Configuring apparmor / seccomp for a snap to allow sendmsg and mkfifo?
Jamie Strandboge
jamie at canonical.com
Tue Oct 25 13:33:32 UTC 2016
On Tue, 2016-10-25 at 08:24 +0200, Didier Roche wrote:
> On 24/10/2016 at 21:52, Dan Kegel wrote:
> >
> > I'm trying to snap a largish package; works fine in devmode,
> > but as the app likes to use unix sockets and fifos, it fails in
> > confined mode with
> >
> > $ sudo /snap/bin/snappy-debug.security scanlog
> > = AppArmor =
> > Time: Oct 24 11:41:09
> > Log: apparmor="DENIED" operation="sendmsg" profile="snap.foo" pid=8536
> > comm="foo" family="unix" sock_type="dgram" protocol=0
> > requested_mask="send" denied_mask="send" addr=none
> > peer_addr="@6E76696469613561653734343766000000000000000000000000000000000000
> > 00000000000000000000000000000000000000000000000000000000000000"
> > peer="unconfined"
> >
> > = Seccomp =
> > Time: Oct 24 11:41:09
> > Log: auid=4294967295 uid=1001 gid=1001 ses=4294967295 pid=8536
> > comm="foo" exe="/snap/foo/x7/bin/foo" sig=31 arch=c000003e 133(mknod)
> > compat=0 ip=0x7f17f6fb542d code=0x0
> > Syscall: mknod
> >
> > Any suggestions (other than 'don't do that')?
> Unix sockets are definitely possible. I'm using sockets based on unix
> files for some of my projects and write them to $SNAP_DATA (for daemons,
> the daemon creating the socket) and it works well. You may want to try this?
>
Instead of using an abstract or anonymous socket, use a named socket and put it in
SNAP_DATA and you won't get the apparmor denial. It's planned to allow
applications to create abstract sockets for intra-snap communication, but it
hasn't landed yet.
> On mknod, I don't know if we have any plan for enabling this in some
> ways. CCing Jamie for this.
>
mknod is intentionally and explicitly denied. It is planned to allow snaps via
seccomp arg filtering policy the ability to create S_IFIFO and S_IFREG files
(i.e., pipes and regular files, but not character and block devices), but it
hasn't landed yet.
> >
> > I imagine there's a way to configure both apparmor and seccomp for
> > snaps, but haven't found it yet.
> > https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
> > has some clues
> > http://askubuntu.com/questions/796809/add-custom-apparmor-rules-to-snap
> > seems on topic
> > Should I be looking at the snapd source? (I see there's an apparmor
> > interface, but maybe that's internal only...)
> >
> I don't think we want snaps to ship their own configuration. It's better
> to collaborate on a snapd interface that can be reused between snaps,
> rather than letting any snap define its own confinement rules (or said
> differently, the confinement may be useless if we allow this).
>
> Cheers,
> Didier
>
--
Jamie Strandboge | http://www.canonical.com
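
A sketch of the named-socket approach suggested in this thread, added here as an example; it is not code from the original messages or from snapd. Both datagram endpoints bind to filesystem paths under SNAP_DATA instead of abstract addresses. The socket file names and the temp-directory fallback used when SNAP_DATA is unset are assumptions.

```python
import os
import socket
import tempfile

def socket_dir():
    # Inside a snap, SNAP_DATA is set by snapd; the temp-dir fallback is an
    # assumption so the example also runs outside a snap.
    return os.environ.get("SNAP_DATA") or tempfile.mkdtemp(prefix="snap-data-")

def bind_named(path):
    """Bind a datagram socket to a filesystem path (a named socket)."""
    if path.startswith("\0"):
        raise ValueError("abstract address; use a path under SNAP_DATA")
    try:
        os.unlink(path)  # remove a stale socket file left by a previous run
    except FileNotFoundError:
        pass
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    old_umask = os.umask(0o077)  # create the socket file owner-only
    try:
        sock.bind(path)
    finally:
        os.umask(old_umask)
    return sock

def exchange(payload):
    base = socket_dir()
    server_path = os.path.join(base, "foo.sock")         # hypothetical name
    client_path = os.path.join(base, "foo-client.sock")  # hypothetical name
    server = bind_named(server_path)
    # The client binds to a path as well: an unbound datagram sender has no
    # address for replies (the denial quoted above shows addr=none).
    client = bind_named(client_path)
    try:
        client.sendmsg([payload], [], 0, server_path)
        data, _, _, sender = server.recvmsg(4096)
        server.sendmsg([data.upper()], [], 0, sender)
        reply = client.recvmsg(4096)[0]
        return sender, reply
    finally:
        server.close()
        client.close()
        os.unlink(server_path)
        os.unlink(client_path)

if __name__ == "__main__":
    print(exchange(b"ping"))
```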