Ubuntu
snap-confine package

log-observe interface is broken in latest snap-confine

Bug #1606277 reported by Jamie Strandboge
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snap-confine
Fix Released
Critical
Zygmunt Krynicki
snap-confine 1.0.39
snap-confine (Ubuntu)
Fix Released
Medium
Unassigned
Xenial
Fix Released
Medium
Unassigned
Yakkety
Fix Released
Medium
Unassigned

Bug Description

[Impact]

The snapd interface "log-observe" is broken due to how we handle bind mounts.

This bug is fixed by adding /var/log to a list of directories that are bind mounted and thus visible to snaps in their execution environment.

For more information about the execution environment, please see this article http://www.zygoon.pl/2016/08/snap-execution-environment.html

[Test Case]

The test case can be found here:

https://github.com/snapcore/snap-confine/blob/master/spread-tests/regression/lp-1606277/task.yaml

The test case is ran automatically for each pull request and for each final release. It can be reproduced manually by executing the shell commands listed in the prepare/execute/restore phases manually.
The commands there assume that snapd and snap-confine are installed.
No other additional setup is necessary.

[Regression Potential]

 * Regression potential is minimal as the fix simply adds another directory to a list of directories that needs to be bind mounted.

* The fix was tested on Ubuntu via spread and on several other distributions successfully.

[Other Info]

* This bug is a part of a major SRU that brings snap-confine in Ubuntu 16.04 in line with the current upstream release 1.0.41.

* This bug was included in an earlier SRU and is now fixed in Ubuntu. I am updating the template here to ensure that the process is fully documented from 1.0.38 all the way up to the current upstream release 1.0.41.

* snap-confine is technically an integral part of snapd which has an SRU exception and is allowed to introduce new features and take advantage of accelerated procedure. For more information see https://wiki.ubuntu.com/SnapdUpdates

== # Pre-SRU bug description follows # ==

The log-observe interface is broken due to how we handle bind mounts now. This can be seen with 'snappy-debug':

$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
    sys.exit(main())
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
    from_end=opt.only_new)
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
    self.scan_log(log_file, snap_name, follow, from_end)
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
    log = open_file_read(log_file)
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
    orig = codecs.open(path, 'r', "UTF-8", errors="replace")
  File "/usr/lib/python3.5/codecs.py", line 895, in open
    file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'

This is because /var/log/syslog is not available at runtime due to the bind mounts. This can be shown by installing hello-world, adjusting /var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be able to read any directory), reloading the profile, then doing:
$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log btmp dpkg.log fsck watchdog
bootstrap.log dmesg faillog lastlog wtmp

This may also be a problem with other interfaces, I haven't checked extensively, though it seems that /var/lib/extrausers (from the nameservice abstraction) won't work right, and (at least) ppp (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also affected.

WORKAROUND for snappy-debug: launch outside of the launcher:
$ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog

See original description
Jamie Strandboge (jdstrand)
tags: added: snapd-interface
description: updated
Revision history for this message
Zygmunt Krynicki (zyga) wrote :

Ah, I'm sorry, I will fix this ASAP and issue a new release.

Changed in snap-confine:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Zygmunt Krynicki (zyga)
milestone: none → 1.0.39
Revision history for this message
Zygmunt Krynicki (zyga) wrote :

This is fixed by the following pull request: https://github.com/snapcore/snap-confine/pull/93

Zygmunt Krynicki (zyga)
Changed in snap-confine:
status: In Progress → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Jamie, or anyone else affected,

Accepted snap-confine into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snap-confine/1.0.38-0ubuntu0.16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: regression-proposed
Changed in snap-confine (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

1.0.38-2 is still affected. Marking as In Progress because the snappy team is working to get 1.0.39 there too.

Changed in snap-confine (Ubuntu Yakkety):
status: New → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

1.0.38-0ubuntu0.16.04.3 resolves the issue. Thanks!

tags: added: verification-done
removed: verification-needed
Revision history for this message
Stéphane Graber (stgraber) wrote :

FYI, I just noticed this bug when trying snap-confine from xenial-proposed.

https://bugs.launchpad.net/snappy/+bug/1607796

tags: added: verification-failed
removed: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snap-confine - 1.0.38-3

---------------
snap-confine (1.0.38-3) unstable; urgency=medium

  * debian/patches/prctl-compatibility.patch: add shadow definitions for
    compatibility with older kernel headers.
  * drop build-dependency on shellcheck, which is not used at build time
    and doesn't exist in trusty.
  * make ubuntu-core-launcher "arch:any" to workaround an issue in
    rm_conffile which does not deal with changing architectures
  * fix log-observer interface regression (LP: #1606277)

