Public bug reported:

Ubuntu MATE 17.10 images include pulsemixer as a snap preinstalled. This snap doesn't work as part of the live system, because it's a confined snap, which means apparmor mediation is in effect.

The apparmor profiles end up blocking everything, because the livefs uses an overlay filesystem (possibly currently aufs instead of overlayfs, this bears checking - but we can assume this should be overlayfs going forward), and from the kernel's perspective, none of the paths that the process is trying to access match the ones in the apparmor profile because the "real" paths on the filesystem are all /rofs/[...] instead of /[...].

As snaps become increasingly integrated in Ubuntu, we will need them working in live sessions also.

Talking with jdstrand, there are two possible options here:

- do work in snapd / apparmor to detect overlay and handle the mapping of paths in the apparmor profile
- have snapd detect overlay and disable apparmor confinement for these snaps.

I think this needs to be resolved for 18.04.

The issue does not affect classic confined snaps on live environments, due to the lack of apparmor profile being applied. (I.e. subiquity works fine as a snap)

** Affects: snapd (Ubuntu)
     Importance: High
         Status: New

** Affects: snapd (Ubuntu Bionic)
     Importance: High
         Status: New

** Tags: snaps-in-main

** Tags added: snaps-in-main

** Changed in: snapd (Ubuntu)
   Importance: Undecided => High

** Also affects: snapd (Ubuntu Bionic)
   Importance: High
       Status: New

https://bugs.launchpad.net/bugs/1729867

Title:
  confined snaps don't work on live images due to apparmor path mapping
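The mismatch described in the report, and the overlay detection both proposed options depend on, shown as an added example (it is not part of the bug report and is not snapd or AppArmor code). The mountinfo excerpt, the two profile rules, the `/cow` paths and the function names are constructed for illustration, and `allowed` is a simplified stand-in for AppArmor's path matcher.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed /proc/self/mountinfo excerpt for a live session (not captured output).
const sampleMountinfo = `21 0 0:19 / / rw,relatime - overlay /cow rw,lowerdir=/rofs,upperdir=/cow/upper,workdir=/cow/work
22 21 7:0 / /rofs ro,noatime shared:1 - squashfs /dev/loop0 ro`

// rootFSType returns the filesystem type of the last mount on "/", or "".
func rootFSType(mountinfo string) string {
	fstype := ""
	for _, line := range strings.Split(mountinfo, "\n") {
		pre, post, ok := strings.Cut(line, " - ") // "-" ends the optional fields
		a, b := strings.Fields(pre), strings.Fields(post)
		if ok && len(a) > 4 && len(b) > 0 && a[4] == "/" {
			fstype = b[0] // "overlay" or "aufs" means a union root
		}
	}
	return fstype
}

// allowed is a simplified stand-in for AppArmor path matching: a rule is
// either an exact path or a prefix ending in "/**".
func allowed(rules []string, path string) bool {
	for _, r := range rules {
		if r == path || (strings.HasSuffix(r, "/**") && strings.HasPrefix(path, strings.TrimSuffix(r, "**"))) {
			return true
		}
	}
	return false
}

// mapLower strips the lower-layer prefix so the path is back in the profile's namespace.
func mapLower(path, lower string) string {
	if strings.HasPrefix(path, lower+"/") {
		return strings.TrimPrefix(path, lower)
	}
	return path
}

func main() {
	rules := []string{"/usr/share/alsa/**", "/etc/ld.so.cache"} // hypothetical profile rules
	seen := "/rofs/usr/share/alsa/alsa.conf"                    // path as the report says the kernel sees it
	fmt.Println(rootFSType(sampleMountinfo), allowed(rules, seen), allowed(rules, mapLower(seen, "/rofs")))
}
```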