Re: Provisional snap for DUB (D language package/build manager)

Tue, 01 Nov 2016 14:44:21 -0700 


El 01/11/16 a las 23:31, Joseph Rushton Wakeling escribió:

On 27/10/16 22:13, Joseph Rushton Wakeling wrote:

On 27/10/16 08:37, Didier Roche wrote:

I would look at /var/log/syslogs. Apparmor and seccomp denials are
listed there. Note that if you didn't already, you should really start
developping your snap in devmode. That way, it will get confinment out
of the equasion to get your relocatable code and dependencies working.
Then, we can turn on confinement and figure out those issues to be able
to publish in the stable channel.



Yea, I probably should have started with devmode.  Thanks for the 
advice about

syslogs; I'll check it out and see what I can find.



OK, so it looks like apparmor was indeed responsible.  The loglines in 
question:



Oct 30 17:50:50 computername kernel: [ 9532.992875] audit: type=1400 
audit(1477846250.853:43): apparmor="DENIED" operation="link" 
profile="snap.dub.dub" 
name="/home/username/code/D/dgraph/build/dgraph_graphtest" pid=22464 
comm="dub" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 
target="/home/username/code/D/dgraph/.dub/build/application-debug-linux.posix-x86_64-ldc_0-B7AFC7F4AA486AA98C5445F91F5653DB/dgraph_graphtest"
Oct 30 17:50:50 computername kernel: [ 9533.035303] audit: type=1326 
audit(1477846250.897:44): auid=4294967295 uid=1000 gid=1000 
ses=4294967295 pid=22464 comm="dub" exe="/snap/dub/x1/bin/dub" sig=31 
arch=c000003e syscall=92 compat=0 ip=0x7f9b72d13717 code=0x0



I'm not experienced with apparmor, so could someone explain exactly 
what this means?  (I get the general idea, but the specifics would be 
useful to understand precisely.)



If this is x86_64, everything is aligned with the world, syscall 92 is 
chown. A useful tool here can help you out, and luckily there is one, 
run `snap install snappy-debug` and it will do some nice things to 
figure out what is going on wth these apparmor and seccomp blockers.





In particular, is there an obvious reason why this might be showing up 
with the dub snap, when the earlier ldc2 snap didn't have this 
problem?  I would guess because the ldc2 instance used by the 
snap-packaged dub is internal to the snap and does not benefit from 
the home-directory interface that dub itself gets?

It seems to be just a dub problem.




Setting the containment to devmode removes the problem, but it would 
be nice to be able to have strict confinement earlier rather than later.



If this is the problem and you can patch the software then removing the 
chown could work, I am CCing Jamie for other ideas that could come up.


--
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/snapcraft






















					Reply via email to