Dear Snapd Community,
We want to inform you about a significant change in the mount behaviour of snaps due to an AppArmor security update included in snapd from version 2.65 onwards.
Action Required
We recommend testing all snaps that use the mount-control interface with snapd version 2.66.1, which is available in the candidate channel. This snapd version is expected to move to stable by 29 November.
Problem
Mount control plug definitions containing combinations of mutually exclusive options like rw|ro or sync|async will now result in an interface connection error, typically containing the text: “conflicting flag values …”. This has always been the intended behaviour, but these flags are now being enforced as part of the security update.
Example of an incorrect plug definition:
sd-mount-control:
  interface: mount-control
  mount:
    - what: /dev/mmcblk1p3
      where: $SNAP_COMMON/sd
      type: [fat]
      options: [ro, rw, nosuid, noexec]
List of mutually exclusive option pairs:
- ro rw
- suid nosuid
- dev nodev
- exec noexec
- sync async
- mand nomand
- atime noatime
- diratime nodiratime
- silent loud
- acl noacl
- relatime norelatime
- iversion noiversion
- user nouser
Updating Plug Definitions
For the identified snaps, please create separate entries for mutually exclusive options such as rw|ro and sync|async.
Example of corrected plug declaration:
sd-mount-control:
  interface: mount-control
  mount:
    - what: /dev/mmcblk1p3
      where: $SNAP_COMMON/sd
      type: [fat]
      options: [ro, nosuid, noexec]
    - what: /dev/mmcblk1p3
      where: $SNAP_COMMON/sd
      type: [fat]
      options: [rw, nosuid, noexec]
If you have any questions, please feel free to reach out.
Best regards,
The Snapd Team
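
The following is an added example, not code from snapd or the snapd team: a small Python check that finds mutually exclusive option pairs in a mount entry and splits the entry into separate ones, as the announcement asks. The function names `find_conflicts` and `split_entry` are hypothetical, and the mount entry is given as a Python dict (constructed from the incorrect example above) rather than parsed from a snap.yaml file.

```python
from itertools import product

# Mutually exclusive pairs, copied from the list in this announcement.
EXCLUSIVE_PAIRS = [
    ("ro", "rw"), ("suid", "nosuid"), ("dev", "nodev"), ("exec", "noexec"),
    ("sync", "async"), ("mand", "nomand"), ("atime", "noatime"),
    ("diratime", "nodiratime"), ("silent", "loud"), ("acl", "noacl"),
    ("relatime", "norelatime"), ("iversion", "noiversion"), ("user", "nouser"),
]


def find_conflicts(options):
    """Return every exclusive pair that has both members in `options`."""
    present = set(options)
    return [pair for pair in EXCLUSIVE_PAIRS if set(pair) <= present]


def split_entry(entry):
    """Expand one mount entry into entries that each hold a single member
    of every conflicting pair, keeping the other options in order."""
    options = entry.get("options", [])
    conflicts = find_conflicts(options)
    if not conflicts:
        return [entry]
    conflicting = {opt for pair in conflicts for opt in pair}
    result = []
    for choice in product(*conflicts):
        chosen = set(choice)
        opts = [o for o in options if o not in conflicting or o in chosen]
        result.append({**entry, "options": opts})
    return result


# Constructed sample: the incorrect entry from the announcement, as a dict.
BAD_ENTRY = {
    "what": "/dev/mmcblk1p3",
    "where": "$SNAP_COMMON/sd",
    "type": ["fat"],
    "options": ["ro", "rw", "nosuid", "noexec"],
}

if __name__ == "__main__":
    print("conflicts:", find_conflicts(BAD_ENTRY["options"]))
    for fixed in split_entry(BAD_ENTRY):
        print(fixed)
```

An entry with several conflicting pairs expands to every combination, so keep only the generated entries the snap actually needs in the plug definition.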