service with shared libraries

Andrei Porumb anporumb at microsoft.com
Mon Apr 13 20:04:35 UTC 2015


Hello Jamie,

Thank you for your email.

I would love to edit click_simplesample_...44, but I do not believe I can do that, the reason being that click_simplesampleamqp_sum_44 is read-only. I cannot create any files in that folder; I believe that Ubuntu Snappy is configured on purpose to not allow any writes in that folder.

But assuming I would add "/usr/bin/ldd ixr," - would that allow the service to load a shared library? Or would that unblock executing "ldd" from a service context only?

Best Regards,
Andrei Porumb

-----Original Message-----
From: Jamie Strandboge [mailto:jamie at canonical.com] 
Sent: Monday, April 13, 2015 11:54 AM
To: Andrei Porumb; snappy-app-devel at lists.ubuntu.com
Subject: Re: service with shared libraries

On 04/13/2015 12:27 PM, Andrei Porumb wrote:
...
> 
> Further investigation revealed that in the small script that attempts 
> to start the service there cannot be just any command. For example, 
> "ldd" cannot be there (if it is, there's going to be a DENIAL 
> something like : Apr 12 19:53:10 localhost.localdomain kernel: audit: type=1400 audit(1428868390.904:62):
> apparmor="DENIED" operation="exec" profile="simplesampleamqp_sum_44"
> name="/usr/bin/ldd" pid=2310 comm="sum.sh" requested_mask="x" denied_mask="x"
> fsuid=0 ouid=0). Echo is fine to be in the script...
> 

The apparmor policy is not allowing access to the ldd command. I'll update the policy and upload later today to allow this.

In the meantime, after you install your snap, you can adjust
/var/lib/apparmor/profiles/*simplesampleamqp_sum_44 to have this somewhere before the final curly brace (don't forget the comma):
/usr/bin/ldd ixr,

Then run:
$ sudo apparmor_parser -r /var/lib/apparmor/profiles/*simplesampleamqp_sum_44

Note: this change will be removed if you reinstall the snap.

-- 
Jamie Strandboge                 http://www.ubuntu.com/
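As an added example (not code from either poster), the following Python script turns an AppArmor DENIED audit line like the one quoted above into the profile rule Jamie suggests and inserts it before the profile's closing brace. It generalizes beyond the exec case to the other denied_mask letters; the sample profile text and the `SAMPLE_DENIAL` line are constructed from the thread, and the reload with `apparmor_parser -r` is left to the caller.

```python
import re

# Constructed sample: the audit line quoted in the thread, joined onto one line.
SAMPLE_DENIAL = (
    'Apr 12 19:53:10 localhost.localdomain kernel: audit: type=1400 '
    'audit(1428868390.904:62): apparmor="DENIED" operation="exec" '
    'profile="simplesampleamqp_sum_44" name="/usr/bin/ldd" pid=2310 '
    'comm="sum.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'
)

# Constructed stand-in for /var/lib/apparmor/profiles/*simplesampleamqp_sum_44.
SAMPLE_PROFILE = (
    'profile "simplesampleamqp_sum_44" (attach_disconnected) {\n'
    '  #include <abstractions/base>\n'
    '  /usr/bin/curl ixr,\n'
    '}\n'
)

# key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# denied_mask letter -> file permission the rule needs. An exec denial ("x")
# needs an exec modifier; "ix" inherits the confining profile, as in
# Jamie's rule "/usr/bin/ldd ixr,".
MASK_TO_PERM = {"x": "ix", "r": "r", "w": "w", "m": "m", "k": "k", "l": "l"}


def parse_denial(line):
    """Return the audit fields as a dict, or None if the line is not a DENIED event."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rule(fields):
    """Build the profile rule that would permit exactly what was denied."""
    mask = fields["denied_mask"]
    unknown = [c for c in mask if c not in MASK_TO_PERM]
    if unknown:
        raise ValueError(f"unhandled mask letters {unknown}; check aa-logprof")
    perms = "".join(MASK_TO_PERM[c] for c in mask)
    if "x" in mask and "r" not in mask:
        perms += "r"  # exec rules are paired with read so the binary can be loaded
    return f'{fields["name"]} {perms},'


def add_rule(profile_text, rule):
    """Insert rule before the profile's final closing brace; no-op if already present."""
    if rule in profile_text:
        return profile_text
    idx = profile_text.rstrip().rfind("}")
    return profile_text[:idx] + "  " + rule + "\n" + profile_text[idx:]
```

After writing the patched profile back, reload it with `sudo apparmor_parser -r <profile>` as in the reply above.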
