AW: apparmor profile for snap package

Marco Tangl Marco.Tangl at dewetron.com
Fri Apr 1 15:25:17 UTC 2016


Hi Zygmunt,

many thanks for this information!!

BR
Marco

-----Original Message-----
From: Zygmunt Krynicki [mailto:zygmunt.krynicki at canonical.com]
Sent: Friday, 01 April 2016 12:47
To: Marco Tangl <Marco.Tangl at dewetron.com>
Cc: snappy-devel at lists.ubuntu.com
Subject: Re: apparmor profile for snap package

Hey Marco

I'm sorry for your issues. This area will be wholly replaced by interfaces. We will soon switch over from old apparmor/seccomp code to one that is fully backed by interfaces. Until then there is little point in inspecting this problem as all of the implementation is different.

Please hold on.

Best regards
ZK

On Thu, Mar 31, 2016 at 4:49 PM, Marco Tangl <Marco.Tangl at dewetron.com> wrote:
> Hi all,
>
> unfortunately I am not able to change the apparmor profile for my
> generated snap packages, targeting snappy Core 16.04
> (amd64-all-snap.img from 04-Feb-2016)
>
> I generated 2 snaps with different snapcraft.yaml files, and compared
> the resulting apparmor_package_profile located in
>
> /var/lib/snappy/apparmor/profiles/packagename.sideload_XXXX.
>
> Result:
>
> The file stays the same, no matter what I adjusted in my .yaml files …..
>
> ##############
>
> 1st yaml (default permissions):
>
>>
> apps:
>   my_server:
>     command: bin/my_server.sh
>     daemon: simple
>
> parts:
>
>>
>
> ############
>
> 2nd yaml (enhanced permissions):
>
>>
> apps:
>   my_server:
>     command: bin/my_server.sh
>     daemon: simple
>     plugs: [srv]
>
> plugs:
>   srv:
>     caps:
>       - network-listener
>       - network-service
>       - network-management
>
>     security-override:
>       properties:
>         read-paths:
>           - /run/udev/data/*
>           - /etc/network/interfaces.d/**
>         write-paths:
>           - /dev/ttyS0
>
> parts:
>
>>
>
> With the “write-paths” I want to allow my server application to
> access the serial port, not sure if this is ok that way??
>
> I just don’t want to execute the “snappy hw-assign” command on my
> destination system.
>
> Hope someone can help me further!?
>
> Many thanks in advance,
>
> Marco
>
> --
> snappy-devel mailing list
> snappy-devel at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/snappy-devel
>

