Configuring apparmor / seccomp for a snap to allow sendmsg and mkfifo?

Dan Kegel dank at kegel.com
Mon Oct 24 19:52:58 UTC 2016


I'm trying to snap a largish package; it works fine in devmode,
but as the app likes to use unix sockets and fifos, it fails in
confined mode with

$ sudo /snap/bin/snappy-debug.security scanlog
= AppArmor =
Time: Oct 24 11:41:09
Log: apparmor="DENIED" operation="sendmsg" profile="snap.foo" pid=8536
comm="foo" family="unix" sock_type="dgram" protocol=0
requested_mask="send" denied_mask="send" addr=none
peer_addr="@6E7669646961356165373434376600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
peer="unconfined"

= Seccomp =
Time: Oct 24 11:41:09
Log: auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=8536
comm="foo" exe="/snap/foo/x7/bin/foo" sig=31 arch=c000003e 133(mknod)
compat=0 ip=0x7f17f6fb542d code=0x0
Syscall: mknod

Any suggestions (other than 'don't do that')?
I imagine there's a way to configure both apparmor and seccomp for
snaps, but haven't found it yet.
https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
has some clues
http://askubuntu.com/questions/796809/add-custom-apparmor-rules-to-snap
seems on topic
Should I be looking at the snapd source?  (I see there's an apparmor
interface, but maybe that's internal only...)
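As an added example (not from the post or from snapd), here is a small parser for the `snappy-debug.security scanlog` output quoted above. It takes the two denial records exactly as they appear in the mail (including the line wrapping), turns each into a structured event, decodes the abstract unix-socket peer address, and names the seccomp audit architecture, so that a batch of denials can be triaged before deciding which confinement rules a snap actually needs. The sample input is the post's own log; the `AUDIT_ARCH` table holds the kernel's `AUDIT_ARCH_*` constants.

```python
"""Parse `snappy-debug.security scanlog` output into structured denial events."""
import re
from typing import Dict, List, Optional

# Sample scanlog output copied from the post above, wrapped as the mail
# archive shows it; used here as constructed test input for the parser.
SAMPLE_SCANLOG = """\
= AppArmor =
Time: Oct 24 11:41:09
Log: apparmor="DENIED" operation="sendmsg" profile="snap.foo" pid=8536
comm="foo" family="unix" sock_type="dgram" protocol=0
requested_mask="send" denied_mask="send" addr=none
peer_addr="@6E7669646961356165373434376600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
peer="unconfined"

= Seccomp =
Time: Oct 24 11:41:09
Log: auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=8536
comm="foo" exe="/snap/foo/x7/bin/foo" sig=31 arch=c000003e 133(mknod)
compat=0 ip=0x7f17f6fb542d code=0x0
Syscall: mknod
"""

SECTION_RE = re.compile(r"^= (\w+) =$")
FIELD_RE = re.compile(r"^(Time|Log|Syscall):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SYSCALL_RE = re.compile(r"\b(\d+)\((\w+)\)")  # e.g. 133(mknod)

# AUDIT_ARCH_* values as they appear in the seccomp audit record.
AUDIT_ARCH = {
    "c000003e": "x86_64",
    "40000003": "i386",
    "c00000b7": "aarch64",
    "40000028": "arm",
}


def audit_arch_name(arch_hex: str) -> str:
    return AUDIT_ARCH.get(arch_hex.lower(), "unknown(" + arch_hex + ")")


def decode_abstract_addr(addr: str) -> str:
    """Turn an abstract unix-socket address ('@' + hex of sun_path) into text."""
    if not addr.startswith("@"):
        return addr
    hex_part = addr[1:]
    hex_part = hex_part[: len(hex_part) // 2 * 2]  # drop a dangling nibble from wrapping
    return bytes.fromhex(hex_part).rstrip(b"\x00").decode("ascii", errors="replace")


def parse_scanlog(text: str) -> List[Dict]:
    """Split scanlog text into events; wrapped Log lines are re-joined."""
    events: List[Dict] = []
    current: Optional[Dict] = None
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"section": m.group(1), "raw": {}}
            events.append(current)
            last_key = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current["raw"][last_key] = m.group(2)
        elif last_key:
            current["raw"][last_key] += " " + line  # continuation of a wrapped line
    for ev in events:
        log = ev["raw"].get("Log", "")
        ev["time"] = ev["raw"].get("Time", "")
        ev["fields"] = {k: (q or bare) for k, q, bare in KV_RE.findall(log)}
        m = SYSCALL_RE.search(log)
        if m:
            ev["syscall"] = (m.group(2), int(m.group(1)))
        elif "Syscall" in ev["raw"]:
            ev["syscall"] = (ev["raw"]["Syscall"].strip(), -1)
        else:
            ev["syscall"] = None
    return events


def summarize(ev: Dict) -> str:
    """One-line triage summary of a denial event."""
    f = ev["fields"]
    if ev["section"] == "AppArmor":
        return (f"AppArmor: profile {f.get('profile')} denied {f.get('operation')} "
                f"(family={f.get('family')}, type={f.get('sock_type')}, "
                f"mask={f.get('denied_mask')}) peer={f.get('peer')} "
                f"peer_addr={decode_abstract_addr(f.get('peer_addr', ''))}")
    if ev["section"] == "Seccomp":
        name, nr = ev["syscall"] or ("?", -1)
        # sig=31 is SIGSYS: the seccomp filter killed the process on this syscall.
        return (f"Seccomp: {f.get('exe')} (pid {f.get('pid')}) got signal {f.get('sig')} "
                f"on syscall {name} ({nr}) arch={audit_arch_name(f.get('arch', ''))}")
    return f"{ev['section']}: {ev['raw']}"


if __name__ == "__main__":
    for event in parse_scanlog(SAMPLE_SCANLOG):
        print(summarize(event))
```

Run as-is it prints one line per denial; on a real system feed it the output of `sudo /snap/bin/snappy-debug.security scanlog` instead of the embedded sample. Grouping the resulting events by profile, operation and syscall is a quick way to see the full set of things the confined app needs before loosening any rule.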