if I remember correctly.



It'd be great to have this fixed as snapd will very actively try to use
apparmor if it's enabled in the kernel. To the point where disabling the
apparmor profiles for snapd leads to another failure as snapd fails to
manually change profile then.

Stéphane

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#851473; Package snapd. (Sun, 15 Jan 2017 21:45:03 GMT)


Acknowledgement sent to Michael Hudson-Doyle <michael.hudson@canonical.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Sun, 15 Jan 2017 21:45:03 GMT)


Message #10 received at submit@bugs.debian.org:

From: Michael Hudson-Doyle <michael.hudson@canonical.com>
To: Stéphane Graber <stgraber@stgraber.org>, 851473@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#851473: snapd fails to run when apparmor is enabled
Date: Mon, 16 Jan 2017 10:41:56 +1300
Hi,

I can reproduce this. It doesn't seem related to the /usr merge because
that was disabled with the stretch rc1 installer and it persists after
installing with that. Or maybe I'm just seeing the "failure to execute
snap-exec", I get this:

root@debian:~# hello.universe
execv failed: Permission denied
root@debian:~# journalctl | tail -n2
Jan 16 10:41:40 debian audit[600]: AVC apparmor="DENIED" operation="exec" profile="/usr/lib/snapd/snap-confine" name="/usr/lib/snapd/snap-exec" pid=600 comm="snap-confine" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 16 10:41:40 debian kernel: audit: type=1400 audit(1484516500.606:8): apparmor="DENIED" operation="exec" profile="/usr/lib/snapd/snap-confine" name="/usr/lib/snapd/snap-exec" pid=600 comm="snap-confine" requested_mask="x" denied_mask="x" fsuid=0 ouid=0


So, um. Needs an apparmor person I think?

Cheers,
mwh

On 15 January 2017 at 23:25, Stéphane Graber <stgraber@stgraber.org> wrote:

> Package: snapd
> Severity: important
> Version: 2.20-2
>
> Hello,
>
> On a clean stretch install, booted with apparmor enabled
> (security=apparmor apparmor=1), snapd fails to run due to apparmor
> failures.
>
> It appears to be caused by the fact that /lib is a symlink to /usr/lib,
> with the symlinks getting resolved and so failing because the apparmor
> profile only contains /lib paths.
>
> There is that and a failure to execute snap-exec if I remember correctly.
>
>
>
> It'd be great to have this fixed as snapd will very actively try to use
> apparmor if it's enabled in the kernel. To the point where disabling the
> apparmor profiles for snapd leads to another failure as snapd fails to
> manually change profile then.
>
> Stéphane
>
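
An added example, not part of the original bug log or of snapd: a small Python triage script that parses AppArmor audit records like the two quoted in the message above, drops the second copy of an event that was logged twice, and counts distinct denials per profile, operation and path. The first two sample lines are the page's own log lines re-joined; the third is constructed, and the function names are assumptions of this example.

```python
import re
import shlex
from collections import Counter

# Records 1-2 are the log lines quoted in the message above, re-joined onto
# single lines; record 3 is constructed to show that non-DENIED records are skipped.
SAMPLE = '''\
Jan 16 10:41:40 debian audit[600]: AVC apparmor="DENIED" operation="exec" profile="/usr/lib/snapd/snap-confine" name="/usr/lib/snapd/snap-exec" pid=600 comm="snap-confine" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 16 10:41:40 debian kernel: audit: type=1400 audit(1484516500.606:8): apparmor="DENIED" operation="exec" profile="/usr/lib/snapd/snap-confine" name="/usr/lib/snapd/snap-exec" pid=600 comm="snap-confine" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jan 16 10:41:41 debian kernel: audit: type=1400 audit(1484516501.100:9): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/hosts" pid=601 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD_START = re.compile(r'apparmor="')


def parse_record(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    m = FIELD_START.search(line)
    if not m:
        return None
    fields = {}
    # shlex handles the quoted values (profile="...") and bare ones (pid=600).
    for token in shlex.split(line[m.start():]):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def summarize_denials(text):
    """Count distinct DENIED events per (profile, operation, name, denied_mask)."""
    seen = set()
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        rule = tuple(rec.get(k) for k in ("profile", "operation", "name", "denied_mask"))
        # One event can appear as both an audit[pid] line and a kernel line,
        # as it does above; dedupe on syslog timestamp + pid + rule.
        event = (line[:15], rec.get("pid")) + rule
        if event not in seen:
            seen.add(event)
            counts[rule] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, name, mask), n in summarize_denials(SAMPLE).items():
        print(f"{n}x profile={profile} op={op} name={name} denied={mask}")
```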

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#851473; Package snapd. (Sun, 15 Jan 2017 21:45:09 GMT)


Acknowledgement sent to Michael Hudson-Doyle <michael.hudson@canonical.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Sun, 15 Jan 2017 21:45:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#851473; Package snapd. (Mon, 16 Jan 2017 09:15:06 GMT)


Acknowledgement sent to Zygmunt Krynicki <zygmunt.krynicki@canonical.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 16 Jan 2017 09:15:06 GMT)


Message #20 received at 851473@bugs.debian.org:

From: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
To: 851473@bugs.debian.org
Date: Mon, 16 Jan 2017 10:12:25 +0100
Hi

This is caused by the fact that the apparmor profile for snap-confine
was never actually tested or expected to work on Debian.

I think we should remove the profile when working on Debian until we
come to the point where snapd is fully tested on Debian or when all of
apparmor patches to the kernel are released upstream and available in
Debian.

If there is agreement to do this I will remove the snap-confine
apparmor profile.



Reply sent to Michael Hudson-Doyle <michael.hudson@ubuntu.com>:
You have taken responsibility. (Thu, 17 Aug 2017 23:21:05 GMT)


Notification sent to Stéphane Graber <stgraber@stgraber.org>:
Bug acknowledged by developer. (Thu, 17 Aug 2017 23:21:05 GMT)


Message #25 received at 851473-close@bugs.debian.org:

From: Michael Hudson-Doyle <michael.hudson@ubuntu.com>
To: 851473-close@bugs.debian.org
Subject: Bug#851473: fixed in snapd 2.27.2-1
Date: Thu, 17 Aug 2017 23:20:24 +0000
Source: snapd
Source-Version: 2.27.2-1

We believe that the bug you reported is fixed in the latest version of
snapd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851473@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Hudson-Doyle <michael.hudson@ubuntu.com> (supplier of updated snapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 18 Aug 2017 11:00:31 +1200
Source: snapd
Binary: golang-github-ubuntu-core-snappy-dev golang-github-snapcore-snapd-dev snapd snap-confine ubuntu-core-launcher
Architecture: source
Version: 2.27.2-1
Distribution: unstable
Urgency: medium
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Michael Hudson-Doyle <michael.hudson@ubuntu.com>
Description:
 golang-github-snapcore-snapd-dev - snappy development go packages.
 golang-github-ubuntu-core-snappy-dev - transitional dummy package
 snap-confine - Transitional package for snapd
 snapd      - Tool to interact with Ubuntu Core Snappy.
 ubuntu-core-launcher - Transitional package for snapd
Closes: 851473
Changes:
 snapd (2.27.2-1) unstable; urgency=medium
 .
   * New upstream release.
   * Stop using single-debian-patch, split delta into separate patches.
   * Allow confining snap-confine even when --disable-apparmor is used.
   * Pass --enable-static-libcap to cmd/configure, as was always the intention.
   * Disable re-exec on Debian until core snap can cope with a partial apparmor
     implementation. (Closes: #851473)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 20 Sep 2017 07:29:22 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 10 05:38:24 2018; Machine Name: buxtehude
