Snapd Update: Changes to mount behavior in snaps due to security fix

Dear Snapd Community,

We want to inform you about a significant change in the mount behaviour of snaps due to an AppArmor security update included in snapd version 2.65 onwards.


Action Required

We recommend testing all snaps that use the mount-control interface with snapd version 2.66.1, which is available in the candidate channel. This snapd version is expected to move to the stable channel by 29 November.


Problem

mount-control plug definitions containing combinations of mutually exclusive options such as rw|ro or sync|async will now result in an interface connection error, typically containing the text “conflicting flag values …”. This has always been the intended behaviour, but these flags are now being enforced as part of the security update.

Example of an incorrect plug definition:

sd-mount-control:
    interface: mount-control
    mount:
      - what: /dev/mmcblk1p3
        where: $SNAP_COMMON/sd
        type: [fat]
        options: [ro, rw, nosuid, noexec]

List of mutually exclusive option pairs:

  • ro rw
  • suid nosuid
  • dev nodev
  • exec noexec
  • sync async
  • mand nomand
  • atime noatime
  • diratime nodiratime
  • silent loud
  • acl noacl
  • relatime norelatime
  • iversion noiversion
  • user nouser

Updating Plug Definitions

For the identified snaps, please create separate mount entries for mutually exclusive options such as rw|ro and sync|async, one entry per flag.

Example of corrected plug declaration:

sd-mount-control:
    interface: mount-control
    mount:
      - what: /dev/mmcblk1p3
        where: $SNAP_COMMON/sd
        type: [fat]
        options: [ro, nosuid, noexec]
      - what: /dev/mmcblk1p3
        where: $SNAP_COMMON/sd
        type: [fat]
        options: [rw, nosuid, noexec]
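As an added example (not part of this announcement and not snapd's own code), the following Python pre-flight check scans a mount-control plug, given in the form a YAML loader returns for the snippets above, for the option pairs listed in the Problem section, and splits a conflicting entry into separate entries the same way the corrected declaration does. The plug structure below is constructed from the incorrect example above.

```python
import itertools

# Mutually exclusive mount option pairs, as listed in the announcement.
EXCLUSIVE_PAIRS = [
    ("ro", "rw"), ("suid", "nosuid"), ("dev", "nodev"), ("exec", "noexec"),
    ("sync", "async"), ("mand", "nomand"), ("atime", "noatime"),
    ("diratime", "nodiratime"), ("silent", "loud"), ("acl", "noacl"),
    ("relatime", "norelatime"), ("iversion", "noiversion"), ("user", "nouser"),
]

# Constructed input: the incorrect plug from the announcement, in the form a
# YAML loader (e.g. yaml.safe_load) returns for that snapcraft.yaml snippet.
BAD_PLUG = {
    "interface": "mount-control",
    "mount": [{"what": "/dev/mmcblk1p3", "where": "$SNAP_COMMON/sd",
               "type": ["fat"], "options": ["ro", "rw", "nosuid", "noexec"]}],
}

def find_conflicts(options):
    """Return every exclusive pair of which both flags appear in `options`."""
    present = set(options)
    return [pair for pair in EXCLUSIVE_PAIRS if present.issuperset(pair)]

def check_plug(plug):
    """Return (mount entry index, conflicting pair) for each conflict found.
    An empty list means the plug's flags pass the snapd 2.66 conflict check."""
    problems = []
    for idx, entry in enumerate(plug.get("mount", [])):
        for pair in find_conflicts(entry.get("options", [])):
            problems.append((idx, pair))
    return problems

def split_conflicts(plug):
    """Rewrite the plug so each conflicting entry becomes one entry per
    combination of its exclusive flags (ro/rw -> two entries), keeping the
    other options and their order, as in the corrected declaration."""
    new_entries = []
    for entry in plug.get("mount", []):
        options = list(entry.get("options", []))
        conflicts = find_conflicts(options)
        if not conflicts:
            new_entries.append(entry)
            continue
        conflicting = {flag for pair in conflicts for flag in pair}
        for choice in itertools.product(*conflicts):
            keep = set(choice)
            opts = [o for o in options if o not in conflicting or o in keep]
            new_entries.append({**entry, "options": opts})
    return {**plug, "mount": new_entries}
```

Running `check_plug` on every mount-control plug in a snapcraft.yaml before building catches the "conflicting flag values" rejection locally instead of at connection time; `split_conflicts` also handles entries with more than one conflicting pair by emitting one entry per combination.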

If you have any questions, please feel free to reach out.

Best regards,

The Snapd Team