service with shared libraries

Andrei Porumb anporumb at
Mon Apr 13 20:04:35 UTC 2015

Hello Jamie,

	Thank you for your email. 

	I would love to edit click_simplesample_...44, I do not believe I can do that, the reason being that click_simplesampleamqp_sum_44 is readonly. I cannot create any files in that folder, I believe that Ubuntu Snappy is on purpose configured to not allow any writes in that folder. 

	But assuming I would add "/usr/bin/ldd ixr," - would that allow the service to load a shared library? Or that would unblock executing "ldd" from a service context only?

Best Regards,
Andrei Porumb

-----Original Message-----
From: Jamie Strandboge [mailto:jamie at] 
Sent: Monday, April 13, 2015 11:54 AM
To: Andrei Porumb; snappy-app-devel at
Subject: Re: service with shared libraries

On 04/13/2015 12:27 PM, Andrei Porumb wrote:
> Further investigation revealed that in the small script that attempts 
> to start the service there cannot be just any command. For example, 
> "ldd" cannot be there (if it is, there's going to be a DENIAL 
> something like : Apr 12 19:53:10 localhost.localdomain kernel: audit: type=1400 audit(1428868390.904:62):
> apparmor="DENIED" operation="exec" profile="simplesampleamqp_sum_44"
> name="/usr/bin/ldd" pid=2310 comm="" requested_mask="x" denied_mask="x"
> fsuid=0 ouid=0). Echo is fine to be in the script...

The apparmor policy is not allowing access to the ldd command. I'll update the policy and upload later today to allow this.

In the meantime, after you install your snap, you can adjust
/var/lib/apparmor/profiles/*simplesampleamqp_sum_44 to have this somewhere before the final curl brace (don't forget the comma):
/usr/bin/ldd ixr,

Then run:
$ sudo apparmor_parser -r /var/lib/apparmor/profiles/*simplesampleamqp_sum_44

Note: this change will be removed if you reinstall the snap.

Jamie Strandboge       

More information about the snappy-app-devel mailing list