App denied access to /lib and crashes
jamie at canonical.com
Tue Jun 28 13:21:38 UTC 2016
On Tue, 2016-06-28 at 10:44 +0200, Pawel Stolowski wrote:
> I've been trying to create a snap package for Scid-vs-PC (an old-style
> TCL/TK based app) but have only been able to get it working in devmode.
> In the strict mode it crashes in libtk8.6.so and the segfault appears
> right after a denied access to read "/lib", in dmesg which makes me
> think that tcl/tk doesn't handle such (unexpected) scenario very well.
> When running in the devmode I get:
> [ 4039.752903] audit: type=1400 audit(1467102032.459:56):
> apparmor="ALLOWED" operation="open" profile="snap.scid-vs-pc.scidvspc"
> name="/lib/" pid=18523 comm="tkscid" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0
> (and the app runs fine).
> I suspect that just making "/lib" readable to my snap would make that
> app happy, so a couple of questions:
> - can I somehow expose "/lib" in read-only mode to my snap under
> "strict" confinement?
> - or can I somehow simulate the presence of "/lib" (and let it be empty)?
Can you file a bug and add the 'snapd-interface' tag? For now you can work around
this in strict mode by adding to /var/lib/snapd/apparmor/profiles/snap.scid-vs-
/lib/ r, # trailing '/' is important
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.scid-vs-
Then try again. Depending on what the program does, you might have to add
'/usr/lib/', '/usr/local/lib/', etc. Please report all the accesses needed in
the bug and I can get this fixed up.
Jamie Strandboge | http://www.canonical.com
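
Added example, not part of the original thread: one way to collect every access to report in the bug is to parse the AppArmor audit records from dmesg and emit one candidate rule per path. The function names are hypothetical; the first sample record is the line quoted above re-joined onto one line, and the other two are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: record 1 is the audit line quoted in the thread
# (re-joined onto one line); records 2 and 3 are made up for illustration.
_TAIL = ('pid=18523 comm="tkscid" requested_mask="r" denied_mask="r" '
         'fsuid=1000 ouid=0')
_PROF = 'operation="open" profile="snap.scid-vs-pc.scidvspc"'
SAMPLE_LOG = "\n".join([
    f'[ 4039.752903] audit: type=1400 audit(1467102032.459:56): '
    f'apparmor="ALLOWED" {_PROF} name="/lib/" {_TAIL}',
    f'[ 4039.760112] audit: type=1400 audit(1467102032.466:57): '
    f'apparmor="DENIED" {_PROF} name="/usr/lib/" {_TAIL}',
    f'[ 4039.760240] audit: type=1400 audit(1467102032.466:58): '
    f'apparmor="DENIED" {_PROF} name="/usr/lib/" {_TAIL}',
])

FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# In the log, "c" (create) and "d" (delete) are both covered by "w" in a rule.
LOG_TO_RULE = {"c": "w", "d": "w"}

def parse_record(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def needed_rules(log_text):
    """Map profile name -> sorted, de-duplicated candidate file rules."""
    masks = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_record(line)
        # ALLOWED is what devmode logs; DENIED is what strict mode logs.
        if not rec or rec.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if "name" not in rec or "denied_mask" not in rec:
            continue  # not a file-access record
        perms = (LOG_TO_RULE.get(c, c) for c in rec["denied_mask"])
        masks[rec["profile"]][rec["name"]].update(perms)
    # The path is copied verbatim, so a directory keeps its trailing '/'.
    return {prof: [f"{path} {''.join(sorted(m))}," for path, m in sorted(paths.items())]
            for prof, paths in masks.items()}

if __name__ == "__main__":
    for profile, rules in needed_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

Review each emitted rule before adding it to a profile; the script reports what was requested, not what should be granted.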