chroot into a snap

Roberto Mier Escandón  roberto.escandon at canonical.com
Fri Feb 10 13:44:18 UTC 2017


That's interesting, Simon. Good idea having available both $SNAP_DATA
and /media. We'll do.

But now, let's get back to the original topic: chroot into a snap.
After solving the issue Thomas found related to the path of the
document, I see now there are two operations not allowed in strict
confinement: mknod and chroot. Here is what the snappy-debug.security
log shows:

= Seccomp =
Time: Feb 10 12:31:31
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31983 comm="loolkit"
exe="/snap/loolwsd/x16/usr/bin/loolforkit" sig=31 arch=c000003e
133(mknod) compat=0 ip=0x7f6a6d6450fd code=0x0
Syscall: mknod

= Seccomp =
Time: Feb 10 12:31:42
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11048 comm="loolkit"
exe="/snap/loolwsd/x17/usr/bin/loolforkit" sig=31 arch=c000003e
161(chroot) compat=0 ip=0x7fd0178dfb47 code=0x0
Syscall: chroot

I've solved that by plugging docker-support and all works fine. But that
interface gives a lot of permissions, and the name is maybe not the most
accurate for a case like this.
Shouldn't we have an interface allowing mknod, chroot and maybe ptrace
for snaps creating their own chroot jails?

BR.


On 10/02/17 11:34, Simon Fels wrote:
> I think you have to support both as otherwise you may miss certain setups
> of nextcloud. One may be configured to use $SNAP_DATA/$SNAP_COMMON to store
> its data, another one may use /media/.. to do that. In the end there needs
> to be some kind of communication happen between both snaps.
> 
> Either the nextcloud snap shares the data directory via the content
> interface, regardless where it is. However for that case I am not sure if
> the security rules of the content interface would allow such a case
> (effectively sharing /media to another snap via the content interface).
> 
> The other way would be that the nextcloud snap somehow exposes a pointer
> for the office snap where to look for its data and then it can either use
> the path connected via the content or via the removable-media plug.
> 
> regards,
> Simon
> 
> On Fri, Feb 10, 2017 at 9:48 AM, Roberto Mier Escandón  <
> roberto.escandon at canonical.com> wrote:
> 
>> Ah, thanks. I'd better use content then.
>>
>> On 10/02/17 09:38, Simon Fels wrote:
>>> On 10.02.2017 09:16, Roberto Mier Escandón  wrote:
>>>> I tried content sharing and works fine in this case, Nextcloud exposing
>>>> a slot to its documents folder. I think I saw somewhere this is only
>>>> valid for a 1-1 plug-slot, so that only 1 snap can use that slot at the
>>>> same time. Is that correct? Can removable-media improve this?
>>>
>>> There can be multiple plugs using the slot.
>>>
>>> The removable-media interfaces allows access to the host /media
>>> directory. That is everything. So unless nextcloud places its data files
>>> there this doesn't help you.
>>>
>>> regards,
>>> Simon
>>>
>>>
>>
>> --
>> Snapcraft mailing list
>> Snapcraft at lists.snapcraft.io
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/
>> mailman/listinfo/snapcraft
>>
> 
> 
> 
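Added example, not from this thread or from snapd: a small parser for the `= Seccomp =` blocks that snappy-debug.security prints, which pulls out the killed process and syscall from each denial and then shows which syscalls would still be denied if a narrower interface than docker-support granted only a chosen set. The sample text is the two log blocks from this post; the regular expressions assume that field layout.

```python
import re
from collections import defaultdict

# Sample copied from the snappy-debug.security output quoted in this post.
SAMPLE_LOG = """\
= Seccomp =
Time: Feb 10 12:31:31
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31983 comm="loolkit"
exe="/snap/loolwsd/x16/usr/bin/loolforkit" sig=31 arch=c000003e
133(mknod) compat=0 ip=0x7f6a6d6450fd code=0x0
Syscall: mknod

= Seccomp =
Time: Feb 10 12:31:42
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11048 comm="loolkit"
exe="/snap/loolwsd/x17/usr/bin/loolforkit" sig=31 arch=c000003e
161(chroot) compat=0 ip=0x7fd0178dfb47 code=0x0
Syscall: chroot
"""

# Field layout assumed from the blocks above: pid/comm on the Log line, exe on
# the next line, then "<nr>(<name>)" for the syscall number and name.
SECCOMP_FIELDS = re.compile(
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)".*?exe="(?P<exe>[^"]*)".*?'
    r'\s(?P<nr>\d+)\((?P<name>\w+)\)',
    re.S,
)

def parse_seccomp_denials(text):
    """Return one dict per '= Seccomp =' block: time, pid, comm, exe, syscall nr and name."""
    denials = []
    for block in text.split("= Seccomp ="):
        fields = SECCOMP_FIELDS.search(block)
        when = re.search(r"^Time:\s*(.+)$", block, re.M)
        syscall = re.search(r"^Syscall:\s*(\w+)", block, re.M)
        if not (fields and syscall):
            continue  # not a denial block (e.g. leading text)
        d = fields.groupdict()
        d["pid"] = int(d["pid"])
        d["nr"] = int(d["nr"])
        d["time"] = when.group(1).strip() if when else None
        d["name"] = syscall.group(1)  # the explicit 'Syscall:' line is authoritative
        denials.append(d)
    return denials

def syscalls_by_exe(denials):
    """Map each executable to the set of syscalls seccomp killed it for (sig=31 is SIGSYS)."""
    out = defaultdict(set)
    for d in denials:
        out[d["exe"]].add(d["name"])
    return dict(out)

def uncovered_syscalls(denials, interface_allows):
    """Syscalls still denied if only `interface_allows` were added to the snap's filter."""
    return sorted({d["name"] for d in denials} - set(interface_allows))
```

Running `uncovered_syscalls(parse_seccomp_denials(SAMPLE_LOG), {"mknod"})` returns `["chroot"]`, so the list of denials can be checked against a proposed interface's syscall allowlist before reaching for a broad one.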