[Bug 1849753] [NEW] AppArmor profile prohibits classic snap from inheriting file descriptors

Thu, 24 Oct 2019 18:42:06 -0700 

Public bug reported:

For example, with the ‘node’ classic snap:

$ touch /tmp/test.js
$ /snap/bin/node
Welcome to Node.js v12.13.0.
Type ".help" for more information.
> fd = fs.openSync("/tmp/test.js")
21
> child_process.execFileSync('/snap/bin/node', {stdio: [fd, 'inherit', 
> 'inherit']})
events.js:187
      throw er; // Unhandled 'error' event
      ^

Error: EACCES: permission denied, read
Emitted 'error' event on ReadStream instance at:
    at internal/fs/streams.js:167:12
    at FSReqCallback.wrapper [as oncomplete] (fs.js:470:5) {
  errno: -13,
  code: 'EACCES',
  syscall: 'read'
}
Thrown:
Error: Command failed: /snap/bin/node
    at checkExecSyncError (child_process.js:621:11)
    at Object.execFileSync (child_process.js:639:15) {
  status: 1,
  signal: null,
  output: [ null, null, null ],
  pid: 30020,
  stdout: null,
  stderr: null
}
> .exit
$ dmesg
…
[69583.236304] audit: type=1400 audit(1571966467.652:672): apparmor="DENIED" 
operation="file_inherit" profile="/snap/snapd/4992/usr/lib/snapd/snap-confine" 
name="/tmp/test.js" pid=30020 comm="snap-confine" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=1000

This breaks all sorts of things.  I ran into this when trying to use
prettier-emacs with the ‘emacs’ and ‘node’ classic snaps.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: snapd 2.41+19.10.1
ProcVersionSignature: Ubuntu 5.3.0-19.20-lowlatency 5.3.1
Uname: Linux 5.3.0-19-lowlatency x86_64
NonfreeKernelModules: openafs
ApportVersion: 2.20.11-0ubuntu9
Architecture: amd64
CurrentDesktop: GNOME
Date: Thu Oct 24 18:07:19 2019
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-02-19 (1343 days ago)
InstallationMedia: Ubuntu-GNOME 16.04 LTS "Xenial Xerus" - Alpha amd64 
(20160218)
SourcePackage: snapd
UpgradeStatus: Upgraded to focal on 2019-06-23 (123 days ago)

** Affects: snapd (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug focal wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1849753

Title:
  AppArmor profile prohibits classic snap from inheriting file
  descriptors

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1849753/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to