On Tue, Jan 3, 2017 at 8:21 PM, Jamie Strandboge <[email protected]> wrote:
> On Mon, 2017-01-02 at 16:34 +0100, Olivier Tilloy wrote:
>> Hi everyone, and happy new year!
>>
>> I’m snapping an app that makes use of semaphores¹ and seeing an
>> apparmor denial. The glibc implementation of sem_open calls
>> SHM_GET_NAME(EINVAL,SEM_FAILED,SEM_SHM_PREFIX) where SEM_SHM_PREFIX is
>> "sem.", so it tries to create /dev/shm/sem.{name}, which fails because
>> snapd only allows /dev/shm/snap.@{SNAP_NAME}.**.
>> At a quick glance, there’s no mechanism (e.g. env var) to customize
>> the prefix ("sem.").
>> Is this an issue others have run into? Is there a recommended solution?
>>
>> Thanks in advance!
>>
>
> Reading sem_overview, it seems that we should also allow:
> '/dev/shm/sem.snap.@{SNAP_NAME}.*'. In this manner, we namespace
> /dev/shm/sem.* by snap name just like we do other parts of the OS.
> Please file a bug and we'll get this fixed.
This will require patching upstream apps, and is not likely to be easily
merged by upstream projects, so not ideal, but I understand the need for
namespacing /dev/shm/sem.* for true security.

Here is the bug report: https://launchpad.net/bugs/1653955

Cheers,
Olivier

--
Snapcraft mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
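The naming rule the thread turns on, as an added example (not code from the thread, glibc or snapd): it builds the /dev/shm path that glibc's sem_open derives from a semaphore name and checks which snapd AppArmor rule would cover it, the existing snap.@{SNAP_NAME}.** one or the sem.snap.@{SNAP_NAME}.* one Jamie proposes. The helper `shm_rule_match` and the snap name "myapp" are assumptions; the run shows that only a semaphore named "snap.<SNAP_NAME>.<x>" lands under the proposed rule, which is the upstream change Olivier refers to.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef NAME_MAX
#define NAME_MAX 255
#endif
#define SHM_DIR "/dev/shm/"
#define SEM_SHM_PREFIX "sem."   /* the prefix glibc hard-codes for sem_open() */
#define PATHBUF (NAME_MAX + sizeof SHM_DIR SEM_SHM_PREFIX)

/* Path glibc's sem_open() opens for a semaphore name, following SHM_GET_NAME:
 * skip leading '/'; the rest must be non-empty, '/'-free and shorter than NAME_MAX. */
int sem_shm_path(const char *name, char *out, size_t outlen)
{
    while (*name == '/') name++;
    if (*name == '\0' || strlen(name) >= NAME_MAX || strchr(name, '/') != NULL)
        return EINVAL;          /* what sem_open() reports for a bad name */
    if (snprintf(out, outlen, SHM_DIR SEM_SHM_PREFIX "%s", name) >= (int)outlen)
        return ENAMETOOLONG;
    return 0;
}

/* Hypothetical helper: which snapd AppArmor rule covers a /dev/shm path?
 * 0: none; 1: existing "/dev/shm/snap.@{SNAP_NAME}.**"; 2: the proposed
 * "/dev/shm/sem.snap.@{SNAP_NAME}.*". A prefix test is enough: '*' stops at '/'. */
int shm_rule_match(const char *path, const char *snap_name)
{
    char pfx[PATHBUF];
    snprintf(pfx, sizeof pfx, SHM_DIR "snap.%s.", snap_name);
    if (strncmp(path, pfx, strlen(pfx)) == 0)
        return 1;
    snprintf(pfx, sizeof pfx, SHM_DIR SEM_SHM_PREFIX "snap.%s.", snap_name);
    if (strncmp(path, pfx, strlen(pfx)) == 0)
        return 2;
    return 0;
}

int main(void)
{
    /* Constructed sample: snap "myapp" with a plain and a namespaced sem name. */
    const char *names[] = { "/myapp-lock", "/snap.myapp.lock" };
    for (size_t i = 0; i < 2; i++) {
        char path[PATHBUF];
        if (sem_shm_path(names[i], path, sizeof path) == 0)
            printf("%-17s -> %-29s rule %d\n", names[i], path, shm_rule_match(path, "myapp"));
    }
    return 0;
}
```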
