Reading /etc

Jamie Strandboge jamie at canonical.com
Thu Mar 2 13:56:10 UTC 2017


On Wed, 2017-03-01 at 23:06 -0300, Facundo Batista wrote:
> Hola!
> 
> When calling pip from inside a snap, it (while investigating the system it's
> in) tries to  os.listdir("/etc")  which is
> denied to it:
> 
> 	Mar  1 15:44:04 tanquita kernel: [16153.906524] audit: type=1400 audit(1488393844.939:99): apparmor="DENIED" operation="open" namespace="root//lxd-fadestest_<var-lib-lxd>" profile="snap.fades.fades" name="/etc/" pid=10606 comm="python" requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536
> 
> Which interface should I add to the snap for it to have read only access to
> /etc?

There isn't a rule in the policy for os.listdir("/etc") atm. Allowing that
wouldn't be the worst thing in the world (it would constitute a small
information leak), but I suspect you are going to need more access than just
"/etc" that may or may not be useful. Importantly, if this is because of what
Marco said and this has to do with OS detection, then the snap may end up being
misled (this is being discussed in https://github.com/snapcore/snapd/pull/2947).

I suggest following the wiki[1] and then filing a bug with the accesses you
want, and we can go from there. If you want me to help you get to the bottom of
this, just file the bug now or contact me on irc.

[1] https://github.com/snapcore/snapd/wiki/Security#interface-development-and-security-policy

-- 
Jamie Strandboge             | http://www.canonical.com
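The denial quoted above is the kind of record you would collect before filing the interface bug Jamie asks for. As an added example (not code from either poster or from snapd), this parses AppArmor audit lines into their key=value fields and reduces DENIED records to profile, command, path and mask; the log lines are constructed, the first being the one from the message re-joined onto a single line.

```python
"""Triage AppArmor denials like the one quoted in this thread (constructed samples)."""
import re
from typing import Dict, List

# Matches key=value tokens; values are either "double quoted" or a bare word.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines. The first is the denial from the message above,
# re-joined onto one line; the other two are made up for illustration.
SAMPLE_LOG = [
    'Mar  1 15:44:04 tanquita kernel: [16153.906524] audit: type=1400 '
    'audit(1488393844.939:99): apparmor="DENIED" operation="open" '
    'namespace="root//lxd-fadestest_<var-lib-lxd>" profile="snap.fades.fades" '
    'name="/etc/" pid=10606 comm="python" requested_mask="r" denied_mask="r" '
    'fsuid=165536 ouid=165536',
    'Mar  1 15:44:05 tanquita kernel: [16153.907001] audit: type=1400 '
    'audit(1488393845.001:100): apparmor="ALLOWED" operation="open" '
    'profile="snap.fades.fades" name="/etc/os-release" pid=10606 comm="python" '
    'requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536',
    'Mar  1 15:44:06 tanquita kernel: something unrelated without fields',
]

def parse_audit_fields(line: str) -> Dict[str, str]:
    """Return the key=value fields of one audit line, with quotes stripped.

    The syslog/kernel prefix carries no '=' tokens, so it is skipped naturally.
    """
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def summarize_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Reduce DENIED records to what a bug report needs: profile, command,
    operation, path and denied mask. A path ending in '/' with a read mask is
    a directory listing, which is what os.listdir("/etc") produces."""
    summary = []
    for line in lines:
        f = parse_audit_fields(line)
        if f.get("apparmor") != "DENIED":
            continue  # complain-mode "ALLOWED" and non-audit lines are skipped
        path, mask = f.get("name", ""), f.get("denied_mask", "")
        kind = "dir-listing" if path.endswith("/") and "r" in mask else "file-access"
        summary.append({"profile": f.get("profile", ""), "comm": f.get("comm", ""),
                        "operation": f.get("operation", ""), "path": path,
                        "denied_mask": mask, "kind": kind})
    return summary

if __name__ == "__main__":
    for rec in summarize_denials(SAMPLE_LOG):
        print(rec)
```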
