SNAP_USER_COMMON

Kyle Fazzari kyle.fazzari at canonical.com
Tue Aug 2 22:38:55 UTC 2016


On 08/02/2016 07:22 AM, Jamie Strandboge wrote:
> On Tue, 2016-08-02 at 09:04 +0200, Didier Roche wrote:
>> On 02/08/2016 at 08:12, Vasilisc wrote:
>>> 02.08.2016 09:00, Didier Roche wrote:
>>>> On 02/08/2016 at 07:45, Vasilisc wrote:
>>>>>
>>>>> test snap raise error
>>>>> -------------------------
>>>>> echo "Writing to $SNAP_USER_COMMON"
>>>>> mkdir -p $SNAP_USER_COMMON/platform
>>>>> echo "hello common" > $SNAP_USER_COMMON/common.txt
>>>>> --------------
>>>>> grep -F audit syslog
>>>>>
>>>>> Aug  2 08:34:16 vb kernel: [ 2622.276193] audit: type=1400
>>>>> audit(1470116056.762:34): apparmor="ALLOWED" operation="mkdir"
>>>>> profile="snap.test2.test2" name="/home/vasilisc/snap/test2/common/"
>>>>> pid=4971 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=1000
>>>>> ouid=1000
>>>> Hey Vasilisc,
>>>>
>>>> where do you see an error in the above trace? AppArmor says "ALLOWED",
>>>> so the mkdir call wasn't blocked and worked as expected, or did you notice
>>>> not having this directory and file created after those calls?
>>>>
>>>> Didier
>>>>
>>> Code
>>> echo "Writing to $SNAP_USER_COMMON"
>>> mkdir -p $SNAP_USER_COMMON
>>> --------------------
>>>
>>> Aug  2 09:08:42 vb kernel: [ 4688.252234] audit: type=1400
>>> audit(1470118122.727:44): apparmor="DENIED" operation="mkdir"
>>> profile="snap.test2.test2" name="/home/vasilisc/snap/test2/common/"
>>> pid=5802 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=1000
>>> ouid=1000
>>>
>> Mind opening a bug against snappy on launchpad with your snapcraft.yaml,
>> shell script and this output? I think the apparmor profile may need to
>> be adjusted to write to $SNAP_USER_COMMON.
> Please file a bug, yes, but the bug is that 'snap run' is not creating the
> directory. The snap should not be expected to have to do this. The regression
> looks to have been introduced in https://github.com/snapcore/snapd/pull/1293 or
> perhaps you are using an old version of snapd and a new version of snap-confine? 
> Regardless, please file a bug.
>
> Thanks!
`snap run` does indeed have code to do this, but it doesn't seem that a
version of snapd actually utilizing `snap run` has been released yet.
It's my understanding that the version of snapd that would be using
`snap run` would also be accompanied by the files within /snap/bin/
being symlinks instead of scripts, which isn't yet merged[1]. Of course,
I may be wrong. Right now the /snap/bin/foo files are still scripts that
shell out to ubuntu-core-launcher, which unless someone else added it,
doesn't have code to do this. I didn't add it because I thought we'd
have snap run soon, but that seemed to be blocked on a stable OS snap.
Michael or Gustavo, do you have any more information on that? Should we
add this logic to u-c-l while we're waiting?

For more information, this test[2] reflects the current capabilities as
I understand them. Note that SNAP_USER_COMMON is not tested yet, as
`snap run` isn't used (thus the directories are not created).

[1]: https://github.com/snapcore/snapd/pull/1254
[2]: https://github.com/snapcore/snapd/blob/master/tests/main/writable-areas/task.yaml

-- 
Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
kyle at canonical.com
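
The two audit records quoted in this thread differ only in `apparmor="ALLOWED"` versus `apparmor="DENIED"`; AppArmor logs ALLOWED when a profile in complain mode lets through an access its policy would otherwise deny. The following is an added example, not part of the thread or of snapd: it parses such records and lists every `mkdir` on a snap's user common directory that the profile objected to. The function names are hypothetical, and the `/home/<user>/snap/<snap>/common` layout is taken from the log lines above.

```python
import re

# Audit records quoted in the thread, re-joined onto one line each.
SAMPLE_LOG = """\
Aug  2 08:34:16 vb kernel: [ 2622.276193] audit: type=1400 audit(1470116056.762:34): apparmor="ALLOWED" operation="mkdir" profile="snap.test2.test2" name="/home/vasilisc/snap/test2/common/" pid=4971 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Aug  2 09:08:42 vb kernel: [ 4688.252234] audit: type=1400 audit(1470118122.727:44): apparmor="DENIED" operation="mkdir" profile="snap.test2.test2" name="/home/vasilisc/snap/test2/common/" pid=5802 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bare_value pairs inside an audit record
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Path the thread's logs show for $SNAP_USER_COMMON (assumes homes under /home)
COMMON_DIR = re.compile(r'^/home/[^/]+/snap/([^/]+)/common/?$')
# ALLOWED = complain mode (logged, not blocked); DENIED = enforce mode (blocked)
MODE = {"ALLOWED": "complain", "DENIED": "enforce"}


def parse_record(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def missing_common_dir_events(log_text):
    """List mkdir attempts on a snap's user common dir that policy objected to."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("operation") != "mkdir":
            continue
        match = COMMON_DIR.match(rec.get("name", ""))
        mode = MODE.get(rec.get("apparmor"))
        if not match or mode is None or "c" not in rec.get("denied_mask", ""):
            continue
        snap = match.group(1)
        # Profiles in the thread are named snap.<snap>.<app>; skip mismatches.
        if rec.get("profile", "").split(".")[:2] != ["snap", snap]:
            continue
        events.append({"snap": snap, "profile": rec["profile"], "mode": mode,
                       "blocked": mode == "enforce", "pid": int(rec["pid"])})
    return events


if __name__ == "__main__":
    for event in missing_common_dir_events(SAMPLE_LOG):
        print(event)
```

Both records are reported: the first is the same policy violation as the second, only unenforced, which is why the directory appeared in one run and not the other.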

