chroot into a snap

Jamie Strandboge jamie at canonical.com
Mon Feb 13 16:04:13 UTC 2017


On Mon, 2017-02-13 at 09:40 -0600, Jamie Strandboge wrote:
> On Fri, 2017-02-10 at 14:44 +0100, Roberto Mier Escandón  wrote:
>> > = Seccomp =
> > Time: Feb 10 12:31:42
> > Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11048 comm="loolkit"
> > exe="/snap/loolwsd/x17/usr/bin/loolforkit" sig=31 arch=c000003e
> > 161(chroot) compat=0 ip=0x7fd0178dfb47 code=0x0
> > Syscall: chroot
> > 
> This may be tricky as the paths 
> 
Whoops, this got cut off. Basically, just file a bug as I asked later. :)

> > 
> > I've solved that by plugging docker-support and all works fine. But that
> > interface gives a lot of permissions, and the name maybe is not the most
> > accurate for a case like this.
> The docker-support interface should not be used for this. It is a so called
> 'super-privileged' interface and like you said, grants way more than is
> needed.
> 
> > 
> > Shouldn't we have an interface allowing mknod, chroot and maybe ptrace
> > for snaps creating their own chroot jails?.
> As said, mknod is in progress. Can you file a bug for chroot?
> 
> ptrace we could allow with 4.8+ kernels or if we add 'seccomp after ptrace' to
> the list of kernel patches for snappy.
> 
> -- 
> Snapcraft mailing list
> Snapcraft at lists.snapcraft.io
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/s
> napcraft
-- 
Jamie Strandboge             | http://www.canonical.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/snapcraft/attachments/20170213/9501d7b2/attachment.sig>


More information about the Snapcraft mailing list