On Wed, 2017-03-01 at 23:06 -0300, Facundo Batista wrote:
> Hola!
> 
> When calling pip from inside a snap, it (while investigating the system it's
> in) tries to os.listdir("/etc") which is
> denied to it:
> 
>       Mar  1 15:44:04 tanquita kernel: [16153.906524] audit: type=1400
> audit(1488393844.939:99): apparmor="DENIED"
>       operation="open" namespace="root//lxd-fadestest_<var-lib-lxd>"
> profile="snap.fades.fades" name="/etc/"
>         pid=10606 comm="python" requested_mask="r" denied_mask="r"
> fsuid=165536 ouid=165536
> 
> Which interface should I add to the snap for it to have read only access to
> /etc?

There isn't a rule in the policy for os.listdir("/etc") atm. Allowing that
wouldn't be the worst thing in the world (it would constitute a small
information leak), but I suspect you are going to need more access than just
"/etc" that may or may not be useful. Importantly, if this is because of what
Marco said and this has to do with OS detection, then the snap may end up being
misled (is being discussed in https://github.com/snapcore/snapd/pull/2947).

I suggest following the wiki[1] and then filing a bug with the accesses you
want, and we can go from there. If you want me to help you get to the bottom of
this, just file the bug now or contact me on irc.

[1] https://github.com/snapcore/snapd/wiki/Security#interface-development-and-security-policy

-- 
Jamie Strandboge             | http://www.canonical.com
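
One way to collect the accesses for such a bug report is to pull the denied paths and permissions out of the kernel log. This is an added example, not part of the original message and not snapd code; the first sample record is the denial quoted above rejoined onto one line, the other records and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the message, rejoined onto one line.
# The other three records are constructed for this example.
SAMPLE_LOG = "\n".join([
    'Mar  1 15:44:04 tanquita kernel: [16153.906524] audit: type=1400 '
    'audit(1488393844.939:99): apparmor="DENIED" operation="open" '
    'namespace="root//lxd-fadestest_<var-lib-lxd>" profile="snap.fades.fades" '
    'name="/etc/" pid=10606 comm="python" requested_mask="r" denied_mask="r" '
    'fsuid=165536 ouid=165536',
    # constructed: same denial from a later process (should be merged)
    'Mar  1 15:44:09 tanquita kernel: [16158.100000] audit: type=1400 '
    'audit(1488393849.100:100): apparmor="DENIED" operation="open" '
    'profile="snap.fades.fades" name="/etc/" pid=10611 comm="python" '
    'requested_mask="r" denied_mask="r" fsuid=165536 ouid=165536',
    # constructed: complain-mode record, logged but not blocked (skipped)
    'Mar  1 15:44:10 tanquita kernel: [16159.000000] audit: type=1400 '
    'audit(1488393850.000:101): apparmor="ALLOWED" operation="open" '
    'profile="snap.example.example" name="/tmp/x" pid=1 comm="sh" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    # constructed: unrelated kernel message
    'Mar  1 15:44:11 tanquita kernel: [16160.000000] usb 1-1: new device',
])

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, else None."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    if fields.get("type") != "1400" or fields.get("apparmor") != "DENIED":
        return None
    return fields

def summarize(log_text):
    """Map (profile, path) to the set of denied permission letters."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields and "name" in fields:
            key = (fields.get("profile", "?"), fields["name"])
            denied[key].update(fields.get("denied_mask", ""))
    return dict(denied)

def report(log_text):
    """One line per denied access, ready to paste into a bug report."""
    return [f"{profile}: {path} ({''.join(sorted(mask))})"
            for (profile, path), mask in sorted(summarize(log_text).items())]
```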

-- 
Snapcraft mailing list