chroot into a snap

Roberto Mier Escandón  roberto.escandon at canonical.com
Mon Feb 13 16:27:39 UTC 2017


Thanks Jamie,
I've reopened one [1] that I marked as invalid when I plugged docker-support.

[1] https://bugs.launchpad.net/snappy/+bug/1663175

On 13/02/17 17:04, Jamie Strandboge wrote:
> On Mon, 2017-02-13 at 09:40 -0600, Jamie Strandboge wrote:
>> On Fri, 2017-02-10 at 14:44 +0100, Roberto Mier Escandón  wrote:
>>>  
>>> = Seccomp =
>>> Time: Feb 10 12:31:42
>>> Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11048 comm="loolkit"
>>> exe="/snap/loolwsd/x17/usr/bin/loolforkit" sig=31 arch=c000003e
>>> 161(chroot) compat=0 ip=0x7fd0178dfb47 code=0x0
>>> Syscall: chroot
>>>
>> This may be tricky as the paths 
>>
> Whoops, this got cut off. Basically, just file a bug as I asked later. :)
> 
>>>
>>> I've solved that by plugging docker-support and all works fine. But that
>>> interface gives a lot of permissions, and the name maybe is not the most
>>> accurate for a case like this.
>> The docker-support interface should not be used for this. It is a so called
>> 'super-privileged' interface and like you said, grants way more than is
>> needed.
>>
>>>
>>> Shouldn't we have an interface allowing mknod, chroot and maybe ptrace
>>> for snaps creating their own chroot jails?
>> As said, mknod is in progress. Can you file a bug for chroot?
>>
>> ptrace we could allow with 4.8+ kernels or if we add 'seccomp after ptrace' to
>> the list of kernel patches for snappy.
>>
>> -- 
>> Snapcraft mailing list
>> Snapcraft at lists.snapcraft.io
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
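As an added example (not code from the thread or from snapd), a small Python parser for seccomp denial lines like the one quoted above: it pulls out the snap name from the exe path, the syscall number and name, the audit arch, and whether the process was killed (sig=31 is SIGSYS on x86_64). The audit arch table is an assumption limited to three common values.

```python
import re

# Constructed sample: the seccomp denial line quoted in the thread, with the wrapped lines joined.
SAMPLE = ('auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11048 comm="loolkit" '
          'exe="/snap/loolwsd/x17/usr/bin/loolforkit" sig=31 arch=c000003e '
          '161(chroot) compat=0 ip=0x7fd0178dfb47 code=0x0')

# Assumed subset of AUDIT_ARCH_* identifiers from the Linux audit headers.
AUDIT_ARCH = {'c000003e': 'x86_64', '40000003': 'i386', 'c00000b7': 'aarch64'}

SIGSYS = '31'  # signal the default seccomp action sends on x86_64


def parse_seccomp_line(line):
    """Parse a seccomp audit record into a dict of its key=value fields plus the syscall."""
    # Quoted values (comm, exe) may contain spaces, so accept "..." or a bare token.
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    fields = {k: v.strip('"') for k, v in fields.items()}
    # The syscall appears as number(name), e.g. 161(chroot); keep both parts.
    m = re.search(r'\b(\d+)\((\w+)\)', line)
    if m:
        fields['syscall_nr'] = int(m.group(1))
        fields['syscall'] = m.group(2)
    fields['arch_name'] = AUDIT_ARCH.get(fields.get('arch'), 'unknown')
    fields['killed'] = fields.get('sig') == SIGSYS
    return fields


def snap_from_exe(exe):
    """Return the snap name from a /snap/<name>/<revision>/... path, or None."""
    m = re.match(r'^/snap/([^/]+)/[^/]+/', exe)
    return m.group(1) if m else None


def summarize(line):
    """Reduce one denial line to the fields a snap author needs to file or triage a bug."""
    f = parse_seccomp_line(line)
    return {
        'snap': snap_from_exe(f.get('exe', '')),
        'syscall': f.get('syscall'),
        'syscall_nr': f.get('syscall_nr'),
        'arch': f['arch_name'],
        'killed': f['killed'],
        'pid': int(f['pid']),
    }


if __name__ == '__main__':
    print(summarize(SAMPLE))
```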
