Debugging `confinement: strict` issues

Reinhard Pointner reinhard.pointner at gmail.com
Tue Jun 7 15:27:58 UTC 2016


1.
Alright, home not working by default right now explains the first issue.

Here's the syslog. Makes sense:
audit[3155]: AVC apparmor="DENIED" operation="rename_src"
profile="snap.filebot.filebot" name="/home/reinhard/Documents/test.mp3"
pid=3155 comm="java" requested_mask="wrd" denied_mask="wrd" fsuid=1000
ouid=1000


2.
The network issue seems more intricate.

So here's the Java stack trace for a thread that deadlocks:
java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method)
java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:928)
java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1323)
java.net.InetAddress.getAllByName0(InetAddress.java:1276)
java.net.InetAddress.getAllByName(InetAddress.java:1192)
java.net.InetAddress.getAllByName(InetAddress.java:1126)
java.net.InetAddress.getByName(InetAddress.java:1076)
sun.net.www.protocol.http.HttpURLConnection$5.run(HttpURLConnection.java:959)

These snippets from the syslog might be relevant:

Fails to access some /proc stuff:
audit[3207]: AVC apparmor="DENIED" operation="open"
profile="snap.filebot.filebot" name="/proc/3206/net/if_inet6" pid=3207
comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit[3207]: AVC apparmor="DENIED" operation="open"
profile="snap.filebot.filebot" name="/proc/3206/net/ipv6_route" pid=3207
comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit[3207]: AVC apparmor="DENIED" operation="open"
profile="snap.filebot.filebot" name="/proc/3206/net/if_inet6" pid=3207
comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

No idea what this does:
audit: type=1326 audit(1465311994.620:61): auid=4294967295 uid=1000
gid=1000 ses=4294967295 pid=3233 comm="java"
exe="/snap/filebot/100001/oracle-java/jre/bin/java" sig=31 arch=c000003e
syscall=49 compat=0 ip=0x7f3a02393837 code=0x0

The Java stack trace says something about IPv4 but the syslog says things
about IPv6. This is a bit strange.

Cheers,
Reinhard


On 7 June 2016 at 23:01, Zygmunt Krynicki <zygmunt.krynicki at canonical.com>
wrote:

> You should see useful hints in the system log (use journalctl to see
> it). Most of the errors boil down to one of two cases: forbidden
> system call (the message will just contain the system call number
> along with some techno babble) and forbidden filesystem path (the
> message will indicate the path, the word DENIED and the operation that
> was requested but got denied).
>
> If you find those you know where to start. Please share your findings.
>
> Mounted network shares won't be visible AFAIR. Home will be
> auto-connected as of the next version but for now you need to connect
> it manually with "snap connect yoursnapname:home ubuntu-core:home".
>
> Best regards.
> ZK
>
> On Tue, Jun 7, 2016 at 4:56 PM, Reinhard Pointner
> <reinhard.pointner at gmail.com> wrote:
> > Hi all,
> >
> > Does anyone have any hints on how to debug issues that only happen in
> > non-devmode? Like logging when certain "interfaces" are used?
> >
> > I'm working on snapping a Java application, and I've got `plugs: [home,
> > network]` in my snapcraft.yaml but the app can't write any files in the
> > user home (home plug should give the app write access, right? Also, what
> > about network shares mounted by the user?). Also, when making HTTP
> > requests that thread will just deadlock (no exceptions, and timeouts not
> > respected, so I suspect lower level network API issues).
> >
> > Cheers,
> > Reinhard
> >
> >
> > --
> > Snapcraft mailing list
> > Snapcraft at lists.ubuntu.com
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/snapcraft
> >
>
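
An added example, not part of the original thread and not snapd code: a small Python triage script for the two denial types discussed above, AppArmor DENIED records and seccomp records (audit type 1326). The sample lines are the ones quoted in the message, re-joined onto single lines; the syscall table is a subset of the x86_64 numbering, and the function names are hypothetical.

```python
import re

# Subset of the x86_64 syscall table (socket-related calls only).
X86_64_SYSCALLS = {41: "socket", 42: "connect", 43: "accept", 44: "sendto",
                   45: "recvfrom", 46: "sendmsg", 47: "recvmsg",
                   48: "shutdown", 49: "bind", 50: "listen",
                   51: "getsockname", 52: "getpeername", 53: "socketpair",
                   54: "setsockopt", 55: "getsockopt"}
AUDIT_ARCH_X86_64 = "c000003e"
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def fields(line):
    """Return the key=value pairs of one audit line (quotes stripped)."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in KV.findall(line)}

def classify(line):
    """Map an audit line to ('apparmor' | 'seccomp', detail), else None."""
    f = fields(line)
    if f.get("apparmor") == "DENIED":       # forbidden filesystem path
        return ("apparmor", f"{f.get('profile')}: {f.get('operation')} "
                f"{f.get('name')} denied_mask={f.get('denied_mask')}")
    if f.get("type") == "1326":             # AUDIT_SECCOMP: forbidden syscall
        nr = int(f["syscall"])
        known = f.get("arch") == AUDIT_ARCH_X86_64
        name = X86_64_SYSCALLS.get(nr, "not in table") if known else "other arch"
        return ("seccomp",
                f"{f.get('comm')}: syscall {nr} ({name}) sig={f.get('sig')}")
    return None

# Lines from the message above, re-joined; the last one is constructed noise.
SAMPLE = [
    'audit[3155]: AVC apparmor="DENIED" operation="rename_src" profile="snap.filebot.filebot" name="/home/reinhard/Documents/test.mp3" pid=3155 comm="java" requested_mask="wrd" denied_mask="wrd" fsuid=1000 ouid=1000',
    'audit[3207]: AVC apparmor="DENIED" operation="open" profile="snap.filebot.filebot" name="/proc/3206/net/if_inet6" pid=3207 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'audit: type=1326 audit(1465311994.620:61): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=3233 comm="java" exe="/snap/filebot/100001/oracle-java/jre/bin/java" sig=31 arch=c000003e syscall=49 compat=0 ip=0x7f3a02393837 code=0x0',
    'systemd[1]: Started Session 2 of user reinhard.',
]

def triage(lines):
    """Return the classified denials, skipping unrelated log lines."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind:9} {detail}")
```

For the type=1326 record in the message, arch=c000003e is x86_64, where syscall 49 is bind, and sig=31 is SIGSYS.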