Snappy

gvfs confinement issues

Bug #1592901 reported by Reinhard Pointner on 2016-06-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Snappy	Fix Released	Medium	Jamie Strandboge

Bug Description

When users access network shares, these shares will be mounted into the file system at /run/user/<UID>/gvfs/ so network shares can be accessed via the local filesystem.

Currently, the snappy interface `home` allows snaps to access the user home, but not the users network shares at /run/user/<UID>/gvfs/ that should be accessible to snaps as well.

Either interface `home` needs to be extended to also grant permissions for the users gvfs folder, or an additional interface is required.

Long story short, confined snaps should be able to access network shares mounted at /run/user/<UID>/gvfs/ the same way unconfined apps can.

Tags:

Revision history for this message

Mark Shuttleworth (sabdfl) wrote on 2016-06-15: Re: [Bug 1592901] [NEW] gvfs confinement issues

Thank you Reinhard. Is the convention that these gvfs mounts are "part
of the home directory"? If so then we don't need a separate interface,
let's just extend the existing home interface.

Mark

Revision history for this message

Reinhard Pointner (filebot) wrote on 2016-06-15:

I'd say so. It's files the user has access to. I'd vote for extending the home interface as well, unless somebody has a good counter argument.

Jamie Strandboge (jdstrand) on 2016-06-16

tags:	added: snapd-interface removed: gvfs home interfaces network shares
Changed in snappy:
status:	New → Triaged
assignee:	nobody → Jamie Strandboge (jdstrand)

Jamie Strandboge (jdstrand) on 2016-06-22

Changed in snappy:
status:	Triaged → In Progress
importance:	Undecided → Medium

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-06-23:

This is merged and will be in 2.0.10.

Changed in snappy:
status:	In Progress → Fix Committed

Revision history for this message

Chris J Arges (arges) wrote on 2016-06-29: Please test proposed package

Hello Reinhard, or anyone else affected,

Accepted snapd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.0.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags:

added: verification-needed

Revision history for this message

Reinhard Pointner (filebot) wrote on 2016-06-30:

Hi Chris,

I've tried a few things and as far as file permissions are concerned it looks good.

I haven't been able to fully test it with my application though because I haven't managed to get g_vfs_get_file_for_uri (GVfs *vfs, const char *uri) working within the sandbox.

Cheers, Reinhard

Jamie Strandboge (jdstrand) on 2016-06-30

tags:

added: verification-done
removed: verification-needed

Revision history for this message

Steve Langasek (vorlon) wrote on 2016-07-08: Update Released

The verification of the Stable Release Update for snapd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-07-27:

This is fixed in snapd 2.11+16.10 on Ubuntu 16.10 and snapd 2.0.10 on 16.04 LTS.

Changed in snappy:
status:	Fix Committed → Fix Released

Revision history for this message

Reinhard Pointner (filebot) wrote on 2016-11-24:

I still have issues with listing the contents of /run/user/1000/gvfs

Sandboxed apps should be able to list the contents of /run/user/1000/gvfs otherwise it would be impossible to access network storage without already knowing the exact gvfs folder name.

This should list mounted network storage folders, but it fails in the sandbox:

$ ls -l /run/user/1000/gvfs
ls: cannot open directory '/run/user/1000/gvfs': Permission denied

(It should list "afp-volume:host=10.0.1.5,user=reinhard,volume=data")

This works fine:

$ ls -l /run/user/1000/gvfs/afp-volume:host=10.0.1.5,user=reinhard,volume=data
drwxrwxrwx 1 reinhard reinhard 0 May 21 2016 Archive
...

Revision history for this message

Reinhard Pointner (filebot) wrote on 2016-11-24:

Partially fixed. Still issues with listing the gvfs folder.

Changed in snappy:
status:	Fix Released → Confirmed

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-11-28:

#10

Reinhard, can you file a new bug for the directory listing? Thanks!

Changed in snappy:
status:	Confirmed → Fix Released

Revision history for this message

Reinhard Pointner (filebot) wrote on 2016-11-28:

#11

New bug report => https://bugs.launchpad.net/snappy/+bug/1645413

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.