Where to save stuff (in snap-agnostic way)
Luca Dionisi
luca.dionisi at gmail.com
Sat Feb 4 11:20:35 UTC 2017
The results are the very same (apart from "namespace") on a real
machine, so the LXD container shouldn't be the cause.
On Sat, Feb 4, 2017 at 12:14 PM, Luca Dionisi <luca.dionisi at gmail.com> wrote:
> More in context:
>
> In a classic Ubuntu (but inside a LXD container) I run:
> ubuntu at thorough-bear:~$ hello-world.sh
>
> This gives me a bash inside a snap environment.
> There I run:
> bash-4.3$ mkfifo --help
> bash: /usr/bin/mkfifo: Permission denied
>
> If I run dmesg (outside the snap environment) it reports:
>
> [94156.909950] audit: type=1400 audit(1486206367.506:1768): apparmor="DENIED"
> operation="exec"
> namespace="root//lxd-thorough-bear_<var-lib-lxd>"
> profile="snap.hello-world.sh"
> name="/usr/bin/mkfifo"
> pid=7925
> comm="bash"
> requested_mask="x"
> denied_mask="x"
> fsuid=101000
> ouid=100000
>
> [94156.910123] audit: type=1400 audit(1486206367.506:1769): apparmor="DENIED"
> operation="open"
> namespace="root//lxd-thorough-bear_<var-lib-lxd>"
> profile="snap.hello-world.sh"
> name="/usr/bin/mkfifo"
> pid=7925
> comm="bash"
> requested_mask="r"
> denied_mask="r"
> fsuid=101000
> ouid=100000
>
> On Sat, Feb 4, 2017 at 12:02 PM, Luca Dionisi <luca.dionisi at gmail.com> wrote:
>> Well, it seems that the problem is the userspace tool itself.
>> bash-4.3$ mkfifo --help
>> bash: /usr/bin/mkfifo: Permission denied
>>
>> On Sat, Feb 4, 2017 at 12:00 PM, Luca Dionisi <luca.dionisi at gmail.com> wrote:
>>> On Sat, Feb 4, 2017 at 11:43 AM, Oliver Grawert <ogra at ubuntu.com> wrote:
>>>> hi,
>>>> On Friday, 03.02.2017, 21:04 +0100, Luca Dionisi wrote:
>>>>> What is the best place to write (and read) a temporary FIFO file from
>>>>> a confined snap application?
>>>>> This is for simple IPC between 2 processes of the same snap.
>>>>> Before attempting to snap the application I was using a fixed filename
>>>>> in /tmp. Admittedly a poor solution.
>>>>> The solution should be usable also with another packaging system.
>>>>>
>>>> well ... in case of snaps /tmp is a private directory that only your
>>>> snap can access so it is actually a good place for such stuff ...
>>>
>>> It's worse than that, Jim!
>>>
>>> Inside the snap environment I can write files and directories both in
>>> /tmp and in $XDG_RUNTIME_DIR.
>>> What I cannot do anywhere is create a FIFO.
>>>
>>> bash-4.3$ mkfifo a
>>> bash: /usr/bin/mkfifo: Permission denied
>>>
>>> What's the problem here?
>>>
>>> To be honest I should say that my tests have been conducted in LXD
>>> containers. I don't know if the situation holds true also in real
>>> machines.
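The two dmesg records quoted above both carry name="/usr/bin/mkfifo" with operation="exec" and operation="open": the profile refuses to execute and read the coreutils binary, and no record names a path under /tmp or $XDG_RUNTIME_DIR. The script below is an added example, not code from the thread or from the snapd project. It parses AppArmor "DENIED" lines in the key="value" form shown above (the sample input is the thread's two records joined back onto one line each), reports which binaries a given profile was refused exec on, and then creates the FIFO with the mknod syscall via os.mkfifo rather than by spawning /usr/bin/mkfifo. Function names (parse_apparmor_denials, summarize, exec_denied_binaries, make_fifo, demo_fifo) are my own; the assumption that the snap's seccomp policy allows creating a FIFO in its writable directories is not verified anywhere in the thread, and the demo simply runs in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Constructed sample input: the two AppArmor "DENIED" records that the thread
# quotes from dmesg, each re-joined onto a single line as the kernel emits it.
SAMPLE_DMESG = (
    '[94156.909950] audit: type=1400 audit(1486206367.506:1768): apparmor="DENIED" '
    'operation="exec" namespace="root//lxd-thorough-bear_<var-lib-lxd>" '
    'profile="snap.hello-world.sh" name="/usr/bin/mkfifo" pid=7925 comm="bash" '
    'requested_mask="x" denied_mask="x" fsuid=101000 ouid=100000\n'
    '[94156.910123] audit: type=1400 audit(1486206367.506:1769): apparmor="DENIED" '
    'operation="open" namespace="root//lxd-thorough-bear_<var-lib-lxd>" '
    'profile="snap.hello-world.sh" name="/usr/bin/mkfifo" pid=7925 comm="bash" '
    'requested_mask="r" denied_mask="r" fsuid=101000 ouid=100000\n'
)

# key=value or key="quoted value" pairs; the leading audit(...) token has no
# "=" directly after its name, so it is skipped by the regex.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_denials(text):
    """Return one dict of fields per apparmor="DENIED" record in the dmesg text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        records.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return records


def summarize(records):
    """Collapse denials to (operation, path, denied_mask) so the target is obvious."""
    return sorted({(r["operation"], r["name"], r["denied_mask"]) for r in records})


def exec_denied_binaries(records, profile):
    """Paths a given snap profile was refused permission to execute."""
    return sorted({r["name"] for r in records
                   if r.get("profile") == profile and r["operation"] == "exec"})


def make_fifo(directory, name="ipc.fifo", mode=0o600):
    """Create the FIFO through the mknod syscall (os.mkfifo) instead of spawning
    /usr/bin/mkfifo; the directory is the caller's choice, e.g. /tmp or
    $XDG_RUNTIME_DIR, which the thread reports as writable from the snap.
    Whether the snap's seccomp policy permits this is an assumption, not verified here."""
    path = os.path.join(directory, name)
    os.mkfifo(path, mode)
    return path


def demo_fifo():
    """Create a FIFO in a fresh temp dir, report whether it really is one, clean up."""
    d = tempfile.mkdtemp(prefix="snapfifo-")
    try:
        p = make_fifo(d)
        return stat.S_ISFIFO(os.stat(p).st_mode)
    finally:
        for f in os.listdir(d):
            os.unlink(os.path.join(d, f))
        os.rmdir(d)


if __name__ == "__main__":
    recs = parse_apparmor_denials(SAMPLE_DMESG)
    for op, path, mask in summarize(recs):
        print(f"{op:5} {mask:2} {path}")
    print("binaries denied exec:", exec_denied_binaries(recs, "snap.hello-world.sh"))
    print("FIFO created via syscall:", demo_fifo())
```

Run it as-is to see the two denials reduced to their (operation, path, mask) triples; feed it `dmesg | grep DENIED` output from a real box to check whether a denial is about a binary the snap tried to exec or about the path the FIFO would live at, which are different problems with different fixes (staging the tool inside the snap versus choosing a writable directory).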