 -- Steve Langasek <email address hidden> Thu, 28 Jul 2016 21:00:38 +0000

Changed in snap-confine (Ubuntu Yakkety):
status: In Progress → Fix Released
Mathew Hodson (mhodson)
Changed in snap-confine (Ubuntu Xenial):
importance: Undecided → Medium
Changed in snap-confine (Ubuntu Yakkety):
importance: Undecided → Medium
Revision history for this message
Martin Pitt (pitti) wrote :

Accepted 1.0.38-0ubuntu0.16.04.4 into xenial-proposed which is supposed to fix the regression.

tags: added: verification-needed
removed: regression-proposed verification-failed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This bug was actually fixed in 1.0.38-0ubuntu0.16.04.3 and it continues to be fixed in 1.0.38-0ubuntu0.16.04.4.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This was fixed 1.0.38-0ubuntu0.16.04.3 in xenial.

Changed in snap-confine (Ubuntu Xenial):
status: Fix Committed → Fix Released
Zygmunt Krynicki (zyga)
description: updated
description: updated
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Jamie, or anyone else affected,

Accepted snap-confine into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snap-confine/1.0.42-0ubuntu3~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snap-confine (Ubuntu Xenial):
status: Fix Released → In Progress
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Jamie, or anyone else affected,

Accepted snap-confine into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snap-confine/1.0.43-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Ara Pulido (ara) wrote :

This was already verified in .38, so marking as verification-done

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snap-confine - 1.0.43-0ubuntu1~16.04.1

---------------
snap-confine (1.0.43-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * Backport from 16.10 (LP: #1630040)

snap-confine (1.0.43-0ubuntu1) yakkety; urgency=medium

  * New upstream release (LP: #1630479, LP: #1630492, LP: #1628612)
  * debian/patches/lp1630789.patch: allow running snaps by non-root users in
    LXD containers (LP: #1630789)

snap-confine (1.0.42-0ubuntu3) yakkety; urgency=medium

  * allow snap-confine to mount on /dev/pts/ptmx for LXD with /dev/ptmx
    symlink

snap-confine (1.0.42-0ubuntu2) yakkety; urgency=medium

  * add mmap to AppArmor policy for snap-confine for running snap-confine
    under LXD on 4.8 kernels

snap-confine (1.0.42-0ubuntu1) yakkety; urgency=medium

  * New upstream release
  * Drop patch skip-nsfs-magic-tests-on-old-kernels.patch (applied upstream)

snap-confine (1.0.41-0ubuntu2) yakkety; urgency=medium

  * add skip-nsfs-magic-tests-on-old-kernels.patch to disable NSFS tests on
    kernels older than 3.19 (LP: #1625565)

snap-confine (1.0.41-0ubuntu1) yakkety; urgency=medium

  * New upstream release, full list of issues is available at
    https://launchpad.net/snap-confine/+milestone/1.0.41
  * Drop all patches (included upstream).
  * Add version to apparmor run-time dependency.

snap-confine (1.0.40-1) unstable; urgency=medium

  * New upstream release, full list of issues is available at
    https://launchpad.net/snap-confine/+milestone/1.0.40
  * Drop apparmor profile from the debian/ directory and install it straight
    from upstream package. This is now automatically consistent with package
    configuration prefix.
  * Drop patch: prctl-compatibility.patch(applied upstream)
  * Add directory /var/lib/snapd/void to snap-confine
  * Add patch: 0001-Don-t-shellcheck-files-spread-prepare-script.patch that
    fixes make check due to a mistake upstream.
  * Add patch: 0001-Stop-using-deprecated-readdir_r.patch (LP: #1615615)

snap-confine (1.0.39-1) unstable; urgency=medium

  * New upstream release.
  * Remove d/patches/01_lp1606277.patch, applied upstream.

snap-confine (1.0.38-3) unstable; urgency=medium

  * debian/patches/prctl-compatibility.patch: add shadow definitions for
    compatibility with older kernel headers.
  * drop build-dependency on shellcheck, which is not used at build time
    and doesn't exist in trusty.
  * make ubuntu-core-launcher "arch:any" to workaround an issue in
    rm_conffile which does not deal with changing architectures
  * fix log-observer interface regression (LP: #1606277)

snap-confine (1.0.38-2) unstable; urgency=medium

  * Fix invocations of rm_conffile.
  * Update d/usr.lib.snapd.snap-confine to the latest upstream version to
    ensure content-sharing fully works.

snap-confine (1.0.38-1) unstable; urgency=medium

  * New upstream release.

 -- Jamie Strandboge <email address hidden> Thu, 06 Oct 2016 14:51:26 +0000

Changed in snap-confine (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for snap-confine has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.