Debugging `confinement: strict` issues

Zygmunt Krynicki zygmunt.krynicki at canonical.com
Tue Jun 7 16:05:12 UTC 2016


On Tue, Jun 7, 2016 at 5:27 PM, Reinhard Pointner
<reinhard.pointner at gmail.com> wrote:
> 1.
> Alright, home not working by default right now explains the first issue.
>
> Here's the syslog. Makes sense:
> audit[3155]: AVC apparmor="DENIED" operation="rename_src"
> profile="snap.filebot.filebot" name="/home/reinhard/Documents/test.mp3"
> pid=3155 comm="java" requested_mask="wrd" denied_mask="wrd" fsuid=1000
> ouid=1000
>
>
> 2.
> The network issue seems more intricate.
>
> So here's the Java stack trace for a thread that deadlocks:
> java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method)
> java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:928)
> java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1323)
> java.net.InetAddress.getAllByName0(InetAddress.java:1276)
> java.net.InetAddress.getAllByName(InetAddress.java:1192)
> java.net.InetAddress.getAllByName(InetAddress.java:1126)
> java.net.InetAddress.getByName(InetAddress.java:1076)
> sun.net.www.protocol.http.HttpURLConnection$5.run(HttpURLConnection.java:959)
>
> These snippets from the syslog might be relevant:
>
> Fails to access some /proc stuff:
> audit[3207]: AVC apparmor="DENIED" operation="open"
> profile="snap.filebot.filebot" name="/proc/3206/net/if_inet6" pid=3207
> comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> audit[3207]: AVC apparmor="DENIED" operation="open"
> profile="snap.filebot.filebot" name="/proc/3206/net/ipv6_route" pid=3207
> comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> audit[3207]: AVC apparmor="DENIED" operation="open"
> profile="snap.filebot.filebot" name="/proc/3206/net/if_inet6" pid=3207
> comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Those will go away after you add the "network-bind" plug as instructed below.

> No idea what this does:
> audit: type=1326 audit(1465311994.620:61): auid=4294967295 uid=1000 gid=1000
> ses=4294967295 pid=3233 comm="java"
> exe="/snap/filebot/100001/oracle-java/jre/bin/java" sig=31 arch=c000003e
> syscall=49 compat=0 ip=0x7f3a02393837 code=0x0

This is syscall 49 -- aka bind, add the network-bind plug to your app
and you should be good to go.

After those two you should be good to go.

Best regards
ZK
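Added example, not part of the original message or of snapd: a small Python decoder for the two kinds of denial quoted in this thread, AppArmor `AVC` records and seccomp `type=1326` records. It resolves the syscall number for `arch=c000003e` (x86_64) and collapses repeated denials. The function names and the partial syscall table are assumptions made for illustration.

```python
import re

# Partial x86_64 syscall table; arch=c000003e in a record is AUDIT_ARCH_X86_64.
X86_64_SYSCALLS = {41: "socket", 42: "connect", 43: "accept", 49: "bind", 50: "listen"}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Records copied from the message above, each rejoined onto one line.
AVC = 'audit[3207]: AVC apparmor="DENIED" operation="open" profile="snap.filebot.filebot" '
SAMPLE = [
    AVC + 'name="/proc/3206/net/if_inet6" pid=3207 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    AVC + 'name="/proc/3206/net/ipv6_route" pid=3207 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    AVC + 'name="/proc/3206/net/if_inet6" pid=3207 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'audit: type=1326 audit(1465311994.620:61): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=3233 '
    'comm="java" exe="/snap/filebot/100001/oracle-java/jre/bin/java" sig=31 arch=c000003e syscall=49 compat=0 '
    'ip=0x7f3a02393837 code=0x0',
]


def fields(line):
    """Return the key=value pairs of one audit record as a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def decode(line):
    """Summarise one AppArmor or seccomp denial; None for any other line."""
    f = fields(line)
    if f.get("apparmor") == "DENIED":
        return {"kind": "apparmor", "profile": f["profile"], "operation": f["operation"],
                "path": f.get("name"), "denied": f["denied_mask"]}
    if f.get("type") == "1326":  # AUDIT_SECCOMP: the seccomp filter stopped a syscall
        nr = int(f["syscall"])
        known = X86_64_SYSCALLS if f.get("arch") == "c000003e" else {}
        return {"kind": "seccomp", "comm": f["comm"], "signal": int(f["sig"]),
                "syscall": nr, "name": known.get(nr, "unknown")}
    return None


def summarise(lines):
    """Decode every line, dropping repeats of the same denial (first-seen order)."""
    out = []
    for d in filter(None, map(decode, lines)):
        if d not in out:
            out.append(d)
    return out


if __name__ == "__main__":
    for d in summarise(SAMPLE):
        print(d)
```

The seccomp record decodes to `bind` with signal 31 (SIGSYS), which matches the reading given in the reply above.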



