updated plug of system-files with additional read/write does not get updated apparmor profile on refresh
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd | Fix Committed | High | Paweł Stołowski | | |
Bug Description
With this snap built locally and installed:
```
name: test-system-
version: 0.1
plugs:
  foo:
    interface: system-files
    write:
      - /etc/resolv.conf
apps:
  bin:
    command: bin.sh
```
if you manually connect the foo plug, you will see apparmor policy generated for /etc/resolv.conf.
Then if you update the snap.yaml to this:
```
name: test-system-
version: 0.2
plugs:
  foo:
    interface: system-files
    write:
      - /etc/resolv.conf
      - /etc/foo.conf
apps:
  bin:
    command: bin.sh
```
and then refresh the snap, the AppArmor profile is not updated to take into account the foo.conf too. If you disconnect the interface and then re-connect the interface, then AppArmor rules for /etc/foo.conf show up.
I have proposed a regression test which we can use to verify the fix at https://github.com/snapcore/snapd/pull/10707
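
A check for the symptom described in this report, as an added example that is not part of the original bug report and not snapd's own regression test: it lists the paths declared under `read:`/`write:` in a snap.yaml that do not appear anywhere in a profile file. The function names, the sample snap.yaml and the profile excerpt (including its rule syntax) are constructed for illustration.

```shell
#!/bin/sh
# Print every list item under a "read:" or "write:" key of a snap.yaml.
# Assumption: block-style lists, one path per "- " line, as in the report.
declared_paths() {
    awk '
        /^[ \t]*(read|write):[ \t]*$/ { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]+/ {
            sub(/^[ \t]*-[ \t]+/, ""); sub(/[ \t]+$/, ""); print; next
        }
        { in_list = 0 }
    ' "$1"
}

# Print declared paths that never occur in the profile text.
# grep -F does a literal substring match, so no rule syntax is assumed.
stale_paths() {
    declared_paths "$1" | while IFS= read -r p; do
        grep -qF -- "$p" "$2" || printf '%s\n' "$p"
    done
}

# Constructed inputs: 0.2 metadata next to a profile generated for 0.1.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/snap.yaml" <<'EOF'
plugs:
  foo:
    interface: system-files
    write:
      - /etc/resolv.conf
      - /etc/foo.conf
apps:
  bin:
    command: bin.sh
EOF
    cat > "$dir/profile" <<'EOF'
# constructed excerpt; the rule syntax here is illustrative only
"/etc/resolv.conf" rwkl,
EOF
    stale_paths "$dir/snap.yaml" "$dir/profile"
    rm -rf "$dir"
}

demo   # prints /etc/foo.conf
```

On an installed system the two inputs would be `/snap/<name>/current/meta/snap.yaml` and `/var/lib/snapd/apparmor/profiles/snap.<name>.<app>`, checked while the plug is connected. Any path printed after a refresh is declared in the new metadata but has no rule in the profile.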