Snapctl permission denied with latest edge core update

snapctl moved from /usr/bin to /usr/lib/snapd/ recently … apparmor profiles were updated for this …

but after an ubuntu core image running the edge channel updated the core snap, all of a sudden i see snapctl permission denied errors when calling any configure hooks …

checking the apparmor profile of the respective app shows:

# snapctl and its requirements
/usr/bin/snapctl ixr,
/usr/lib/snapd/snapctl ixr,

and calling apparmor_parser -r on this profile file, makes the configure hook work again …

after a reboot the problem is back.

@zyga-snapd nailed it down to the apparmor cache having a wrong timestamp …

there is an issue between our fixrtc script that sets the clock to the last mount time and the snapd shutdown helper that shuts down the system in a way that the superblock of /writable does not get updated (which indeed makes the filesystem not update last mount time and last write time).

I independently posted the details on the thread about apparmor cache bugs that is really the same thing: Apparmor profile caching

CC @mvo this is a release blocker or configure scripts on pi* will all explode on next stable release. Let’s discuss tomorrow.

This affects any upgrade from an older version to the one that moved the snapctl binary around.

You could unblock the release by simply putting snapctl back where it was, and then fix the time issue in a future update.
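
A diagnostic sketch for the stale-cache condition discussed in this thread, added here as an example and not taken from any of the posts or from snapd. It assumes a simplified model in which a cached profile is reused whenever its mtime is newer than the source profile's, and a cache directory holding one file per profile under the same file name; `classify_cache` and `audit_cache` are hypothetical names, and both directories are passed as arguments.

```shell
#!/bin/sh
# Added example: flag AppArmor cache entries whose timestamps cannot be
# trusted because the system clock has gone backwards.
# Assumed model: the cache is reused when cache mtime > profile mtime.
# Requires GNU stat (stat -c %Y prints mtime as epoch seconds).

# classify_cache PROFILE CACHE NOW_EPOCH
# Prints one of:
#   missing     no cache entry, the profile would be compiled
#   clock-skew  a timestamp lies in the future relative to NOW_EPOCH, so
#               "cache newer than profile" says nothing about freshness
#   cache-used  cache is newer than the profile and would be reused
#   recompiled  profile is as new or newer than the cache
classify_cache() {
    profile=$1; cache=$2; now=$3
    [ -e "$cache" ] || { echo missing; return 0; }
    p=$(stat -c %Y "$profile")
    c=$(stat -c %Y "$cache")
    if [ "$c" -gt "$now" ] || [ "$p" -gt "$now" ]; then
        echo clock-skew
    elif [ "$c" -gt "$p" ]; then
        echo cache-used
    else
        echo recompiled
    fi
}

# audit_cache PROFILES_DIR CACHE_DIR [NOW_EPOCH]
# Prints "<state> <profile name>" for every regular file in PROFILES_DIR.
audit_cache() {
    profiles_dir=$1; cache_dir=$2; now=${3:-$(date +%s)}
    for profile in "$profiles_dir"/*; do
        [ -f "$profile" ] || continue
        name=$(basename "$profile")
        state=$(classify_cache "$profile" "$cache_dir/$name" "$now")
        printf '%s %s\n' "$state" "$name"
    done
}

# Run as a script: sh audit.sh <profiles-dir> <cache-dir>
if [ "$#" -ge 2 ]; then
    audit_cache "$@"
fi
```

Any `clock-skew` line means the clock was set to a point earlier than the last cache write, so a profile rewritten after that point can still look older than its outdated cache entry.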