Public bug reported:

The log-observe interface is broken due to how we handle bind mounts
now. This can be seen with 'snappy-debug':

$ sudo snap install snappy-debug
$ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
$ sudo /snap/bin/snappy-debug.security scanlog
kernel.printk_ratelimit = 0
Traceback (most recent call last):
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in <module>
    sys.exit(main())
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
    from_end=opt.only_new)
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in __init__
    self.scan_log(log_file, snap_name, follow, from_end)
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in scan_log
    log = open_file_read(log_file)
  File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in open_file_read
    orig = codecs.open(path, 'r', "UTF-8", errors="replace")
  File "/usr/lib/python3.5/codecs.py", line 895, in open
    file = builtins.open(filename, mode, buffering)
FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'

This is because /var/log/syslog is not available at runtime due to the bind 
mounts. This can be shown by installing hello-world, adjusting 
/var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be 
able to read any directory), reloading the profile, then doing:
$ hello-world.sh
...
bash-4.3$ ls /var/log/
alternatives.log  btmp   dpkg.log  fsck     watchdog
bootstrap.log     dmesg  faillog   lastlog  wtmp

This may also be a problem with other interfaces, I haven't checked
extensively, though it seems that /var/lib/extrausers (from the
nameservice abstraction) won't work right, and (at least) ppp
(/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also
affected.

WORKAROUND for snappy-debug: launch outside of the launcher:
$ sudo SNAP=/snap/snappy-debug/current PATH=$PATH:/snap/snappy-debug/current/bin /snap/snappy-debug/current/bin/snappy-security scanlog

** Affects: snap-confine (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: snapd-interface

** Tags added: snapd-interface

** Description changed:

  The log-observe interface is broken due to how we handle bind mounts
  now. This can be seen with 'snappy-debug':
  
  $ sudo snap install snappy-debug
  $ sudo snap connect snappy-debug:log-observe ubuntu-core:log-observe
  $ sudo /snap/bin/snappy-debug.security scanlog
  kernel.printk_ratelimit = 0
  Traceback (most recent call last):
-   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in 
<module>
-     sys.exit(main())
-   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
-     from_end=opt.only_new)
-   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in 
__init__
-     self.scan_log(log_file, snap_name, follow, from_end)
-   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in 
scan_log
-     log = open_file_read(log_file)
-   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in 
open_file_read
-     orig = codecs.open(path, 'r', "UTF-8", errors="replace")
-   File "/usr/lib/python3.5/codecs.py", line 895, in open
-     file = builtins.open(filename, mode, buffering)
+   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 580, in 
<module>
+     sys.exit(main())
+   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 569, in main
+     from_end=opt.only_new)
+   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 92, in 
__init__
+     self.scan_log(log_file, snap_name, follow, from_end)
+   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 157, in 
scan_log
+     log = open_file_read(log_file)
+   File "/snap/snappy-debug/22/bin/snappy-security-scanlog", line 71, in 
open_file_read
+     orig = codecs.open(path, 'r', "UTF-8", errors="replace")
+   File "/usr/lib/python3.5/codecs.py", line 895, in open
+     file = builtins.open(filename, mode, buffering)
  FileNotFoundError: [Errno 2] No such file or directory: '/var/log/syslog'
- 
  
  This is because /var/log/syslog is not available at runtime due to the bind 
mounts. This can be shown by installing hello-world, adjusting 
/var/lib/snapd/apparmor/profiles/snap.hello-world.sh to have "/**/ r," (to be 
able to read any directory), reloading the profile, then doing:
  $ hello-world.sh
  ...
  bash-4.3$ ls /var/log/
  alternatives.log  btmp         dpkg.log  fsck     watchdog
  bootstrap.log   dmesg  faillog   lastlog  wtmp
  
  This may also be a problem with other interfaces, I haven't checked
  extensively, though it seems that /var/lib/extrausers (from the
  nameservice abstraction) won't work right, and (at least) ppp
  (/var/log/ppp) and timezone-control (/usr/share/zoneinfo) are also
  affected.
+ 
+ WORKAROUND for snappy-debug: launch outside of the launcher:
+ $ sudo SNAP=/snap/snappy-debug/current 
PATH=$PATH:/snap/snappy-debug/current/bin 
/snap/snappy-debug/current/bin/snappy-security scanlog

https://bugs.launchpad.net/bugs/1606277

Title:
  log-observe interface is broken in latest snap-confine
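
The report's manual check (listing /var/log from inside the snap's shell) can be scripted. The following is an added example, not part of the bug report or of snappy-debug: it separates a path that is missing from the current mount namespace (ENOENT) from one that exists but is refused (EACCES), for the paths the report names. The function names and the `root` parameter are assumptions made for illustration.

```python
import errno
import os

# Paths taken from the bug description; the interface labels are the report's.
INTERFACE_PATHS = {
    "log-observe": "/var/log/syslog",
    "nameservice (extrausers)": "/var/lib/extrausers",
    "ppp": "/var/log/ppp",
    "timezone-control": "/usr/share/zoneinfo",
}


def classify(path):
    """Return 'visible', 'absent' or 'denied' for path as seen by this process."""
    try:
        os.stat(path)
    except OSError as exc:
        # ENOENT/ENOTDIR: the path is not present in this mount namespace.
        if exc.errno in (errno.ENOENT, errno.ENOTDIR):
            return "absent"
        # EACCES/EPERM: the path exists but access was refused
        # (security policy or ordinary file permissions).
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        raise
    return "visible"


def survey(paths=INTERFACE_PATHS, root="/"):
    """Classify every interface path, optionally under an alternate root."""
    return {
        iface: classify(os.path.join(root, path.lstrip("/")))
        for iface, path in paths.items()
    }


if __name__ == "__main__":
    # Run from the shell inside the snap's environment to see what it sees.
    for iface, state in sorted(survey().items()):
        print("{:26} {:22} {}".format(iface, INTERFACE_PATHS[iface], state))
```

An "absent" result for a path that the connected interface's policy allows points at the mount setup rather than the AppArmor profile, which is the situation the report describes for /var/log/syslog.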
