On Mon, 2016-07-04 at 08:27 +0200, Didier Roche wrote:
> On 02/07/2016 20:40, Jasem Mutlaq wrote:
> >
> > 5. dbus calls fail in strict confinement mode.
> I'm ccing Jamie here, he may have a look at them if they make sense to
> add to any interface.

I suspect we'll need a transition interface similar to 'unity7' for KDE apps since KDE, like all traditional Linux desktops, has a different trust model (where everything running in your session is trusted) than snappy (where apps are considered untrusted). As Didier said, get your snap running in --devmode, then file bugs at https://bugs.launchpad.net/snappy/+filebug adding the 'snapd-interface' tag and we can work through what is needed.

That said, I predict KDE apps needing kinit and all the various KDE IPC services and how they (auto)start each other are going to present a real challenge to have any meaningful security policy (based on experience with profiling KDE apps and your apparmor logs) and require thoughtful design. We'll know more once there is a working devmode snap and a bug is filed for it to work in strict mode.

> > 7. Other apparmor problems (see log below)
> >
> > Here is a link to the files:
> >
> > 1. snapcraft.yaml: http://www.indilib.org/jdownloads/snap/snapcraft.yaml
> > 2. qt5-lunch: http://www.indilib.org/jdownloads/snap/qt5-lunch
> > 3. AppArmor log: http://www.indilib.org/jdownloads/snap/apparmor.txt
> >
> > As you can see from the AppArmor log, there are a lot of calls being
> > made among all the various components, libraries, file system, etc.
> > Even when an executable like indi_simulator_ccd is accessing a
> > dependent library, it says:
> >
> > = AppArmor =
> > Time: Jul 2 20:30:33
> > Log: apparmor="ALLOWED" operation="open"
> > profile="snap.kstars.kstars//null-/snap/kstars/x2/usr/bin/indiserver//null-/snap/kstars/x5/usr/bin/indi_simulator_ccd"
> > name="/snap/kstars/x5/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2"
> > pid=4015 comm="indi_simulator_" requested_mask="r" denied_mask="r"
> > fsuid=1000 ouid=0
> > File: /snap/kstars/x5/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2 (read)
> > Suggestion:
> > * adjust program to read necessary files from $SNAP, $SNAP_DATA or
> > $SNAP_USER_DATA
> >
> > Again, not sure how to adjust program to read from dependent library.
>
> Same, needing Jamie's feedback on those :)

This file should be allowed by the policy since it is in your $SNAP directory. I'm a bit puzzled as to why this is showing up in the log. I will note that the profile in question is 'snap.kstars.kstars//null-/snap/kstars/x2/usr/bin/indiserver//null-/snap/kstars/x5/usr/bin/indi_simulator_ccd' which is the complain-mode profile name for the indi_simulator_ccd process that was launched by indiserver which was started by something under the snap.kstars.kstars profile. Notice the 'x2' for the snap's revision for indiserver and the 'x5' for the snap's revision for indi_simulator_ccd. It seems that that snap was updated from 'x2' to 'x5' while indiserver was still running? Regardless, can you file a bug with detailed steps on how to reproduce and we can work this out there.

Thanks!

-- 
Jamie Strandboge | http://www.canonical.com
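A small log-analysis helper, added here as an illustration and not part of the thread or of snapd, that parses an AppArmor line like the one quoted above, splits the nested complain-mode profile name on its '//null-' separators and flags the mixed snap revisions (x2 versus x5) that Jamie's reply points out. The field and function names are my own; the sample line is the quoted one with its wrapped profile= value joined back together.

```python
import re

# Constructed sample: the AppArmor line quoted in the thread, with the wrapped
# profile= value joined back onto one line.
SAMPLE_LOG = (
    'apparmor="ALLOWED" operation="open" '
    'profile="snap.kstars.kstars//null-/snap/kstars/x2/usr/bin/indiserver'
    '//null-/snap/kstars/x5/usr/bin/indi_simulator_ccd" '
    'name="/snap/kstars/x5/usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2" '
    'pid=4015 comm="indi_simulator_" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=0'
)

# key=value pairs; a value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# /snap/<snap-name>/<revision>/... paths inside a snap's read-only tree
SNAP_PATH_RE = re.compile(r'^/snap/([^/]+)/([^/]+)/')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def snap_revision(path):
    """Return (snap_name, revision) for a /snap/<name>/<rev>/... path, else None."""
    m = SNAP_PATH_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def analyse(line):
    """Read a complain-mode ('//null-') profile name the way the reply does:
    which profile started the chain, which binaries were exec'd along it, and
    whether more than one snap revision is mixed into one process tree."""
    f = parse_apparmor_line(line)
    chain = f["profile"].split("//null-")   # base profile, then each exec'd path
    snap_name = chain[0].split(".")[1]       # 'snap.<name>.<app>' -> <name>
    exec_revs = [r for r in (snap_revision(p) for p in chain[1:]) if r]
    file_rev = snap_revision(f.get("name", ""))
    revisions = sorted({rev for _, rev in exec_revs})
    return {
        "base_profile": chain[0],
        "exec_chain": chain[1:],
        "snap_revisions": revisions,
        "mixed_revisions": len(revisions) > 1,  # x2 and x5: refreshed while running
        "file_in_own_snap": file_rev is not None and file_rev[0] == snap_name,
        "file_revision": file_rev[1] if file_rev else None,
    }
```

Running analyse() over a whole devmode log and grouping by base_profile gives a quick list of which process chains span more than one revision, which is the first thing to check before attributing such an entry to missing policy.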
-- Snapcraft mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
