Forbidden sqlite3 system call

Simon Stürz timonmailinglist at gmail.com
Mon Nov 23 16:08:31 UTC 2015


Hello everyone!

I have been trying for quite a while to publish our IoT server guhIO in the snappy 
store. Unfortunately that has not been possible so far,
because I had to use the security template "unconfined" (which is not a 
good idea, but made the development process easier).

The service guhd is written in Qt and uses the sqlite3 lib to write a 
log database.
Now the following happens:
- The service starts as root
- The service opens the database connection
- The db will be created in the snappy app data path: 
/var/lib/apps/guhio.sideload/IGKUccPPYHOe/guhd.log
- The whole service crashes if it tries to create the database with the 
following code:

   QSqlQuery query;
   query.exec("CREATE TABLE metadata (key varchar(10), data varchar(40));");

So I checked the syslog:

$ sudo snappy-debug.security scanlog

= Seccomp =
Time: Nov 23 12:35:33
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1307 comm="guhd" 
exe="/apps/guhio.sideload/IGKUccPPYHOe/usr/bin/guhd" sig=31 
arch=40000028 207(fchown32) compat=0 ip=0x765fe836 code=0x0
Syscall: fchown32
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead 
of 'cp -a')
* adjust program to not use 'fchown32'

The strange thing: this code works on all systems (Debian Wheezy, Jessie 
and Ubuntu 12.04 - 15.10 amd64, i386, armhf) except Ubuntu Core. :(

So I tried to create the db file using QFile and changed the permissions 
(in the code) before calling the sqlquery command; everything worked 
until....
query.exec(...) -> bad system call.

What could cause this behaviour?
The suggestion "adjust program to not use 'fchown32'" would mean not 
using sqlite3 for me...? That is not an option currently.
Is there anybody else using sqlite3 + Qt in a snap?
Is there a possibility to use security templates or AppArmor to solve 
this issue?
Why is it forbidden to call fchown32() in the snap's own app data path? 
I understand that the call should be unnecessary, but forbidden?

I hope you guys can help me! :)

Cheers,
Simon
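Added example (not from the post or the guh project): a small Python parser for the seccomp denial record that snappy-debug.security scanlog prints after "Log:", decoding the arch code, the syscall and the fatal signal (sig=31 is SIGSYS, the "bad system call" in the post), and counting denials per program and syscall so that a confinement policy can be adjusted deliberately instead of falling back to "unconfined". For context, SQLite's unix VFS calls fchown only when the process runs as root, to give a newly created journal or WAL file the same owner as the database file, which is why the denial shows uid=0. The sample lines are constructed from the record in the post; the second line's pid is made up.

```python
import re

# Constructed sample lines in the format snappy-debug.security scanlog prints
# after "Log:": the first is the denial from the post, the second a made-up
# repeat of the same denial after a service restart (different pid).
SAMPLE_LINES = [
    'auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1307 comm="guhd" '
    'exe="/apps/guhio.sideload/IGKUccPPYHOe/usr/bin/guhd" sig=31 '
    'arch=40000028 207(fchown32) compat=0 ip=0x765fe836 code=0x0',
    'auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1422 comm="guhd" '
    'exe="/apps/guhio.sideload/IGKUccPPYHOe/usr/bin/guhd" sig=31 '
    'arch=40000028 207(fchown32) compat=0 ip=0x765fe836 code=0x0',
]
# AUDIT_ARCH_* values from <linux/audit.h>: ELF machine id OR'd with
# __AUDIT_ARCH_64BIT (0x80000000) and/or __AUDIT_ARCH_LE (0x40000000).
AUDIT_ARCH = {0x40000028: "arm",      # EM_ARM | LE: the armhf board in the post
              0x40000003: "i386", 0xC000003E: "x86_64", 0xC00000B7: "aarch64"}
SIGNAL_NAMES = {31: "SIGSYS"}         # what the shell reports as "bad system call"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_RE = re.compile(r"\b(\d+)\((\w+)\)")   # e.g. 207(fchown32)

def parse_seccomp_log(line):
    """Turn one seccomp audit line into a record a detection rule can act on."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SYSCALL_RE.search(line)
    if m is None or "sig" not in fields:
        raise ValueError("not a seccomp denial line: %r" % line)
    arch = int(fields["arch"], 16)
    sig = int(fields["sig"])
    return {
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "pid": int(fields["pid"]),
        "uid": int(fields["uid"]),           # uid=0: the confined service runs as root
        "arch": AUDIT_ARCH.get(arch, "0x%x" % arch),
        "syscall_nr": int(m.group(1)),
        "syscall": m.group(2),
        "signal": SIGNAL_NAMES.get(sig, "signal %d" % sig) if sig else None,
        "killed": sig != 0,                  # sig=0 is a logged-but-allowed call
    }

def summarize_denials(lines):
    """Count denials per (comm, syscall) so the missing policy entries stand out."""
    counts = {}
    for line in lines:
        rec = parse_seccomp_log(line)
        key = (rec["comm"], rec["syscall"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```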
