the snap package (strict confinement),
> > nothing happens. I have tried to include bash and dash packages as
> > stage-packages but it doesn't work. Is this something that can be achieved
> > using the snap package system?
> >
> > Thank you very much!
> >
> > Best,
> >
> > Eloy
> >
>
>
--
Jamie Strandboge | http://www.canonical.com
signature.asc
Description: This is a digitally signed message part
--
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/snapcraft
-gpio-26 -
> screenly-pi3:bcm-gpio-3 -
> screenly-pi3:bcm-gpio-4 -
> screenly-pi3:bcm-gpio-5 -
> screenly-pi3:bcm-gpio-6 -
> screenly-pi3:bcm-gpio-7 -
> screenly-pi3:bcm-gpio-8 -
> s
t/2017-March/003669.html
I'm of course fine with other reviewers granting auto aliases in the future.
This got caught up in an issue with the mailing list server and never made it to
the list. Resending now-- sorry for the delay in response to the list.
Forwarded Message
From: Jamie Strandboge <ja...@canonical.com>
To: Mark Shuttleworth <mark.shuttlewo...@canonica
On Tue, 2017-03-21 at 18:11 +0100, Loïc Minier wrote:
> Hi!
>
> On Mon, Mar 20, 2017 at 8:29 PM, Jamie Strandboge <ja...@canonical.com>
> wrote:
>
> >
> > The aksusbd case seems like it could be covered by existing interface
> > techniques. The
ed in
> hotplugging requirements, not sure about the latter. Perhaps I should add
> these to some existing design doc?
>
That seems wise for both cases (though the device acls is somewhat orthogonal).
I'm not sure where the hotplugging design doc is (iirc, Gustavo may have the
details).
On Tue, 2017-03-07 at 13:41 -0600, Jamie Strandboge wrote:
> On Tue, 2017-03-07 at 15:05 +, Nicolino Curalli wrote:
> >
> > Hi kyleN
> > thanks so much for the answer.
> >
> > A question for go ahead from my side:
> > how can I request the st
Resending since this (and a few other emails) got caught up in a filter that was
recently activated for this list.
On Tue, 2017-03-07 at 08:36 -0600, Jamie Strandboge wrote:
> On Tue, 2017-03-07 at 09:19 -0500, knitzsche wrote:
> >
> > I don't think the prepare-device script can
If not, can you file a new bug here:
https://bugs.launchpad.net/snapd/+filebug
Please include the denials you are seeing.
though ... it looks rather like you did not add libqt5sql5
> > > to
> > > your stage-packages in snapcraft.yaml ...
> > >
> > > ciao
> > > oli
> > >
.com/snapcore/snapd/pull/2947).
I suggest following the wiki[1] and then filing a bug with the accesses you
want, and we can go from there. If you want me to help you get to the bottom of
this, just file the bug now or contact me on irc.
[1]https://github.com/snapcore/snapd/wiki/Security#inter
On Tue, 2017-02-21 at 11:53 -0600, Jamie Strandboge wrote:
> On Tue, 2017-02-21 at 12:39 +0100, Luca Dionisi wrote:
> >
> > Are network namespaces supported in snaps?
> >
> > In my RaspberryPi3 I have a snap which has been installed with --devmode.
> > Inside th
]' and to
connect the interface with 'sudo snap connect myapp:network-control' even when
using devmode. After that you should be able to use 'ip netns' within your snap.
I've used this command for that
sort of thing:
$ PAGER=cat LANG='en_US.UTF-8' MANWIDTH=80 man --warnings \
-E UTF-8 -l ./path/to/page > ./path/to/dumped/page
em services) so that non-root logged in users can't
perform privileged operations via the interfaces. The very simplistic policy is
a result of polkit not being available in core yet. polkit is something the
Personal team is looking at enabling in snappy. Once polkit is available, then
that allows
'. Plugging snaps do:
name: foo-vlc-controller
apps:
foo-vlc-controller:
plugs: [ mpris ]
Then on install they can be connected with:
$ sudo snap connect foo-vlc-controller:mpris forked-vlc:mpris
Notice that foo-vlc-controller doesn't care about what is on the other end
(vlc, vs
eeded.
> Shouldn't we have an interface allowing mknod, chroot and maybe ptrace
> for snaps creating their own chroot jails?.
As said, mknod is in progress. Can you file a bug for chroot?
ptrace we could allow with 4.8+ kernels or if we add 'seccomp after ptrace' to
the
/sem.snap.foo.bar";
open(name, O_CREAT | O_EXCL | O_RDWR, S_IRUSR | S_IWUSR);
sem_open("snap.foo.bar", 0);
As such, sem_open() can work under confinement, but the application needs to be
written to work within it.
Sergio put together snapcraft-preload:
https://github
ions of that command or other commands
from the same snap. Try it: create a snap with two commands, have one create a
file in /tmp and another to read the same file in /tmp-- it will work and the
temporary directory in the system's /tmp will be
/tmp/snap.0_snap.$SNAP_NAME._... will have the fi
On Wed, 2017-02-01 at 08:46 -0600, Jamie Strandboge wrote:
> On Wed, 2017-02-01 at 20:33 +0800, James Henstridge wrote:
> >
> > Hi,
> >
> > On our team we've been working to snap the thumbnailer project. While
> > there are some problems that are
On Fri, 2017-02-03 at 19:59 +0800, James Henstridge wrote:
> On 1 February 2017 at 22:46, Jamie Strandboge <ja...@canonical.com> wrote:
> >
> > On Wed, 2017-02-01 at 20:33 +0800, James Henstridge wrote:
> > >
> > > 2. Use of the libapparmor aa_is_enabled an
ns behind the scenes...
>
You are right, snapd should handle this properly but at the moment it doesn't.
This is this bug:
https://bugs.launchpad.net/snappy/+bug/1647169
Perhaps Jamie Bennett or someone from the Snappy team could comment on its
status?
On Mon, 2017-02-06 at 09:25 -0800, Kyle Fazzari wrote:
>
> On 02/06/2017 09:21 AM, Jamie Strandboge wrote:
> >
> > On Sun, 2017-02-05 at 08:04 +0800, XiaoGuo Liu wrote:
> > >
> > > Hi Oli,
> > >
> > > Does it mean all of the snaps have t
t is snap-specific and cleared on reboot) or create a persistent
snap-specific
shared directory in $SNAP_DATA (eg, mkdir -m 1777 $SNAP_DATA/tmp) and put them
there.
Hope this helps!
[1]In general, it is best practice to avoid processing files that are under
another user's control since those fi
nd* had its own /tmp directory. That was changed late last year so that
all commands with the same snap share the same /tmp directory such that each
snap has its own /tmp directory.
py/+bug/1659724
The fix for this should be in snapd 2.23[1].
I would actually recommend using UNIX domain sockets for this though. The
easiest is to put a named socket in SNAP_DATA.
[1]https://github.com/snapcore/snapd/pull/2768
nel through the device (eg, raw access to your disk).
The above referenced PR limits how mknod can be used to create regular files,
pipes and sockets but not block and character devices. As such, we are adding
the mknod and mkfifo commands as part of that PR and this should be available
for
On Thu, 2017-02-02 at 17:22 -0500, espy wrote:
>
> On 02/01/2017 09:46 AM, Jamie Strandboge wrote:
> >
> > On Wed, 2017-02-01 at 20:33 +0800, James Henstridge wrote:
> > >
> > > Hi,
> [...]
>
> >
> > >
> > > 3. QNetwo
On Thu, 2017-02-02 at 19:00 +0200, Simos Xenitellis wrote:
> In addition, I added the interface "network". This is due to lnav
> opening a UNIX domain socket,
> and using the "sendto()" system call.
Is this a socket for IPC between commands in your snap or f
to hijack the thread, feel free to comment in the bug).
On Tue, 2017-01-31 at 17:04 +0100, Didier Roche wrote:
> On 30/01/2017 at 15:39, Jamie Strandboge wrote:
> > On Mon, 2017-01-30 at 08:47 -0500, Stephen M. Webb wrote:
> > > On 2017-01-30 01:56 AM, Spencer Parkin wrote:
> > While harmless, it is also confusing
On Mon, 2017-01-23 at 21:30 +0100, Luca Dionisi wrote:
> On Mon, Jan 23, 2017 at 6:28 PM, Jamie Strandboge <ja...@canonical.com> wrote:
> >
> > I will be looking at the security policy side of this so if you can, please
> > comment in the bug what specific commands
seem to allow write
> access to this file. Shouldn't an interface like "network-control" allow
> write access to /etc/resolv.conf ?
>
FYI, this is merged in master and the upcoming snapd 2.22 will allow access to
resolvconf.
bug what specific commands you are using in your snap for using
rt_tables so I can repeat them and make sure they are supported.
[1]https://bugs.launchpad.net/snappy/+bug/1658298
work-manager). Please
feel free to file bugs if it isn't doing what you expect.
Updating snappy-debug for dbus, improving its cli and generally sprucing up the
snap is planned but behind other prioritized work right now.
d I withdraw or drop the pending snap and it's successors in the
> Store?
>
What is the name of your snap? I'll reject it and then you can upload a new one.
Feel free to respond off-list if you prefer.
like bug #1592022 which should be fixed in snapd and snap-confine
2.20. What versions of these packages do you have installed?
[1]https://bugs.launchpad.net/snap-confine/+bug/1592022
e possible in the near future. Please advise implications
> and other alternative implementations. Thanks.
>
>
> -- Luther
> [1] http://snapcraft.io/docs/core/interfaces
>
On Wed, 2017-01-04 at 13:39 +0100, Olivier Tilloy wrote:
>
> Here is the bug report: https://launchpad.net/bugs/1653955
Thanks! The fix is in master and will be in snapd 2.21.
ernel with:
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.classic.classic
Now you should be able to 'sudo classic' and not see any apparmor logging. Note
that you may have to re-add the above rules to the profile (eg, if the snap is
removed/installed/updated/etc).
IIRC the snappy team
On Fri, 2017-01-06 at 16:10 +, Daniel Llewellyn wrote:
> On Thu, 15 Dec 2016 at 18:33 Jamie Strandboge <ja...@canonical.com> wrote:
>
> >
> > FYI, the upcoming snapd 2.20 will support the 'dbus' interface. With this
> > you
> > can update your snap to in
snap/seccomp/profiles/snap.pulseaudio... then restart the daemon and
see if that works for you? Can you file a bug if you haven't already?
")"
>
> snappy-debug doesn't mention anything about it. How can we fix that?
snappy-debug doesn't support dbus denials yet. This is planned. You need to
'grep DEN /var/log/syslog' for dbus denials when debugging for now.
> Here is the snapcraft.yaml:
> https://gi
ted this properly but feel free to use/steal/improve it to unblock
yourself.
I'm not sure what the plans are here: whether it is a gadget thing, a snap
config thing for the core snap or something else. If people think managing swap
by 'type: app' snaps is useful as an interface (eg, 'swap-cont
hpad.net/snappy/+bug/1607763. Technically, this is
probably a 'sudo' interface for declaring the policy and a 'sudo' interface
backend that creates sudoers policy in /etc/sudoers.d/snap.SNAP_NAME based on
sudo interface declaration in the snap yaml. This would of course be a very
se
into? Is there a recommended solution?
>
> Thanks in advance!
>
Reading sem_overview, it seems that we should also allow:
'/dev/shm/sem.snap.@{SNAP_NAME}.*'. In this manner, we namespace /dev/shm/sem.*
by snap name just like we do other parts of the OS. Please file a bug and we'll
get th
ng manager, in this case, gnome-keyring. In that
light, a 'gnome-keyring' interface needs to be implemented as an
implicitClassicSlot.
new interface will need to be created for
it or you can soon try out the about-to-land 'dbus' interface[1].
[1]https://bugs.launchpad.net/snappy/+bug/1590679
A for this? (No, I’m not going to hold you to it :-
> ) Just trying to get a feel for where things are at.)
>
I'm told these are behind the trusty work, that the trusty work is nearing
completion and that this dbus work will start after that. I suggest asking the
Ubuntu Personal folks directly for
bug/1590679
[3]https://bugs.launchpad.net/snappy/+bug/1648990
[4]https://bugs.launchpad.net/snappy/+bug/1613420
On Fri, 2016-11-18 at 15:33 +0100, Olivier Tilloy wrote:
> On Fri, Nov 18, 2016 at 2:37 PM, Jamie Strandboge <ja...@canonical.com> wrote:
> >
> > On Fri, 2016-11-18 at 13:13 +0100, Olivier Tilloy wrote:
> > >
> > > Hi everyone,
> > >
> > >
On Fri, 2016-11-18 at 07:37 -0600, Jamie Strandboge wrote:
> On Fri, 2016-11-18 at 13:13 +0100, Olivier Tilloy wrote:
> >
> > Hi everyone,
> >
> > I’ve been working on snapping up 0ad¹ as a side project, and I’m at
> > the point where I’ve got it to run
: cannot perform the following tasks:
> > - Connect bluez:client to bluez:service (connection denied by slot rule of
> > interface "bluez")
> >
> > [1] http://snapcraft.io/docs/reference/interfaces
> >
> > BR,
> > Robert
> >
> > --
> >
ls)
That is in strict mode. You can also install in devmode but you need to connect
the interfaces for the log messages to go away. This is because devmode reports
(but allows) violations against policy. If you don't connect the interfaces then
the accesses aren't part of the allowed
interface IMHO.
>
I tend to agree. I suggest filing a bug and submitting a PR against network-
control and we can review/discuss there. Thanks! :)
recent hooks work in
snapd can help with running restarting your units after interface connect.
Perhaps others can comment on the status of that work and how to leverage it?
On Tue, 2016-08-16 at 10:59 -0500, Jamie Strandboge wrote:
> On Tue, 2016-08-16 at 09:53 -0400, Chris Wayne wrote:
> >
> > Is this something that could be added to the roadmap? We'd really prefer
> > to not have to call the snap itself with sudo as it creates some
> >
"snap.test2.test2" name="/home/vasilisc/snap/test2/common/"
> > pid=5802 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=1000
> > ouid=1000
> >
> Mind opening a bug against snappy on launchpad with your snapcraft.yaml
On Mon, 2016-08-01 at 12:47 -0400, Aaron Honeycutt wrote:
> So I just want on an update from snapd? And then use that in my yaml?
>
Yes, but I think some things are going to change in the PR so I advise not
changing yet or keeping an eye on the PR.
> On Aug 1, 2016 12:43 PM, "Ja
t allows me to
get this PR moving again. Stay tuned-- this bug should be fixed in a new snapd
release soon (2.12 or later).
ess to files and directories in /dev/shm. We allow file
# access in /dev/shm for shm_open() and files in subdirectories for open()
/{dev,run}/shm/snap.@{SNAP_NAME}.** mrwlkix,
I suspect you need to adjust hatari to use (perhaps conditionally if SNAP env
var is set, up to you) shm_open("s