Problems creating snap package for KStars

Jamie Strandboge jamie at canonical.com
Tue Jul 5 16:15:02 UTC 2016


On Mon, 2016-07-04 at 08:27 +0200, Didier Roche wrote:
> On 02/07/2016 20:40, Jasem Mutlaq wrote:
> > 
> > > 5. dbus calls fail in strict confinement mode.
> I'm ccing Jamie here, he may have a look at them if they make sense to
> add to any interface.

I suspect we'll need a transition interface similar to 'unity7' for KDE apps
since KDE, like all traditional Linux desktops, has a different trust model
(where everything running in your session is trusted) than snappy (where apps
are considered untrusted). As Didier said, get your snap running in --devmode,
then file bugs at https://bugs.launchpad.net/snappy/+filebug adding the
'snapd-interface' tag and we can work through what is needed.

That said, I predict KDE apps needing kinit and all the various KDE IPC services
and how they (auto)start each other are going to present a real challenge to
have any meaningful security policy (based on experience with profiling KDE apps
and your apparmor logs) and require thoughtful design. We'll know more once
there is a working devmode snap and a bug is filed for it to work in strict
mode.

> > 7. Other apparmor problems (see log below)
> > 
> > Here is a link to the files:
> > 
> > 1. snapcraft.yaml: http://www.indilib.org/jdownloads/snap/snapcraft.yaml
> > 2. qt5-lunch: http://www.indilib.org/jdownloads/snap/qt5-lunch
> > 3. AppArmor log: http://www.indilib.org/jdownloads/snap/apparmor.txt
> > 
> > 
> > As you can see from the AppArmor log, there are a lot of calls been
> > made among all the various components, libraries, file system..etc.
> > Even when an executable like indi_simulator_ccd is accessing a
> > dependent library, it says:
> > 
> > = AppArmor =
> > Time: Jul  2 20:30:33
> > Log: apparmor="ALLOWED" operation="open"
> > profile="snap.kstars.kstars//null-/snap/kstars/x2/usr/bin/indiserver//null-
> > /snap/kstars/x5/usr/bin/indi_simulator_ccd"
> > name="/snap/kstars/x5/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2"
> > pid=4015 comm="indi_simulator_" requested_mask="r" denied_mask="r"
> > fsuid=1000 ouid=0
> > File: /snap/kstars/x5/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2 (read)
> > Suggestion:
> > * adjust program to read necessary files from $SNAP, $SNAP_DATA or
> > $SNAP_USER_DATA
> > 
> > Again, not sure how to adjust program to read from dependent library.
> > 
> Same, needing Jamie's feedback on those :)

This file should be allowed by the policy since it is in your $SNAP directory.
I'm a bit puzzled as to why this is showing up in the log. I will note that the
profile in question is 'snap.kstars.kstars//null-
/snap/kstars/x2/usr/bin/indiserver//null-
/snap/kstars/x5/usr/bin/indi_simulator_ccd' which is the complain-mode profile
name for the indi_simulator_ccd process that was launched by indiserver which
was started by something under the snap.kstars.kstars profile. Notice the 'x2'
for the snap's revision for indiserver and the 'x5' for the snap's revision for
indi_simulator_ccd. It seems that the snap was updated from 'x2' to 'x5' while
indiserver was still running?

Regardless, can you file a bug with detailed steps on how to reproduce and we
can work this out there.

Thanks!

-- 
Jamie Strandboge             | http://www.canonical.com
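
As an added example (not part of the original thread and not snapd's own
tooling), the following Python script does what Jamie does by hand above: it
splits a complain-mode profile name on its '//null-' exec transitions, reads the
snap revision out of each /snap/<name>/<rev>/ path in the chain, and flags a
record whose chain spans more than one revision. The field names follow the
AppArmor audit format quoted in the thread; the sample records are constructed
(the first is the thread's ALLOWED entry reassembled onto one line, the second
is an invented strict-mode denial outside $SNAP).

```python
"""Triage helper for AppArmor records emitted by a snap in complain mode.

Added example, not the thread's or snapd's own code. Field names follow the
AppArmor audit format; the sample records below are constructed.
"""
import re
from typing import Optional

# key=value pairs; values are either "quoted" or bare (pid=4015)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# /snap/<name>/<revision>/... as mounted for a snap's $SNAP
SNAP_PATH_RE = re.compile(r'^/snap/([^/]+)/([^/]+)/')

# Constructed sample input. The first record is the thread's ALLOWED entry
# reassembled onto one line; the second is an invented strict-mode denial.
SAMPLE_LOG = [
    'apparmor="ALLOWED" operation="open" '
    'profile="snap.kstars.kstars//null-/snap/kstars/x2/usr/bin/indiserver'
    '//null-/snap/kstars/x5/usr/bin/indi_simulator_ccd" '
    'name="/snap/kstars/x5/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2" '
    'pid=4015 comm="indi_simulator_" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.kstars.kstars" '
    'name="/home/user/.config/kdeglobals" pid=4100 comm="kstars" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]


def parse_record(line: str) -> dict:
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def profile_chain(profile: str) -> list:
    """A complain-mode profile name records each exec as
    '<parent>//null-<child executable path>'; return [base, child, ...]."""
    return profile.split('//null-')


def snap_revision(path: str) -> Optional[tuple]:
    """(snap name, revision) for a path under /snap/<name>/<rev>/, else None."""
    m = SNAP_PATH_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def analyze(line: str) -> dict:
    """Summarise one record: which processes were in the chain, under which
    snap revisions, and whether the target lives in the snap's own $SNAP."""
    rec = parse_record(line)
    chain = profile_chain(rec['profile'])
    base = chain[0]                                   # e.g. snap.kstars.kstars
    snap_name = base.split('.')[1] if base.startswith('snap.') else None
    chain_revs = set()
    for exe in chain[1:]:
        hit = snap_revision(exe)
        if hit and hit[0] == snap_name:
            chain_revs.add(hit[1])
    target = snap_revision(rec.get('name', ''))
    return {
        'base_profile': base,
        'snap': snap_name,
        'exec_chain': chain[1:],
        'chain_revisions': sorted(chain_revs),
        # two revisions in one chain means the snap was refreshed while a
        # parent from the old revision was still running
        'revision_skew': len(chain_revs) > 1,
        'target_revision': target[1] if target and target[0] == snap_name else None,
        'in_snap_dir': bool(target) and target[0] == snap_name,
        # ALLOWED together with a denied_mask is complain mode (devmode):
        # under enforcement this access would have been denied
        'complain_mode': rec.get('apparmor') == 'ALLOWED' and 'denied_mask' in rec,
    }


def triage(lines) -> list:
    """Analyze every record that carries a profile= field."""
    return [analyze(line) for line in lines if 'profile=' in line]


if __name__ == '__main__':
    for summary in triage(SAMPLE_LOG):
        print(summary)
```

On the first record the script reports an exec chain that crosses revisions x2
and x5 with a target already inside /snap/kstars/x5/, which is the
refresh-while-running situation Jamie suspects; the second record is an ordinary
denial of a path outside $SNAP, where the "adjust program to read from $SNAP"
suggestion actually applies. The same key=value parser can be pointed at kernel
audit lines from syslog or journalctl, since it ignores anything that is not a
key=value pair.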
