On Mon, 2016-08-01 at 07:27 +0200, Simon Fels wrote:
> On 01.08.2016 06:55, Jacob Zimmermann wrote:
> >
> > Hi
> >
> > I'm trying to get my hands on snapcraft by building a snap of "Hatari"
> > (Atari ST emulator). I got it working nicely in devmode but it won't run
> > under strict confinement, specifically it gets killed when attempting to
> > execute shm_open().
> >
> > Based on whatever little information I could gather I tried to override
> > the default policy like so:
> >
> > apps:
> >   hatari:
> >     command: hatari
> >     plugs: [home, unity7, hatari-permissions]
> >
> > ...
> >
> > plugs:
> >   hatari-permissions:
> >     type: old-security
> >     security-override:
> >       syscalls: [shm_open]
> The old-security interface is not available any more. To be able to
> further comment on the problem you hit here it will be good to know for
> what the Hatari emulator wants to use the shm_open syscall.
>
> >
> > But no avail, it just won't let it use this syscall. I couldn't find
> > anything in the docs about how is it supposed to be done.
> To allow your snap to use the syscall shm_open it needs to use an
> interface which allows this. It's very likely that in this case there is
> no appropriate interface yet. As stated above we need to first find out
> what the emulator tries to do with shm_open here before we can judge
> further what kind of interface it would need.
>

shm_open() is allowed in the default policy for seccomp and if the path conforms
to this from the default policy for apparmor, then there should be no issues:

  # App-specific access to files and directories in /dev/shm. We allow file
  # access in /dev/shm for shm_open() and files in subdirectories for open()
  /{dev,run}/shm/snap.@{SNAP_NAME}.** mrwlkix,

I suspect you need to adjust hatari to use (perhaps conditionally if SNAP env
var is set, up to you) shm_open("snap.hatari.XXXXXX", ...) or similar.

--
Jamie Strandboge | http://www.canonical.com
-- Snapcraft mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
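
The adjustment suggested in the reply above, as an added example that is not part of the original thread or of Hatari's code: a helper that prefixes the shared-memory name with `snap.<SNAP_NAME>.` only when running inside a snap, so the backing file matches the quoted AppArmor rule. The helper name `snap_shm_name`, the segment name `hatari-buf`, and the reliance on snapd exporting `SNAP_NAME` are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Build a POSIX shared-memory name for shm_open() (hypothetical helper).
 * Assumption: snapd exports SNAP_NAME to the confined app. When it is set,
 * the name becomes "/snap.<SNAP_NAME>.<base>", so the backing file
 * /dev/shm/snap.<SNAP_NAME>.<base> matches the default AppArmor rule
 * /{dev,run}/shm/snap.@{SNAP_NAME}.** quoted above. Outside a snap the
 * plain "/<base>" name is kept. Returns 0 on success, -1 on bad input. */
int snap_shm_name(char *out, size_t outlen, const char *base)
{
    const char *snap = getenv("SNAP_NAME");
    int n;

    /* shm names must not contain further slashes; reject empty names too. */
    if (out == NULL || base == NULL || *base == '\0' || strchr(base, '/'))
        return -1;
    if (snap != NULL && *snap != '\0')
        n = snprintf(out, outlen, "/snap.%s.%s", snap, base);
    else
        n = snprintf(out, outlen, "/%s", base);
    /* Treat truncation as an error rather than opening a different name. */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char name[128];
    int fd;

    if (snap_shm_name(name, sizeof name, "hatari-buf") != 0) /* constructed name */
        return 1;
    fd = shm_open(name, O_CREAT | O_EXCL | O_RDWR, 0600);
    if (fd < 0) {
        perror(name);   /* an AppArmor path denial shows up here as EACCES */
        return 1;
    }
    if (ftruncate(fd, 4096) != 0)
        perror("ftruncate");
    close(fd);
    shm_unlink(name);   /* remove the segment so reruns start clean */
    printf("created and removed %s\n", name);
    return 0;
}
```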
