On Tue, 2016-10-25 at 08:24 +0200, Didier Roche wrote:
> On 24/10/2016 at 21:52, Dan Kegel wrote:
> >
> > I'm trying to snap a largish package; works fine in devmode,
> > but as the app likes to use unix sockets and fifos, it fails in
> > confined mode with
> >
> > $ sudo /snap/bin/snappy-debug.security scanlog
> > = AppArmor =
> > Time: Oct 24 11:41:09
> > Log: apparmor="DENIED" operation="sendmsg" profile="snap.foo" pid=8536
> > comm="foo" family="unix" sock_type="dgram" protocol=0
> > requested_mask="send" denied_mask="send" addr=none
> > peer_addr="@6E76696469613561653734343766000000000000000000000000000000000000
> > 00000000000000000000000000000000000000000000000000000000000000"
> > peer="unconfined"
> >
> > = Seccomp =
> > Time: Oct 24 11:41:09
> > Log: auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=8536
> > comm="foo" exe="/snap/foo/x7/bin/foo" sig=31 arch=c000003e 133(mknod)
> > compat=0 ip=0x7f17f6fb542d code=0x0
> > Syscall: mknod
> >
> > Any suggestions (other than 'don't do that')?
> Unix sockets are definitively possible. I'm using sockets based on unix
> files for some of my project and write them to $SNAP_DATA (for daemons,
> the daemon creating the socket) and it works well. You may want to try this?
>
Instead of using an abstract or anonymous socket, use a named socket and put
it in SNAP_DATA and you won't get the apparmor denial. It's planned to allow
applications to create abstract sockets for intra-snap communication, but it
hasn't landed yet.

> On mknod, I don't know if we have any plan for enabling this in some
> ways. CCing Jamie for this.
>
mknod is intentionally and explicitly denied. It is planned to allow snaps
via seccomp arg filtering policy the ability to create S_IFIFO and S_IFREG
files (ie, pipes and regular files, but not character and block devices),
but it hasn't landed yet.

> >
> > I imagine there's a way to configure both apparmor and seccomp for
> > snaps, but haven't found it yet.
> > https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
> > has some clues
> > http://askubuntu.com/questions/796809/add-custom-apparmor-rules-to-snap
> > seems on topic
> > Should I be looking at the snapd source? (I see there's an apparmor
> > interface, but maybe that's internal only...)
> >
> I don't think we want snaps to ship their own configuration. It's better
> to collaborate on a snapd interface that can be reused between snaps,
> rather than letting any snap define its own confinement rules (or said
> differently, the confinement may be useless if we allow this).
>
> Cheers,
> Didier
>
--
Jamie Strandboge | http://www.canonical.com
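The workaround suggested in this thread (bind a filesystem-backed Unix socket under $SNAP_DATA instead of an abstract one) as a small added example. This is not code from the thread or from snapd; it assumes a socket file name of foo.sock, falls back to a temporary directory when $SNAP_DATA is unset so it can run outside a snap, and includes a helper that flags the abstract-namespace convention (leading NUL byte, shown as "@" in AppArmor logs) so a developer can audit which of their bind addresses would trip the denial above.

```python
import os
import socket
import tempfile


def socket_dir() -> str:
    """Directory for the named socket.

    Inside a snap this is $SNAP_DATA, as recommended in the thread. The
    temporary-directory fallback is an assumption made for this example so
    it runs outside snap confinement; it is not snapd behaviour.
    """
    snap_data = os.environ.get("SNAP_DATA")
    if snap_data and os.path.isdir(snap_data):
        return snap_data
    return tempfile.mkdtemp(prefix="named-sock-")


def is_abstract_name(addr: str) -> bool:
    """True if addr lives in the Linux abstract socket namespace.

    Abstract names start with a NUL byte; AppArmor renders them with a
    leading "@" (as in the peer_addr of the denial quoted in the thread).
    Filesystem paths never start with NUL and are what a snap should use.
    """
    return addr.startswith("\0")


def named_dgram_roundtrip(sock_dir: str, payload: bytes) -> bytes:
    """Bind an AF_UNIX datagram socket at sock_dir/foo.sock, send one
    datagram to it from a second socket, and return what the server read.

    The socket file is mode 0600 so only the snap's own user can talk to it,
    and it is removed on exit so a stale file does not block the next bind.
    """
    path = os.path.join(sock_dir, "foo.sock")  # hypothetical name for this example
    if os.path.exists(path):
        os.unlink(path)  # stale socket file from a previous run
    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        server.bind(path)          # filesystem-backed, not abstract
        os.chmod(path, 0o600)
        server.settimeout(2.0)
        client.sendto(payload, path)
        data, _peer = server.recvfrom(4096)
        return data
    finally:
        client.close()
        server.close()
        if os.path.exists(path):
            os.unlink(path)


if __name__ == "__main__":
    d = socket_dir()
    print("socket dir:", d)
    print("roundtrip:", named_dgram_roundtrip(d, b"hello from client"))
    print("abstract? ", is_abstract_name("\0foo-internal"))
```

Under strict confinement the same bind() on an abstract name ("\0foo-internal") would produce the apparmor="DENIED" sendmsg entry quoted above; the named-socket variant binds a path the snap's own AppArmor profile already allows it to write.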
-- Snapcraft mailing list Snapcraft@lists.snapcraft.io Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft