Dbus system config for framework and app snaps
Jamie Strandboge
jamie at canonical.com
Mon Jun 1 20:41:04 UTC 2015
On 06/01/2015 01:51 PM, sergey at devicehive.com wrote:
> Thank you Jamie,
>
> those links are very helpful and I was able to make some progress with my snaps.
> On snappy vm (amd64) my framework snap installs and registers on dbus, I can
> also see dbus config generated for it.
>
> But today I was doing more tests on the RPi2 image (latest, 15 Apr build) and I got
> a permission error after snap install. I have tried the package-dir-fwk example
> but got the same error:
>
> Jun 1 17:39:09 localhost kernel: [ 3787.848606] audit: type=1400
> audit(1433180349.509:13): apparmor="STATUS" operation="profile_load"
> profile="unconfined" name="hello-dbus-fwk_srv_1.0.0" pid=1786 comm="apparmor_parser"
> Jun 1 17:39:09 localhost systemd[1]: Reloading.
> Jun 1 17:39:09 localhost systemd[1]: Started hello-dbus-fwk test service.
> Jun 1 17:39:09 localhost systemd[1]: Starting hello-dbus-fwk test service...
> Jun 1 17:39:09 localhost dbus_service.start[1803]: FAIL:
> org.freedesktop.DBus.Error.AccessDenied: Connection ":1.26" is not allowed to
> own the service "com.canonical.hello-dbus-fwk" due to security policies in the
> configuration file
> Jun 1 17:39:10 localhost systemd[1]: hello-dbus-fwk_srv_1.0.0.service: main
> process exited, code=exited, status=1/FAILURE
> Jun 1 17:39:10 localhost systemd[1]: Unit hello-dbus-fwk_srv_1.0.0.service
> entered failed state.
> Jun 1 17:39:10 localhost systemd[1]: hello-dbus-fwk_srv_1.0.0.service failed.
>
> I am using the latest version of snappy-tools while building the snap.
> Is there something I'm missing?
>
> Below is my system info:
>
> (RaspberryPi2)ubuntu at localhost:~$ sudo snappy list
> Name Date Version Developer
> ubuntu-core 2015-04-10 4
> hello-dbus-fwk 2015-06-01 1.0.0
> pi2 2015-04-15 0.11 lool
>
2015-04-10 for ubuntu-core is too old and you'll want a newer ubuntu-core.
CC'ing Loic to comment on where to find it.
> (RaspberryPi2)ubuntu at localhost:~$ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description: Ubuntu Vivid Vervet (development branch)
> Release: 15.04
> Codename: vivid
>
>
>
> -Sergey
>
>
> On 29 May 2015 at 12:31, Jamie Strandboge wrote:
>
>> On 05/29/2015 10:29 AM, Sergey Demyanov wrote:
>> > Hi everyone,
>> >
>> >
>> > I wanted to reiterate the question on the way snap developers would configure dbus
>> > permissions if needed. Since we have to use System bus for snaps by default we
>> > cannot own and register objects on the bus.
>> > As of now the only way is to copy our own .config file
>> > into /etc/dbus-1/system.d/ but in recent builds that partition is read only and
>> > remounting seems like a big hack.
>> > Maybe it is possible to allow some namespace prefix for snaps to own or include
>> > config into snap package and make snappy apply it during install?
>> >
>> > Should I open a bug for this or first discuss here the way to do it?
>>
>> This was implemented just before 15.04 was released via 'bus-name' in the
>> package.yaml for frameworks[1]. Under the hood, when a framework snap service
>> specifies 'bus-name', snappy will update the system service to include BusName=
>> and Type=dbus and snappy will also create a simple bus policy in
>> /etc/dbus-1/system.d. You can see 'hello-dbus' from the snappy-examples[2] for a
>> working example, or install them on your system:
>>
>> $ sudo snappy install hello-dbus-fwk
>> $ sudo snappy install hello-dbus-app
>> $ hello-dbus-app.client
>> PASS
>>
>> [1] https://developer.ubuntu.com/en/snappy/guides/frameworks/
>> [2] http://bazaar.launchpad.net/~snappy-dev/snappy-hub/snappy-examples/files/head:/hello-dbus/
>>
>> --
>> Jamie Strandboge http://www.ubuntu.com/
>>
>>
>
>
>
>
--
Jamie Strandboge http://www.ubuntu.com/
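
The AccessDenied line in the log above is the bus refusing a name for which no matching `allow own` rule is loaded from /etc/dbus-1/system.d. The following is an added example, not part of the original email and not snappy's code: a simplified evaluator for D-Bus ownership rules that can be pointed at policy XML to see whether a given user may own a name. The two policy documents, the `root` service user and the helper names are assumptions constructed for illustration; `at_console` policies and `<include>` directives are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not files copied from a snappy system).
SYSTEM_DEFAULT = """<busconfig>
  <policy context="default"><deny own="*"/></policy>
</busconfig>"""
SERVICE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="com.canonical.hello-dbus-fwk"/>
  </policy>
</busconfig>"""

def _matches(rule, name):
    """True if an <allow>/<deny> rule is an ownership rule covering `name`."""
    own, prefix = rule.get("own"), rule.get("own_prefix")
    if own is not None:
        return own in ("*", name)
    if prefix is not None:
        return name == prefix or name.startswith(prefix + ".")
    return False  # send/receive rule, irrelevant to ownership

def _stage(policy, user, groups):
    """Order in which dbus-daemon applies <policy> blocks to a connection."""
    if policy.get("context") == "default":
        return 0
    if policy.get("group") in groups:
        return 1
    if policy.get("user") == user:
        return 2
    if policy.get("context") == "mandatory":
        return 3
    return None  # block does not apply (at_console is not modelled)

def may_own(configs, name, user, groups=()):
    """Evaluate ownership of `name`; the last matching rule wins."""
    staged = []
    for order, text in enumerate(configs):
        for policy in ET.fromstring(text).iter("policy"):
            stage = _stage(policy, user, groups)
            if stage is not None:
                staged.append((stage, order, policy))
    allowed = False  # no matching rule means the request is refused
    for _, _, policy in sorted(staged, key=lambda s: s[:2]):
        for rule in policy:
            if rule.tag in ("allow", "deny") and _matches(rule, name):
                allowed = rule.tag == "allow"
    return allowed
```

To check a real system, pass the contents of the bus configuration files in the order the daemon reads them instead of the constructed strings.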