docker-support/multipass-support broken with system apparmor3 (20.10)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
docker | Fix Released | Unknown | |
snapd | Fix Released | Critical | Alex Murray |
snapd (Ubuntu) | Fix Released | Critical | Unassigned |
Bug Description
The docker-support and multipass-support interfaces allow access to /sbin/apparmor_
/sbin/apparmor_
/etc/apparmor* comes from the host, which on groovy has apparmor3.
Snaps using docker-support and multipass-support are completely broken on groovy when using core and core18. On core20, policy loads with warnings.
A transparent solution is to ship /etc/apparmor and /etc/apparmor.d in the base snaps, and bind mount these into place (e.g., via snap-confine or snap-update-ns).
Snaps can work around this themselves with layouts (while we should not force this on publishers, this could be done to unbreak a snap before the fix is in place).
Note, there are plans to vendor apparmor3 into snapd for cross-distro support and that will happen in the 21.04 cycle. However, that doesn't fix snaps that plug docker-support and multipass-support and load their own policy.
# core
$ cat /tmp/core.profile
#include <tunables/global>
profile test-core-profile {
#include <abstractions/base>
}
$ sudo /snap/core/
/snap/core/
AppArmor parser error for /tmp/core.profile in /etc/apparmor.
[1]
$ sudo aa-status | grep test-core
[1]
# core18
$ cat /tmp/core18.profile
#include <tunables/global>
profile test-core18-parser {
#include <abstractions/base>
}
$ sudo /snap/core18/
/snap/core18/
AppArmor parser error for /tmp/core18.profile in /etc/apparmor.
[1]
$ sudo aa-status | grep test-core18
[1]
# core20
$ cat /tmp/core20.profile
#include <tunables/global>
profile test-core20-parser {
#include <abstractions/base>
}
$ sudo /snap/core20/
/snap/core20/
Warning from /tmp/core20.profile (/etc/apparmor.
$ sudo aa-status | grep test-core20
test-
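The layout workaround mentioned in the description, as an added snapcraft.yaml fragment that is not from the bug report or from snapd: a core18-based snap that plugs docker-support stages the distro apparmor package so it carries its own /etc/apparmor and /etc/apparmor.d, then binds those over the host paths so the base snap's apparmor_parser never reads the host's apparmor3 configuration. The snap name, part name and command are hypothetical, and it assumes the snap is built on the same Ubuntu release as its base so the staged files match the base's parser.

```yaml
# Added example (not from the bug report): snapcraft.yaml fragment showing the
# layout workaround for a snap that plugs docker-support and loads its own policy.
# Assumed: built on the same Ubuntu release as the base, so the staged apparmor
# package matches the apparmor_parser shipped in the base snap.
name: example-docker-consumer   # hypothetical snap name
base: core18
confinement: strict

parts:
  apparmor-config:
    plugin: nil
    # Stage the distro's apparmor package so the snap ships its own
    # /etc/apparmor/parser.conf and /etc/apparmor.d/{abstractions,tunables}
    # (assumption: these paths are provided by that package and survive staging).
    stage-packages:
      - apparmor
    prime:
      - etc/apparmor
      - etc/apparmor.d

# The workaround itself: inside the snap's mount namespace, the snap's copies
# are bind mounted over the host directories, so apparmor_parser from the
# base snap parses its own version's includes instead of the host's apparmor3 ones.
layout:
  /etc/apparmor:
    bind: $SNAP/etc/apparmor
  /etc/apparmor.d:
    bind: $SNAP/etc/apparmor.d

apps:
  daemon:
    command: bin/run-daemon   # hypothetical command that loads AppArmor policy
    daemon: simple
    plugs:
      - docker-support
```

Once the snapd fix from this bug is released the base snap supplies these files itself, so the layout is only needed on snapd versions that predate it.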
Changed in snapd:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Alex Murray (alexmurray)
Changed in snapd (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
milestone: none → ubuntu-20.10
description: updated
description: updated
Changed in docker:
status: Unknown → New
Changed in snapd:
status: In Progress → Fix Released
Changed in docker:
status: New → Fix Released
We could use snap-update-ns to hide the host's /etc if those specific interfaces are connected. We could then present the relevant file from the base snap.