Comment 0 for bug 1731012

Jamie Strandboge (jdstrand) wrote :

Electron applications use this to ensure only one instance of the application is running:

Part of this involves creating a named socket in XDG_RUNTIME_DIR. E.g.:

$ ls -l /run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc
total 0
lrwxrwxrwx 1 jamie jamie 19 Nov 8 10:19 SingletonCookie -> 8465438638122226111
srwxr-xr-x 1 jamie jamie 0 Nov 8 10:19 SS

In snappy, we have the following rule:

  owner /run/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,

Under certain circumstances[1] a read denial pops out due to owner mismatch:

apparmor="DENIED" operation="file_perm" profile="snap.mailspring.mailspring" name="/run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc/SS" pid=17066 comm="mailspring" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

but on the filesystem the file is owned by 1000:1000 (the application is run by the non-root user and the application isn't setuid and doesn't have file ACLs). I don't yet have a simplified reproducer for this, but (a complex) one exists in the forum[1]. Adding the aa-kernel task for now.
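
A triage helper for the kind of denial quoted above, as an added example that is not part of the original comment or of any snapd/AppArmor tooling: it parses the audit line, checks whether the path falls under the owner rule shown, and flags when the logged ouid differs from fsuid or from a uid observed on disk. The function names, the regex rendering of the rule's glob and the snap.<name>.<app> profile-name split are assumptions; the sample line is constructed from the one in the report.

```python
import re

# Constructed sample, modelled on the denial quoted in the report above.
SAMPLE = ('apparmor="DENIED" operation="file_perm" '
          'profile="snap.mailspring.mailspring" '
          'name="/run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc/SS" '
          'pid=17066 comm="mailspring" requested_mask="r" denied_mask="r" '
          'fsuid=1000 ouid=0')

# key="value" or key=value; also accepts curly quotes left by web rendering.
FIELD = re.compile(r'(\w+)=(?:["“”]([^"“”]*)["“”]|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    return {k: (q if q else v) for k, q, v in FIELD.findall(line)}


def owner_mismatch(line, disk_uid=None):
    """Classify a denial against the snap 'owner' rule for XDG_RUNTIME_DIR.

    disk_uid is the uid the caller saw on disk (e.g. os.lstat(path).st_uid),
    passed in so the check also works on a log copied from another machine.
    Returns None when the line is not a denial carrying fsuid and ouid.
    """
    f = parse_denial(line)
    if f.get("apparmor") != "DENIED" or not {"fsuid", "ouid", "name"} <= f.keys():
        return None
    # Assumption: snap profiles are named snap.<SNAP_NAME>.<app>.
    parts = f.get("profile", "").split(".")
    snap = parts[1] if len(parts) >= 3 and parts[0] == "snap" else None
    # Assumed regex rendering of: /run/user/[0-9]*/snap.@{SNAP_NAME}/**
    covered = bool(snap and re.match(
        rf"/run/user/[0-9][^/]*/snap\.{re.escape(snap)}/.+$", f["name"]))
    fsuid, ouid = int(f["fsuid"]), int(f["ouid"])
    return {
        "path": f["name"],
        "covered_by_owner_rule": covered,
        # 'owner' only grants access when the object's uid equals fsuid.
        "owner_condition_failed": fsuid != ouid,
        # True when the kernel's view of the owner differs from the disk's.
        "log_disagrees_with_disk": disk_uid is not None and disk_uid != ouid,
    }


if __name__ == "__main__":
    print(owner_mismatch(SAMPLE, disk_uid=1000))
```
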