Fyi, I was reminded of this issue again with the ghostty classic snap
and the yq snap (wasting a fair amount of time).
$ snap list | grep -E '(ghostty|yq)'
ghostty v1.3.0 704 latest/stable ken-vandine* classic,held
yq v4.49.2 2759 latest/stable mikefarah -
$ which ghostty
/snap/bin/ghostty
$ which yq
/snap/bin/yq
$ cat ./test.yml
foo: 1
bar:
- baz
# from within ghostty
$ echo $TERM_PROGRAM
ghostty
# direct file works
$ yq ./test.yml
foo: 1
bar:
- baz
# pipe works
$ cat ./test.yml | yq
foo: 1
bar:
- baz
# redirection does not (shows help since it didn't get the content)
$ yq < ./test.yml
Usage:
yq [flags]
yq [command]
...
AppArmor denials:
kernel: audit: type=1400 audit(1773236035.243:8383): apparmor="DENIED" operation="file_inherit" class="file" profile="/usr/lib/snapd/snap-confine" name="/home/jamie/test.yml" pid=1220747 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1773236035.260:8385): apparmor="DENIED" operation="open" class="file" profile="snap.yq.yq" name="/proc/1220747/mountinfo" pid=1220747 comm="yq" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
My 'snap_workaround' trick from before continues to work:
$ snap_workaround
Moving workaround rules to '/var/lib/snapd/apparmor/snap-confine.internal/lp1849753' and '/var/lib/snapd/apparmor/snap-confine/lp1849753' for classic snaps and snap to snap interactions
Reloading snap-confine policy
$ yq < ./test.yml
foo: 1
bar:
- baz
Note, these days I need to adjust the workaround slightly to handle both /var/lib/snapd/apparmor/snap-confine and /var/lib/snapd/apparmor/snap-confine.internal by adjusting my 'snap_workaround' function in ~/.bashrc:
snap_workaround() {
    # Workaround rule files for LP: #1849753, one for each directory
    # snapd may use for snap-confine policy snippets.
    fn="/var/lib/snapd/apparmor/snap-confine.internal/lp1849753"
    fn2="/var/lib/snapd/apparmor/snap-confine/lp1849753"
    fn_dir=$(dirname "$fn")
    fn2_dir=$(dirname "$fn2")
    # nothing to do if neither snippet directory exists on this system
    test -d "$fn_dir" || test -d "$fn2_dir" || return
    test -e "$fn" || {
        tmpfn=$(mktemp)
        cat > "$tmpfn" <<EOM
# vim-go
unix,
owner /** rw,
ptrace readby peer=unconfined,
ptrace tracedby peer=unconfined,
# old bug
capability fsetid,
EOM
        echo "Moving workaround rules to '$fn' and '$fn2' for classic snaps and snap to snap interactions"
        test -d "$fn_dir" && sudo /bin/cp "$tmpfn" "$fn"
        test -d "$fn2_dir" && sudo /bin/cp "$tmpfn" "$fn2"
        rm -f "$tmpfn"
        sudo chown root:root "$fn" "$fn2"
        sudo chmod 644 "$fn" "$fn2"
        # reload the snap-confine profiles so the new snippets take effect
        echo "Reloading snap-confine policy"
        sudo /snap/snapd/current/usr/lib/snapd/apparmor_parser -r /etc/apparmor.d/*snap-confine* /var/lib/snapd/apparmor/profiles/snap-confine.*
    }
}
--
https://bugs.launchpad.net/bugs/1849753
Title: AppArmor profile prohibits classic snap from inheriting file descriptors
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
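An added example, not part of the bug report or of snapd, that parses AppArmor "DENIED" audit records like the two quoted above into "profile operation name denied_mask" and flags the snap-confine file_inherit denial that characterises this bug; the sample records are the ones from the report, embedded inline so the script runs offline.

```shell
#!/bin/sh
# Summarise AppArmor DENIED audit records read from stdin (one per line),
# printing "profile operation name denied_mask" for each. POSIX sh + awk only.
# In practice feed it the kernel log, e.g.: dmesg | aa_denials
aa_denials() {
    awk '
        /apparmor="DENIED"/ {
            p = ""; o = ""; n = ""; m = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")          # key="value" or key=value
                v = kv[2]; gsub(/"/, "", v) # strip the surrounding quotes
                if (kv[1] == "profile") p = v
                else if (kv[1] == "operation") o = v
                else if (kv[1] == "name") n = v
                else if (kv[1] == "denied_mask") m = v
            }
            print p, o, n, m
        }'
}

# Return 0 if stdin contains a file_inherit denial logged against the
# snap-confine profile (the signature of LP: #1849753: a classic snap was
# started with an inherited fd, such as a redirected stdin), else 1.
has_classic_fd_inherit_denial() {
    aa_denials | grep -q '^/usr/lib/snapd/snap-confine file_inherit '
}

# Sample input: the two audit records quoted in the bug comment.
SAMPLE_DENIALS='kernel: audit: type=1400 audit(1773236035.243:8383): apparmor="DENIED" operation="file_inherit" class="file" profile="/usr/lib/snapd/snap-confine" name="/home/jamie/test.yml" pid=1220747 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1773236035.260:8385): apparmor="DENIED" operation="open" class="file" profile="snap.yq.yq" name="/proc/1220747/mountinfo" pid=1220747 comm="yq" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

printf '%s\n' "$SAMPLE_DENIALS" | aa_denials
if printf '%s\n' "$SAMPLE_DENIALS" | has_classic_fd_inherit_denial; then
    echo "snap-confine fd-inheritance denial present (see LP: #1849753)"
fi
```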