snapd and semaphores

Olivier Tilloy olivier.tilloy at canonical.com
Wed Jan 4 12:39:49 UTC 2017


On Tue, Jan 3, 2017 at 8:21 PM, Jamie Strandboge <jamie at canonical.com> wrote:
> On Mon, 2017-01-02 at 16:34 +0100, Olivier Tilloy wrote:
>> Hi everyone, and happy new year!
>>
>> I’m snapping an app that makes use of semaphores¹ and seeing an
>> apparmor denial. The glibc implementation of sem_open calls
>> SHM_GET_NAME(EINVAL,SEM_FAILED,SEM_SHM_PREFIX) where SEM_SHM_PREFIX is
>> "sem.", so it tries to create /dev/shm/sem.{name}, which fails because
>> snapd only allows /dev/shm/snap.@{SNAP_NAME}.**.
>> At a quick glance, there’s no mechanism (e.g. env var) to customize
>> the prefix ("sem.").
>> Is this an issue others have run into? Is there a recommended solution?
>>
>> Thanks in advance!
>>
>
> Reading sem_overview, it seems that we should also allow:
> '/dev/shm/sem.snap.@{SNAP_NAME}.*'. In this manner, we namespace /dev/shm/sem.*
> by snap name just like we do other parts of the OS. Please file a bug and we'll
> get this fixed.

This will require patching upstream apps, and is not likely to be
easily merged by upstream projects, so not ideal, but I understand the
need for namespacing /dev/shm/sem.* for true security.

Here is the bug report: https://launchpad.net/bugs/1653955

Cheers,

 Olivier




More information about the Snapcraft mailing list