** Description changed:

  The docker-support and multipass-support interfaces allow access to
  /sbin/apparmor_parser.
  
  /sbin/apparmor_parser is supplied by the core, core18 and core20 base
  snaps.
  
  /etc/apparmor* comes from the host, which on groovy has apparmor3.
  
  Snaps using docker-support and multipass-support are completely broken
  on groovy when using core and core18. On core20, policy loads with
  warnings.
  
  Transparent solution is to ship the /etc/apparmor and /etc/apparmor.d in
- the base snaps, and bind mount these into place (eg, via snap-confine).
+ the base snaps, and bind mount these into place (eg, via snap-confine or
+ snap-update-ns).
  
- Snaps can fix themselves with layouts.
+ Snaps can work around this themselves with layouts (while we should not
+ force this on publishers, this could be done to unbreak a snap before
+ the fix is in place).
  
  Note, there are plans to vendor apparmor3 into snapd for cross-distro
  support and that will happen in the 21.04 cycle. However, that doesn't
  fix snaps that plug docker-support and multipass-support and load their
  own policy.
  
  # core
  $ cat /tmp/core.profile
  #include <tunables/global>
  
  profile test-core-profile {
    #include <abstractions/base>
  
  }
  
  $ sudo /snap/core/current/sbin/apparmor_parser -r /tmp/core.profile
  /snap/core/current/sbin/apparmor_parser: unknown option (policy-features) in config file.
  AppArmor parser error for /tmp/core.profile in /etc/apparmor.d/tunables/etc at line 25: Could not open 'if'
  [1]
  
  $ sudo aa-status | grep test-core
  [1]
  
  # core18
  $ cat /tmp/core18.profile
  #include <tunables/global>
  
  profile test-core18-parser {
    #include <abstractions/base>
  
  }
  
  $ sudo /snap/core18/current/sbin/apparmor_parser -r /tmp/core18.profile
  /snap/core18/current/sbin/apparmor_parser: unknown option (policy-features) in config file.
  AppArmor parser error for /tmp/core18.profile in /etc/apparmor.d/tunables/etc at line 25: Could not open 'if'
  [1]
  
  $ sudo aa-status | grep test-core18
  [1]
  
  # core20
  $ cat /tmp/core20.profile
  #include <tunables/global>
  
  profile test-core20-parser {
    #include <abstractions/base>
  
  }
  
  $ sudo /snap/core20/current/sbin/apparmor_parser -r /tmp/core20.profile
  /snap/core20/current/sbin/apparmor_parser: unknown option (policy-features) in config file.
  Warning from /tmp/core20.profile (/etc/apparmor.d/abstractions/base line 13): /snap/core20/current/sbin/apparmor_parser: Profile abi not supported, falling back to system abi.
  
  $ sudo aa-status | grep test-core20
     test-core20-parser
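The three transcripts above show the failure modes a base snap's parser hits against the host's apparmor3 config: a hard parse error (core, core18) versus a warning with policy still loading (core20). The following added example, not part of the bug report, automates that check: `check_base` runs a base snap's apparmor_parser in skip-kernel-load mode (`-Q`) against a minimal profile, and `classify_parser_output` turns the captured output into "broken", "degraded" or "ok"; the base snap names and the profile text are assumptions mirroring the transcripts.

```shell
#!/bin/sh
# Added example (not from the bug report): detect whether a base snap's
# apparmor_parser can consume the host /etc/apparmor* configuration.

# Classify captured parser output (stdout+stderr) into:
#   broken   - a parser error, so the profile was not loaded (core, core18 case)
#   degraded - only "unknown option"/warnings, policy still loads (core20 case)
#   ok       - no complaints at all
classify_parser_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'AppArmor parser error'; then
        echo broken
    elif printf '%s\n' "$out" | grep -Eq 'unknown option|Warning from'; then
        echo degraded
    else
        echo ok
    fi
}

# Run the parser shipped by the named base snap (core, core18, core20) against
# a minimal profile like the ones in the report. -Q (--skip-kernel-load) does
# everything except loading into the kernel, so the check needs no root and
# leaves no profile behind; the parser still reads the host parser.conf and
# tunables, which is exactly what breaks here.
check_base() {
    base="$1"
    parser="/snap/$base/current/sbin/apparmor_parser"
    [ -x "$parser" ] || { echo "missing: $parser" >&2; return 2; }
    tmp=$(mktemp)
    printf '#include <tunables/global>\nprofile test-%s-parser {\n  #include <abstractions/base>\n}\n' \
        "$base" > "$tmp"
    out=$("$parser" -Q "$tmp" 2>&1)
    rm -f "$tmp"
    classify_parser_output "$out"
}

# Usage on a groovy host with the base snaps installed:
#   for b in core core18 core20; do printf '%s: ' "$b"; check_base "$b"; done
```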

https://bugs.launchpad.net/bugs/1898038

Title:
  docker-support/multipass-support broken with system apparmor3 (20.10)
