fix mount regression in 3.1.5
Mount has regressed in two ways. That are affecting snapd confinement, since landing the mount fixes for CVE-2016-1585 in 3.1.4 and the fix for the mount change type regression in 3.1.5
Bug Reports:
https://bugs.launchpad.net/apparmor/+bug/2023814
https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
Issue 1: Denial of Mount
[ 808.531909] audit: type=1400 audit(1686759578.010:158): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.test-snapd-lp-1803535" name="/tmp/.snap/etc/" pid=14529 comm="5" srcname="/etc/" flags="rw, rbind"when the profile contains a rule that should match
mount options=(rw, rbind) "/etc/" -> "/tmp/.snap/etc/",Issue 2: change_type failure. Denial of Mount in log
type=AVC msg=audit(1686977968.399:763): apparmor="DENIED" operation="mount" class="mount" info="failed flags match" error=-13 profile="snap-update-ns.authy" name="/var/cache/fontconfig/" pid=26702 comm="5" srcname="/var/lib/snapd/hostfs/var/cache/fontconfig/" flags="rw, bind"
...snapd error
- Run configure hook of "chromium" snap if present (run hook "configure":
-----
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/doc /usr/share/doc none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): permission denied
update.go:85: cannot change mount namespace according to change mount (/var/snap/cups/common/run /var/cups none bind,rw 0 0): permission denied
cannot update snap namespace: cannot create writable mimic over "/snap/chromium/2475": permission denied
snap-update-ns failed with code 1and NO mount rules in the profiles.