Which interface exposes user folder to root

Jamie Strandboge jamie at canonical.com
Mon Feb 6 17:50:46 UTC 2017


On Mon, 2017-02-06 at 23:10 +0800, Tonny Tzeng wrote:
> Hi,
> 
> The 'home' interface provides access to non-hidden files for the snap-defined
> commands, but what if specific commands need to be run with 'sudo', how can
> I read files from my user folder? For example, from below syslog, I run my
> snap with 'sudo' to enable the bluetooth, but once I run the snap with
> root, it can't access $HOME:
> 
> audit: type=1400 audit(1486391164.744:1219): apparmor="DENIED"
> operation="open" profile="snap.iotivity-smarthome-demo.node"
> name="/home/tzeng/Workspace/node-examples/bluetooth/central-ess.js"
> pid=6991 comm="node" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
> 
> Any pointers would be very appreciated. Thanks.
> 

What is happening is that the home interface uses an AppArmor rule like this:

owner @{HOME}/** rwk,

The @{HOME} AppArmor variable expands to include /home/<user> and /root so the
file paths aren't an issue, but the 'owner' match requires that the process's uid
and the file's uid match, so the issue you are seeing is that the ownership is
not matching[1].

Keep in mind that while useful, the home interface grants a lot of access to the
snap and in general for strict confinement, best practice would have you use
SNAP_USER_DATA for data that is specific to a particular user (and use 'sudo -H'
instead of 'sudo' so that the $HOME env var is set to /root). For data that is
written by root but readable by others, use SNAP_DATA since it is accessible by
everything in your snap.

It appears this is a demo snap -- I suggest putting your example files in your
snap (i.e., in $SNAP) and have all your commands look for them in $SNAP (you'll
need to do this anyway since /home/tzeng/Workspace/node-examples/... only exists
on your machine). For things that need read/write, put them in SNAP_DATA or
SNAP_USER_DATA and have all your commands look for them there. If you want to
share data between commands for different users, either put the files in /tmp
(it is snap-specific and cleared on reboot) or create a persistent snap-specific
shared directory in $SNAP_DATA (e.g., mkdir -m 1777 $SNAP_DATA/tmp) and put them
there.

Hope this helps!

[1] In general, it is best practice to avoid processing files that are under
another user's control since those files could potentially be used to alter the
behavior of the running process.

-- 
Jamie Strandboge             | http://www.canonical.com
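The denial quoted in the question is a good candidate for mechanical triage. The script below is an added example, not code from the original thread or from snapd; it parses AppArmor "DENIED" audit records like the one above, pulls out name, fsuid and ouid, and reports why the home interface's rule (`owner @{HOME}/** rwk,`) could not match: the path is outside @{HOME}, it is a hidden file (the home interface only covers non-hidden files), or the process uid and file owner differ. It assumes one audit record per line with space-separated key=value tokens (AppArmor does not put raw spaces inside name="..."); the second and third sample lines, and the verdict names and remedy strings, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or snapd): triage AppArmor DENIED records
# against the behaviour of the snap 'home' interface described in the reply.
set -f   # no globbing: log lines are split into words below

# Constructed sample log. DENIAL_QUOTED is the record from the question; the
# other two are made up to exercise the remaining verdicts.
DENIAL_QUOTED='audit: type=1400 audit(1486391164.744:1219): apparmor="DENIED" operation="open" profile="snap.iotivity-smarthome-demo.node" name="/home/tzeng/Workspace/node-examples/bluetooth/central-ess.js" pid=6991 comm="node" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000'
DENIAL_HIDDEN='audit: type=1400 audit(1486391200.000:1220): apparmor="DENIED" operation="open" profile="snap.iotivity-smarthome-demo.node" name="/home/tzeng/.ssh/config" pid=6992 comm="node" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
DENIAL_OUTSIDE='audit: type=1400 audit(1486391210.000:1221): apparmor="DENIED" operation="open" profile="snap.iotivity-smarthome-demo.node" name="/etc/shadow" pid=6993 comm="node" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
SAMPLE_LOG=$(printf '%s\n' "$DENIAL_QUOTED" "$DENIAL_HIDDEN" "$DENIAL_OUTSIDE")

# field LINE KEY: print the value of KEY=value or KEY="value" in LINE.
# Returns 1 if the key is absent. Tokens are whitespace separated.
field() {
    for tok in $1; do
        case $tok in
            "$2="*)
                val=${tok#*=}
                val=${val#\"}
                val=${val%\"}
                printf '%s\n' "$val"
                return 0
                ;;
        esac
    done
    return 1
}

# classify LINE: print one verdict for a DENIED record.
#   outside-home    not under /home/<user> or /root; @{HOME} rules never apply
#   hidden-file     a dot-file component under $HOME; home covers visible files only
#   owner-mismatch  fsuid != ouid, so the 'owner' qualifier cannot match
#                   (e.g. root reading a user's files)
#   uids-match      under $HOME, visible, owner matches: not an 'owner' problem
classify() {
    path=$(field "$1" name) || return 1
    fsuid=$(field "$1" fsuid) || return 1
    ouid=$(field "$1" ouid) || return 1
    case $path in
        /home/*/.*|/root/.*) echo hidden-file ;;
        /home/*|/root/*)
            if [ "$fsuid" != "$ouid" ]; then
                echo owner-mismatch
            else
                echo uids-match
            fi
            ;;
        *) echo outside-home ;;
    esac
}

# remedy VERDICT: the fix the reply recommends for each verdict (constructed text).
remedy() {
    case $1 in
        owner-mismatch) echo "run with 'sudo -H' and keep per-user data in SNAP_USER_DATA, or ship it in SNAP / SNAP_DATA" ;;
        hidden-file)    echo "home interface excludes dot-files; move the data into SNAP_USER_DATA or SNAP_DATA" ;;
        outside-home)   echo "not covered by the home interface; use the snap's own directories or another interface" ;;
        uids-match)     echo "not an owner problem; check the profile name and requested_mask" ;;
        *)              return 1 ;;
    esac
}

# triage: walk SAMPLE_LOG and print one verdict per DENIED record.
triage() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        case $line in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        verdict=$(classify "$line") || continue
        printf '%-15s fsuid=%-5s ouid=%-5s %s\n    -> %s\n' \
            "$verdict" "$(field "$line" fsuid)" "$(field "$line" ouid)" \
            "$(field "$line" name)" "$(remedy "$verdict")"
    done
}

triage
```

Feed it real output with something like `journalctl -k | grep 'apparmor="DENIED"'` in place of the constructed SAMPLE_LOG. For the quoted record the verdict is owner-mismatch, which is exactly the fsuid=0 / ouid=1000 situation the reply explains: the path is fine, the owner is not.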
