Cliqz Snap
Didier Roche
didrocks at ubuntu.com
Mon Nov 14 08:11:44 UTC 2016
On 13/11/2016 at 19:04, Chris wrote:
> On Sun, 2016-11-13 at 09:17 -0600, Chris wrote:
>> On Sun, 2016-11-13 at 10:41 +0800, XiaoGuo Liu wrote:
>>> Hi Chris,
>>>
>>> You may find the tips at
>>> https://github.com/snapcore/snapd/wiki/Security. You may use the
>>> command like:
>>>
>>> $ scmp_sys_resolver 983045
>>> set_tls
>>> to find out the security violation.
>>>
>>> Best regards,
>>> XiaoGuo
>>>
>> Thank you XiaoGuo, so in my case I have syscall=272. Running
>>
>> chris at localhost:~$ scmp_sys_resolver 272
>> unshare
>>
>> I've installed snappy-debug but can't seem to get any kind of output
>> when run. Maybe I'm using the wrong commands?
>>
> Replying to my own post. I wasn't running the snap whenever I ran
>
> sudo snappy-debug.security scanlog --all-entries cliqz
>
> Once I executed the snap from the menu with the above running I got
>
> chris at localhost:~$ sudo snappy-debug.security scanlog --all-entries cliqz
> kernel.printk_ratelimit = 0
> = Seccomp =
> Time: Nov 13 11:49:59
> Log: auid=1000 uid=1000 gid=1000 ses=3 pid=29796 comm="cliqz" exe="/snap/cliqz/6/opt/CLIQZ/CLIQZ" sig=31 arch=c000003e 272(unshare) compat=0 ip=0x7ffacd899c19 code=0x0
> Syscall: unshare
> Syscall: unshare
>
> So, now it seems as there is a seccomp violation stopping the snap from
> running, at least that's what it appears to me to be. Where would I go
> from here? Contact the snap author?
Indeed, the snap author didn't set the confinement rules on his app. The
snap should then be in devmode (but not published in the stable
channel), to not create user frustration executing something which fails.
Do you mind contacting upstream so that they work on confinement?
Thanks!
Didier
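
The triage done by hand in this thread (read the seccomp record, resolve the syscall number, identify the snap) can be scripted. The following is an added example, not part of the original messages or of snapd/snappy-debug; the function name and the two small lookup tables are assumptions, and the raw-form record is constructed from the denial quoted above.

```python
import re
import shlex

# Constructed from the denial quoted in the thread: the raw kernel form
# (syscall=272) and the form snappy-debug prints (272(unshare)).
RAW = ('auid=1000 uid=1000 gid=1000 ses=3 pid=29796 comm="cliqz" '
       'exe="/snap/cliqz/6/opt/CLIQZ/CLIQZ" sig=31 arch=c000003e '
       'syscall=272 compat=0 ip=0x7ffacd899c19 code=0x0')
ANNOTATED = RAW.replace("syscall=272", "272(unshare)")

# Syscall numbers are per-architecture, so the arch field picks the table.
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000028: "arm"}
# Assumption: only the two numbers resolved in the thread are listed here;
# scmp_sys_resolver remains the authority for anything else.
SYSCALLS = {("x86_64", 272): "unshare", ("arm", 983045): "set_tls"}
SIGSYS = 31  # on x86 and ARM Linux: signal raised when seccomp kills a process


def parse_seccomp_denial(line):
    """Turn one seccomp audit record into a dict a triage script can use."""
    fields = {}
    for token in shlex.split(line):          # strips the quotes around comm/exe
        annotated = re.fullmatch(r"(\d+)\((\w+)\)", token)
        if annotated:                        # snappy-debug's "272(unshare)"
            fields["syscall"], fields["name"] = annotated.groups()
        elif "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    if "syscall" not in fields or "arch" not in fields:
        raise ValueError("not a seccomp denial record")

    arch = AUDIT_ARCH.get(int(fields["arch"], 16), "unknown")
    number = int(fields["syscall"])
    snap = re.match(r"/snap/([^/]+)/([^/]+)/", fields.get("exe", ""))
    return {
        "snap": snap.group(1) if snap else None,
        "revision": snap.group(2) if snap else None,
        "arch": arch,
        "syscall": number,
        "syscall_name": fields.get("name") or SYSCALLS.get((arch, number), "unresolved"),
        "killed_by_seccomp": int(fields.get("sig", 0)) == SIGSYS,
    }


if __name__ == "__main__":
    for record in (RAW, ANNOTATED):
        print(parse_seccomp_denial(record))
```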