<div dir="ltr">Hi Jamie,<div><br></div><div>Thanks for the detailed explanation, it's really helpful!</div><div><br></div><div>However, I am hesitant to package my example files in the snap. Just curious, what's the proper way to package a "development snap" which reads user-given files and requires root permission? For example, I'd like to package the necessary node.js components in a snap for developers to design their node.js based BLE apps. I've added the node, bleno and noble modules in a snap, so the idea is to let the users create their own node.js sample apps (under their $HOME) and invoke the node command in my snap to run their sample apps. Since the bleno/noble node modules require root privilege for accessing BLE, I used "sudo mysnap.node <sample_file_in_home>" to run the snap command. But as you pointed out, the fsuid is 0 but the ouid is 1000, which prevents the sample file from being read by the snap command?</div><div><br></div><div>Best Regards,</div><div>Tonny</div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 7, 2017 at 1:50 AM, Jamie Strandboge <span dir="ltr"><<a href="mailto:jamie@canonical.com" target="_blank">jamie@canonical.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, 2017-02-06 at 23:10 +0800, Tonny Tzeng wrote:<br>
> Hi,<br>
><br>
> The 'home' interface provides non-hidden files access to the snap defined<br>
> commands, but what if specific commands need to be run with 'sudo', how can<br>
> I read files from my user folder? For example, from below syslog, I run my<br>
> snap with 'sudo' to enable the bluetooth, but once I run the snap with<br>
> root, it can't access $HOME:<br>
><br>
> audit: type=1400 audit(1486391164.744:1219): apparmor="DENIED"<br>
> operation="open" profile="snap.iotivity-smarthome-demo.node"<br>
> name="/home/tzeng/Workspace/node-examples/bluetooth/central-ess.js"<br>
> pid=6991 comm="node" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000<br>
><br>
> Any pointers would be very appreciated. Thanks.<br>
><br>
<br>
</span>What is happening is that the home interface uses an AppArmor rule like this:<br>
<br>
owner @{HOME}/** rwk,<br>
<br>
The @{HOME} AppArmor variable expands to include /home/<user> and /root so the<br>
file paths aren't an issue, but the 'owner' match requires that the process' uid<br>
and the file's uid match, so the issue you are seeing is that the ownership is<br>
not matching[1].<br>
<br>
Keep in mind that while useful, the home interface grants a lot of access to the<br>
snap and in general for strict confinement, best practice would have you use<br>
SNAP_USER_DATA for data that is specific to a particular user (and use 'sudo -H'<br>
instead of 'sudo' so that the $HOME env var is set to /root). For data that is<br>
written by root but readable by others, use SNAP_DATA since it is accessible by<br>
everything in your snap.<br>
<br>
It appears this is a demo snap-- I suggest putting your example files in your<br>
snap (ie, in $SNAP) and have all your commands look for them in $SNAP (you'll<br>
need to do this anyway since /home/tzeng/Workspace/node-examples/... only exists<br>
on your machine). For things that need read/write, put them in SNAP_DATA or<br>
SNAP_USER_DATA and have all your commands look for them there. If you want to<br>
share data between commands for different users, either put the files in /tmp<br>
(it is snap-specific and cleared on reboot) or create a persistent snap-specific<br>
shared directory in $SNAP_DATA (eg, mkdir -m 1777 $SNAP_DATA/tmp) and put them<br>
there.<br>
<br>
Hope this helps!<br>
<br>
[1] In general, it is best practice to avoid processing files that are under<br>
another user's control since those files could potentially be used to alter the<br>
behavior of the running process.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Jamie Strandboge | <a href="http://www.canonical.com" rel="noreferrer" target="_blank">http://www.canonical.com</a><br>
<br>
</font></span><br>--<br>
Snapcraft mailing list<br>
<a href="mailto:Snapcraft@lists.snapcraft.io">Snapcraft@lists.snapcraft.io</a><br>
Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/snapcraft" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/snapcraft</a><br>
<br></blockquote></div><br></div></div></div>
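As an added example for this thread (it is not code from snapd, AppArmor, or either poster), here is a small Python triage script that parses audit DENIED lines like the one quoted above and reports whether the `owner` keyword of the home interface rule (`owner @{HOME}/** rwk,`) is what failed, as opposed to the path lying outside @{HOME}, being a hidden top-level entry, or being denied for an unrelated reason. The expansion of @{HOME} to /home/<user>/ and /root/ is assumed from AppArmor's default tunables; the extra sample lines beyond the one from the thread are constructed.

```python
"""Triage AppArmor DENIED audit lines against the snap home interface's
`owner @{HOME}/** rwk,` rule.  Example code written for this thread; it is
not part of snapd or AppArmor."""
import re

# Assumption: @{HOME} expands as in AppArmor's default tunables/home,
# i.e. to /home/<user>/ and /root/, as the reply above describes.
HOME_PREFIXES = (re.compile(r"^/home/[^/]+/"), re.compile(r"^/root/"))

# key=value fields of an audit record: values are "quoted" or bare tokens.
# (An '=' inside a quoted path would confuse this; good enough for triage.)
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of an audit line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}


def home_relative(path):
    """Path relative to the matched @{HOME} directory, or None if outside it."""
    for prefix in HOME_PREFIXES:
        m = prefix.match(path)
        if m:
            return path[m.end():]
    return None


def diagnose(line):
    """Classify one DENIED file-access line (these carry fsuid= and ouid=).

    Returns None for a non-DENIED record, else a dict with the parsed fields
    and one of these verdicts:
      outside-home     name is not under @{HOME}, so the rule never applied
      hidden-in-home   top-level dotfile/dir; the home interface skips those
      owner-mismatch   under @{HOME} but fsuid != ouid: the `owner` keyword
                       failed (root via plain `sudo` reading a user's file)
      not-owner-check  path and ownership both fit; look elsewhere (e.g. the
                       home interface is not connected)
    """
    f = parse_audit_line(line)
    if f.get("apparmor") != "DENIED":
        return None
    path = f.get("name", "")
    fsuid, ouid = int(f["fsuid"]), int(f["ouid"])
    rel = home_relative(path)
    if rel is None:
        verdict = "outside-home"
    elif rel.startswith("."):
        verdict = "hidden-in-home"
    elif fsuid != ouid:
        verdict = "owner-mismatch"
    else:
        verdict = "not-owner-check"
    return {"profile": f.get("profile"), "path": path, "fsuid": fsuid,
            "ouid": ouid, "mask": f.get("denied_mask"), "verdict": verdict}


def summarize(lines):
    """Map each DENIED line to (verdict, path), dropping non-DENIED records."""
    out = []
    for line in lines:
        r = diagnose(line)
        if r:
            out.append((r["verdict"], r["path"]))
    return out


SAMPLE_LINES = [
    # 1. the line from the thread: root (plain sudo) reading a uid-1000 file
    'audit: type=1400 audit(1486391164.744:1219): apparmor="DENIED" '
    'operation="open" profile="snap.iotivity-smarthome-demo.node" '
    'name="/home/tzeng/Workspace/node-examples/bluetooth/central-ess.js" '
    'pid=6991 comm="node" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000',
    # 2. constructed: file outside @{HOME}; the home rule is irrelevant here
    'audit: type=1400 audit(1486391200.000:1220): apparmor="DENIED" '
    'operation="open" profile="snap.iotivity-smarthome-demo.node" '
    'name="/etc/bluetooth/main.conf" pid=7001 comm="node" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # 3. constructed: hidden top-level entry under $HOME, uids match
    'audit: type=1400 audit(1486391300.000:1221): apparmor="DENIED" '
    'operation="open" profile="snap.iotivity-smarthome-demo.node" '
    'name="/home/tzeng/.config/secret.json" pid=7010 comm="node" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # 4. constructed: non-hidden, uids match; the owner check is not the cause
    'audit: type=1400 audit(1486391400.000:1222): apparmor="DENIED" '
    'operation="open" profile="snap.iotivity-smarthome-demo.node" '
    'name="/home/tzeng/Workspace/app.js" pid=7020 comm="node" '
    'requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
]

if __name__ == "__main__":
    for verdict, path in summarize(SAMPLE_LINES):
        print(f"{verdict:16} {path}")
```

Run it as-is to see the four verdicts; in practice you would feed it `journalctl -k` or syslog output and grep for the `owner-mismatch` cases, which are exactly the ones fixed by `sudo -H` plus SNAP_USER_DATA or by shipping the files in $SNAP, as the reply above suggests.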