Overriding seccomp policy: shm_open
Jamie Strandboge
jamie at canonical.com
Mon Aug 1 16:34:56 UTC 2016
On Mon, 2016-08-01 at 07:27 +0200, Simon Fels wrote:
> On 01.08.2016 06:55, Jacob Zimmermann wrote:
> >
> > Hi
> >
> > I'm trying to get my hands on snapcraft by building a snap of "Hatari"
> > (Atari ST emulator). I got it working nicely in devmode but it won't run
> > under strict confinement, specifically it gets killed when attempting to
> > execute shm_open().
> >
> > Based on whatever little information I could gather I tried to override
> > the default policy like so:
> >
> > apps:
> >   hatari:
> >     command: hatari
> >     plugs: [home, unity7, hatari-permissions]
> >
> > ...
> >
> > plugs:
> >   hatari-permissions:
> >     type: old-security
> >     security-override:
> >       syscalls: [shm_open]
> The old-security interface is not available any more. To be able to
> further comment on the problem you hit here it will be good to know for
> what the Hatari emulator wants to use the shm_open syscall.
>
> >
> > But to no avail, it just won't let it use this syscall. I couldn't find
> > anything in the docs about how it is supposed to be done.
> To allow your snap to use the syscall shm_open it needs to use an
> interface which allows this. It's very likely that in this case there is
> no appropriate interface yet. As stated above we need to first find out
> what the emulator tries to do with shm_open here before we can judge
> further what kind of interface it would need.
>
shm_open() is allowed in the default policy for seccomp and if the path conforms
to this from the default policy for apparmor, then there should be no issues:
# App-specific access to files and directories in /dev/shm. We allow file
# access in /dev/shm for shm_open() and files in subdirectories for open()
/{dev,run}/shm/snap.@{SNAP_NAME}.** mrwlkix,
I suspect you need to adjust hatari to use (perhaps conditionally if SNAP env
var is set, up to you) shm_open("snap.hatari.XXXXXX", ...) or similar.
--
Jamie Strandboge | http://www.canonical.com
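Jamie's suggestion above, as an added example that is not part of the thread or of Hatari's own code: a small C helper that derives the shared-memory object name from the snap-provided SNAP_NAME environment variable (an assumption; Jamie mentions the SNAP variable, either works as a "running inside a snap" signal) so that the object lands under the /dev/shm/snap.<name>. path the default AppArmor rule permits, and falls back to a plain name outside a snap.

```c
/* Added example, not code from the thread or from Hatari: derive a
 * shared-memory object name that satisfies the snapd AppArmor rule
 *   /{dev,run}/shm/snap.@{SNAP_NAME}.** mrwlkix,
 * when running as a snap, and fall back to a plain name otherwise. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Builds "/snap.<snap_name>.<base>" when snap_name is set (the caller
 * normally passes getenv("SNAP_NAME")), otherwise "/<base>".  shm_open()
 * strips the leading '/' and creates the object under /dev/shm.
 * Returns 0 on success, -1 if the name does not fit in buf. */
int snap_shm_name(const char *snap_name, const char *base,
                  char *buf, size_t buflen)
{
    int n = (snap_name != NULL && snap_name[0] != '\0')
                ? snprintf(buf, buflen, "/snap.%s.%s", snap_name, base)
                : snprintf(buf, buflen, "/%s", base);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Creates and maps a `size`-byte shared-memory object under the
 * snap-prefixed name; returns the mapping or NULL with errno set.
 * The name is unlinked right after mapping so nothing is left behind
 * in /dev/shm when the process exits. */
void *snap_shm_map(const char *base, size_t size)
{
    char name[256];
    if (snap_shm_name(getenv("SNAP_NAME"), base, name, sizeof name) != 0)
        return NULL;
    int fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return NULL;
    void *p = MAP_FAILED;
    if (ftruncate(fd, (off_t)size) == 0)
        p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    shm_unlink(name);
    return p == MAP_FAILED ? NULL : p;
}
```

Inside the hatari snap, snap_shm_map("hatari-video", 4096) creates /dev/shm/snap.hatari.hatari-video, which the AppArmor rule quoted above allows; on glibc older than 2.34 link with -lrt.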