service with shared libraries
Jamie Strandboge
jamie at canonical.com
Mon Apr 13 20:21:56 UTC 2015
On 04/13/2015 03:04 PM, Andrei Porumb wrote:
> Hello Jamie,
>
> Thank you for your email.
>
> I would love to edit click_simplesample_...44, but I do not believe I
> can do that, the reason being that click_simplesampleamqp_sum_44 is
> read-only. I cannot create any files in that folder; I believe that
> Ubuntu Snappy is configured on purpose not to allow any writes in
> that folder.
>
You would have to alter this file as an admin. E.g., on the device:
$ sudo vi /var/lib/apparmor/profiles/*simplesampleamqp_sum_44
However, I just uploaded the fix so it will be on the next devel-proposed image
anyway.
> But assuming I would add "/usr/bin/ldd ixr," - would that allow the
> service to load a shared library? Or would that unblock executing
> "ldd" from a service context only?
>
I adjusted the default template to allow any app to execute the 'ldd' command.
Apps are already allowed to load a shared library from their app-specific
directories.
> Best Regards,
> Andrei Porumb
>
> -----Original Message-----
> From: Jamie Strandboge [mailto:jamie at canonical.com]
> Sent: Monday, April 13, 2015 11:54 AM
> To: Andrei Porumb; snappy-app-devel at lists.ubuntu.com
> Subject: Re: service with shared libraries
>
> On 04/13/2015 12:27 PM, Andrei Porumb wrote:
> ...
>>
>> Further investigation revealed that in the small script that attempts
>> to start the service there cannot be just any command. For example,
>> "ldd" cannot be there (if it is, there's going to be a DENIAL
>> something like : Apr 12 19:53:10 localhost.localdomain kernel: audit: type=1400 audit(1428868390.904:62):
>> apparmor="DENIED" operation="exec" profile="simplesampleamqp_sum_44"
>> name="/usr/bin/ldd" pid=2310 comm="sum.sh" requested_mask="x" denied_mask="x"
>> fsuid=0 ouid=0). Echo is fine to be in the script...
>>
>
> The apparmor policy is not allowing access to the ldd command. I'll update the policy and upload later today to allow this.
>
> In the meantime, after you install your snap, you can adjust
> /var/lib/apparmor/profiles/*simplesampleamqp_sum_44 to have this somewhere before the final curly brace (don't forget the comma):
> /usr/bin/ldd ixr,
>
> Then run:
> $ sudo apparmor_parser -r /var/lib/apparmor/profiles/*simplesampleamqp_sum_44
>
> Note: this change will be removed if you reinstall the snap.
>
--
Jamie Strandboge http://www.ubuntu.com/
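
Added example, not part of the original message and not Snappy or AppArmor project code: a small Python triage helper that parses AppArmor DENIED audit records like the one quoted in this thread and lists, per profile, a candidate rule line for each denied path. The function names and the sample log are constructed here; proposing "ixr" for an exec denial is an assumption that mirrors the rule given in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in the thread joined onto one line,
# plus one unrelated kernel line that must be ignored.
SAMPLE_LOG = '''\
Apr 12 19:53:10 localhost.localdomain kernel: audit: type=1400 audit(1428868390.904:62): apparmor="DENIED" operation="exec" profile="simplesampleamqp_sum_44" name="/usr/bin/ldd" pid=2310 comm="sum.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Apr 12 19:53:11 localhost.localdomain kernel: eth0: link up
'''

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}

def candidate_rules(log_text):
    """Group denials by profile and propose one rule line per denied path."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec or "name" not in rec or "profile" not in rec:
            continue
        mask = rec.get("denied_mask", "")
        # Assumption: for an exec denial, propose the thread's permission set
        # "ixr" (inherit-execute plus read); otherwise echo the denied mask.
        is_exec = rec.get("operation") == "exec" and "x" in mask
        perms = "ixr" if is_exec else mask
        rules[rec["profile"]].add(f'{rec["name"]} {perms},')
    return {profile: sorted(lines) for profile, lines in rules.items()}

if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in lines:
            print(f"  {rule}")
```

Each line it prints is a candidate to review before it is added to the profile and reloaded with apparmor_parser -r, as described in the thread.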