snaps with classic + jailmode confinement started to fail on zesty

This appears related to the recent zesty kernel update. If I use a xenial VM and update to the zesty kernel, I can reproduce. Eg:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

$ cat /proc/version_signature
Ubuntu 4.4.0-62.83-generic 4.4.40

$ sudo snap install --jailmode --classic python0
python0 0.9.1 from 'zygoon' installed

$ python0
>>> ctrl-D # it worked

Now install the zesty kernel and reboot:

$ cat /proc/version_signature
Ubuntu 4.10.0-8.10-generic 4.10.0-rc8

$ python0
/snap/python0/2/usr/bin/python0: error while loading shared libraries: libm.so.6: failed to map segment from shared object

with this denial:
apparmor="DENIED" operation="file_mmap" profile="snap.python0.python0" name="/snap/core/x1/lib/x86_64-linux-gnu/libm-2.23.so" pid=1299 comm="python0" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

While '--classic' with '--jailmode' is a bit of a corner case, the change in mediation needs to be looked at.

Looking at the policy, we see this:

  # Read-only access to the core snap.
  @{INSTALL_DIR}/core/** r,

If we add this rule to classicJailmodeSnippet in interfaces/apparmor/template.go it works:

  @{INSTALL_DIR}/core/*/{,usr/}lib/@{multiarch}/{,**/}lib*.so* m,

This rule is fine to add to there, but it's a curious difference of behavior between 4.4 and 4.10. @jjohansen, can you comment?

AppArmor wise the zesty kernel has a set of fixes on that have not been released yet for xenial, or yakkety. However I wouldn't expect that set of patches to result in a change around file_mmap (at least not directly).

We could try a xenial kernel with the set of patches on it that are in zesty
http://people.canonical.com/~jj/linux+jj/

and I can try bisecting zesty to identify what is causing this change

@John -- i have accepted the same snapd into yakkety to allow some comparative testing.

I'll right I have chased this down

It is being caused by
a7409fe3 UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check

it appears that bug could also affect mmap checks on certain files.

The patch is correct and the enforcement must remain. This means the template needs to be updated as suggested.

Thank you for confirming this. I will make it happen.

Note: this same fix will be landing in xenial, yakkety, and trusty-hwe kernels. So the template will need to be updated everywhere.

The template change can land before the kernel change lands as it won't break policy on old kernels.

This is fixed by https://github.com/snapcore/snapd/pull/2935 (2.22) and https://github.com/snapcore/snapd/pull/2936 (master)

This was released in snapd 2.22.7 although only for new installs. Fix for existing installation will come in a 2.2x release (either 23 or 24)

We need to Breaks: snapd (<< 2.23.1~) to ensure this is upgraded before the new breaking kernels can hit.

This fix breaks Ubuntu 16.04: update-manager did a partial update. It elected to keep snapd (2.22.6) and remove linux-generic and linux-image-generic. This plus a kernel update (4.4.0.67), I ended up with kernel 4.4.0.67 without linux-image-extras of the same version. After reboot, no network, no sound, and so on.

@Denis -- your issue was caused by an attempt to back out the snapd update to 2.23.1 in the archive without also backing out the linux updates that depended on it. These have now been rolled back also pending a fix for the underlying issue (a dpkg bug trigging upgrade failures).

This bug was fixed in the package linux - 4.4.0-70.91

---------------
linux (4.4.0-70.91) xenial; urgency=low

  * linux: 4.4.0-70.91 -proposed tracker (LP: #1674938)

  * snaps with classic + jailmode confinement started to fail on zesty
    (LP: #1666897)
    - Revert "UBUNTU: SAUCE: apparmor: fix link auditing failure due to,
      uninitialized var"
    - Revert "UBUNTU: SAUCE: fix regression with domain change in complain mode"
    - Revert "UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on
      cache check"
    - Revert "UBUNTU: SAUCE: apparmor: null profiles should inherit parent control
      flags"
    - Revert "UBUNTU: SAUCE: apparmor: fix ns ref count link when removing
      profiles from policy"
    - Revert "UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec
      when using stacked namespaces"
    - Revert "UBUNTU: SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup
      fails"
    - Revert "UBUNTU: SAUCE: apparmor: Don't audit denied access of special
      apparmor .null file"
    - Revert "UBUNTU: SAUCE: apparmor: fix label leak when new label is unused"
    - Revert "UBUNTU: SAUCE: apparmor: fix reference count bug in
      label_merge_insert()"
    - Revert "UBUNTU: SAUCE: apparmor: fix replacement race in reading rawdata"
    - Revert "UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets"

 -- Stefan Bader <email address hidden> Wed, 22 Mar 2017 09:28:43 +0100

This bug was fixed in the package linux - 4.8.0-44.47

---------------
linux (4.8.0-44.47) yakkety; urgency=low

  * linux: 4.8.0-44.47 -proposed tracker (LP: #1674986)

  * snaps with classic + jailmode confinement started to fail on zesty
    (LP: #1666897)
    - Revert "UBUNTU: SAUCE: apparmor: fix link auditing failure due to,
      uninitialized var"
    - Revert "UBUNTU: SAUCE: fix regression with domain change in complain mode"
    - Revert "UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on
      cache check"
    - Revert "UBUNTU: SAUCE: apparmor: null profiles should inherit parent control
      flags"
    - Revert "UBUNTU: SAUCE: apparmor: fix ns ref count link when removing
      profiles from policy"
    - Revert "UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec
      when using stacked namespaces"
    - Revert "UBUNTU: SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup
      fails"
    - Revert "UBUNTU: SAUCE: apparmor: Don't audit denied access of special
      apparmor .null file"
    - Revert "UBUNTU: SAUCE: apparmor: fix label leak when new label is unused"
    - Revert "UBUNTU: SAUCE: apparmor: fix reference count bug in
      label_merge_insert()"
    - Revert "UBUNTU: SAUCE: apparmor: fix replacement race in reading rawdata"
    - Revert "UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets"

linux (4.8.0-42.45) yakkety; urgency=low

  * linux: 4.8.0-42.45 -proposed tracker (LP: #1671176)

  * Regression in 4.4.0-65-generic causes very frequent system crashes
    (LP: #1669611)
    - Revert "UBUNTU: SAUCE: apparmor: fix lock ordering for mkdir"
    - Revert "UBUNTU: SAUCE: apparmor: fix leak on securityfs pin count"
    - Revert "UBUNTU: SAUCE: apparmor: fix reference count leak when
      securityfs_setup_d_inode() fails"
    - Revert "UBUNTU: SAUCE: apparmor: fix not handling error case when
      securityfs_pin_fs() fails"

  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * shaking screen (LP: #1651981)
    - drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
    - powerpc/mm: Fix no execute fault handling on pre-POWER5
    - powerpc/mm: Fix spurrious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: s...