On Tue, 2016-06-28 at 10:44 +0200, Pawel Stolowski wrote:
> Hi,
>
> I've been trying to create a snap package for Scid-vs-PC (an old-style
> TCL/TK based app) but have only been able to get it working in devmode.
> In the strict mode it crashes in libtk8.6.so and the segfault appears
> right after a denied access to read "/lib", in dmesg which makes me
> think that tcl/tk doesn't handle such (unexpected) scenario very well.
>
> When running in the devmode I get:
> [ 4039.752903] audit: type=1400 audit(1467102032.459:56):
> apparmor="ALLOWED" operation="open" profile="snap.scid-vs-pc.scidvspc"
> name="/lib/" pid=18523 comm="tkscid" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0
> (and the app runs fine).
>
> I suspect that just making "/lib" readable to my snap would make that
> app happy, so a couple of questions:
> - can I somehow expose "/lib" in read-only mode to my snap under
> "strict" confinement?
> - or can I somehow simulate the presence of "/lib" (and let it be empty)?

Can you file a bug and add the 'snapd-interface' tag? For now you can work
around this in strict mode by adding to
/var/lib/snapd/apparmor/profiles/snap.scid-vs-pc.scidvspc:

  /lib/ r,    # trailing '/' is important

then do:

$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.scid-vs-pc.scidvspc

Then try again. Depending on what the program does, you might have to add
'/usr/lib/', '/usr/local/lib/', etc. Please report all the accesses needed in
the bug and I can get this fixed up.

--
Jamie Strandboge | http://www.canonical.com

--
Snapcraft mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
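
Added example, not part of the original thread and not snapd or AppArmor project code: one way to collect "all the accesses needed" from devmode/strict audit records for a single profile and turn them into candidate rule lines such as `/lib/ r,`. The function names are hypothetical; the first sample record is the one quoted in the thread, the other two are constructed for illustration.

```python
import re
from collections import defaultdict

# First record is quoted in the thread; the second and third are constructed.
SAMPLE = '''\
[ 4039.752903] audit: type=1400 audit(1467102032.459:56): apparmor="ALLOWED" operation="open" profile="snap.scid-vs-pc.scidvspc" name="/lib/" pid=18523 comm="tkscid" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 4039.760000] audit: type=1400 audit(1467102032.470:57): apparmor="DENIED" operation="open" profile="snap.scid-vs-pc.scidvspc" name="/usr/lib/" pid=18523 comm="tkscid" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 4040.100000] audit: type=1400 audit(1467102033.000:58): apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/shadow" pid=1 comm="x" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit masks report create (c) and delete (d); in a profile both are covered
# by write (w). Exec (x) is skipped because a rule needs a transition
# qualifier (ix, px, ...) that has to be chosen by hand.
MASK_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}

def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def accesses(log, profile):
    """Map each path to the rule permissions logged for `profile`."""
    seen = defaultdict(set)
    for line in log.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("profile") != profile or "name" not in rec:
            continue
        # ALLOWED is what devmode (complain) logs, DENIED is strict mode.
        if rec.get("apparmor") in ("ALLOWED", "DENIED"):
            for flag in rec.get("denied_mask", ""):
                if flag in MASK_TO_RULE:
                    seen[rec["name"]].add(MASK_TO_RULE[flag])
    return dict(seen)

def rules(log, profile):
    """Candidate profile lines; a directory keeps its trailing '/' from the log."""
    return [f"{path} {''.join(sorted(perms))},"
            for path, perms in sorted(accesses(log, profile).items())]

if __name__ == "__main__":
    print("\n".join(rules(SAMPLE, "snap.scid-vs-pc.scidvspc")))
```

The output is a list for review and for the bug report, not something to paste into the profile blindly: each path should be checked against what the application actually needs before it is allowed.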
