apparmor denial using ptmx char device
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snap-confine | Fix Released | Undecided | Jamie Strandboge |
linux (Ubuntu) | Confirmed | Undecided | Tyler Hicks |
snap-confine (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
snap-confine would refuse to work on an older kernel running on an Nvidia Tegra X1 board. This was traced to a bug in the older version of apparmor in that kernel, which required directory-like syntax for /dev/pts/ptmx (with a trailing slash).
This bug is fixed by adding an apparmor rule, identical to the normal rule, with an extra slash. Older kernels will use the new rule, while current kernels will simply ignore it.
[Test Case]
On an Nvidia Tegra X1 board running kernel 3.10.96, snap-confine should no longer fail to start. On Ubuntu Xenial (all architectures) there should be no perceived change.
Snap-confine is carefully tested with a battery of spread tests that can be found here: https:/
The test cases are run automatically for each pull request and for each final release.
All those tests were executed successfully for this release. As a simple test case consider running any snap (any at all, including hello-world).
[Regression Potential]
* Regression potential is minimal as the fix simply adds another apparmor rule that grants additional permissions that are only picked up by old buggy kernels.
* The fix was tested on Ubuntu via spread.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.
* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd, which has an SRU exception and is allowed to introduce new features and take advantage of the accelerated procedure. For more information see https:/
== # Pre-SRU bug description follows # ==
- Finding issues running snaps (hello-world).
- Same issue even when installing with --devmode, and even when running the snap binary as root.
- Using a custom kernel, this is on an Nvidia Tegra X1 custom board.
=======
ubuntu@localhost:~$ hello-world.echo plop
unable to mount '/dev/pts/
ubuntu@localhost:~$ sudo hello-world.echo plop
unable to mount '/dev/pts/
dmesg shows:
=======
[ 302.838046] type=1400 audit(145520837
operation="mount" info="failed mntpnt match" error=-13 parent=911
profile=
comm="ubuntu-
[ 308.080449] type=1400 audit(145520837
operation="mount" info="failed mntpnt match" error=-13 parent=914
profile=
comm="ubuntu-
This is with the "hello-world" snap installed with "snap install"
Output of an ls over the device file:
=======
ubuntu@localhost:~$ ls -lR /dev/ptmx /dev/pts
crw-rw-rw- 1 root tty 5, 2 Feb 11 16:28 /dev/ptmx
/dev/pts:
total 0
c--------- 1 root root 5, 2 Jan 1 1970 ptmx
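The dmesg lines above are AppArmor audit records (type=1400) whose `name` field ends in a trailing slash, which is the symptom the fix targets. The following is an added example, not code from the bug report or from snap-confine: it parses such records, flags mount denials whose target carries a trailing slash, and derives the slashed variant of a mount rule in the way the [Impact] section describes. The sample dmesg text and the `mount options=(rw, bind) /dev/pts/ptmx -> /dev/ptmx,` rule line are constructed assumptions modelled on AppArmor syntax, not the project's actual profile or log output.

```python
import re

# Constructed dmesg excerpt modelled on the truncated denials in the report;
# timestamps, pids, profile names and the third line are placeholders.
SAMPLE_DMESG = """\
[  302.838046] type=1400 audit(1455208378.123:45): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=911 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=915 comm="ubuntu-core-launc"
[  308.080449] type=1400 audit(1455208384.456:46): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 parent=914 profile="/usr/bin/ubuntu-core-launcher" name="/dev/ptmx/" pid=918 comm="ubuntu-core-launc"
[  310.000000] type=1400 audit(1455208386.000:47): apparmor="DENIED" operation="open" profile="snap.hello-world.echo" name="/etc/shadow" pid=920 comm="echo" requested_mask="r" denied_mask="r"
"""

# key=value tokens of an audit record; values are "quoted" or bare.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_record(line):
    """Return the fields of a type=1400 AppArmor audit line, or None."""
    if "type=1400" not in line:
        return None
    return {k: (q if q != "" else b) for k, q, b in _TOKEN.findall(line)}

def classify(record):
    """Label a record. The Tegra X1 symptom is a mount denial whose target
    ends in '/': the old kernel used directory syntax for a char device,
    which the profile's normal (unslashed) mount rule does not cover."""
    if record.get("apparmor") != "DENIED":
        return "allowed"
    if record.get("operation") == "mount":
        if record.get("name", "").endswith("/"):
            return "mount-denied-trailing-slash"
        return "mount-denied"
    return "other-denied"

def scan_dmesg(text):
    """Return [(classification, profile, name)] for every AppArmor record."""
    out = []
    for line in text.splitlines():
        rec = parse_apparmor_record(line)
        if rec:
            out.append((classify(rec), rec.get("profile"), rec.get("name")))
    return out

# Matches 'mount [options...] SRC -> DST,' (assumed AppArmor mount rule shape).
_MOUNT_RULE = re.compile(r"^(\s*mount\b.*?)(\S+)\s*->\s*(\S+),\s*$")

def trailing_slash_variant(rule):
    """Derive the workaround rule the fix describes: the same mount rule with
    '/' appended to source and target. None if not a mount rule or already slashed."""
    m = _MOUNT_RULE.match(rule)
    if not m or m.group(2).endswith("/"):
        return None
    prefix, src, dst = m.groups()
    return f"{prefix}{src}/ -> {dst}/,"
```

Both rules would need to be present in the profile: the slashed one only matters on the affected older kernels, and it grants nothing beyond what the normal rule already allows.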
tags: added: apparmor
Changed in snappy: status: New → Incomplete
Changed in snappy: status: Incomplete → New
Changed in snap-confine: milestone: none → 1.0.40; status: In Progress → Fix Committed
Changed in snap-confine: status: Fix Committed → Fix Released; description: updated
Changed in snap-confine (Ubuntu): status: New → Fix Released
no longer affects: linux (Ubuntu Xenial)
Changed in snap-confine (Ubuntu Xenial): status: New → In Progress
Thanks for the bug report. We've discussed this on IRC and in a private email thread. I'll summarize here:
"Basically the launcher wants to mount /dev/pts/ptmx on /dev/ptmx and there are
apparmor rules in the launcher's apparmor profile that allow that. However, the
denial is for 'name="/dev/ptmx/"' -- notice the trailing '/' in /dev/ptmx/ --
this is not allowed by the launcher's profile and /dev/ptmx should be a file,
not a directory. From 'man pts': "The file /dev/ptmx is a character file with
major number 5 and minor number 2, ...".
There appears to be a problem with your system, perhaps udev rules. How are your
/dev/ptmx and /dev/pts being set up before any snaps are run (including snaps
with daemons started by systemd)? Are you using a custom kernel, gadget and/or
os snap?"
Can you provide the following:
1. uninstall all app snaps, reboot, then provide the output of 'ls -lR /dev/ptmx /dev/pts'
2. 'snap install hello-world' and then run 'hello-world.echo foo', then provide the output of 'ls -lR /dev/ptmx /dev/pts'
3. What kernel snap are you using? If custom, can you attach it?
4. What gadget snap are you using? If custom, can you attach it?
5. What device are you targeting? (e.g., amd64 VM, rpi2, rpi3, etc.)
Thanks!