snapd

/var/tmp handling

Bug #1504187 reported by Jamie Strandboge on 2015-10-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	snapd	Triaged	Wishlist	Unassigned

Bug Description

I've seen the following denial in some java programs:

audit: type=1400 audit(1444152930.580:37): apparmor="DENIED" operation="open" profile="foo_bar_0.1" name="/var/tmp/" pid=1246 comm="java" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The programs so far seem to function fine with the denial, but it seems like some app, somewhere, won't handle this well. Currently, we are recommending that apps use TMPDIR or SNAP_APP_DATA_PATH instead of /var/tmp. However, I wonder if it would be better to have the launcher handle /var/tmp in the same manner as /tmp by bind mounting the app-specific temporary directory as /var/tmp in the app's mount namespace. It is probably sufficient to simply bind mount the current app-specific temporary directory on both /tmp and /var/tmp in the app's mount namespace.

This changes the semantics of /var/tmp somewhat, since /tmp and /var/tmp for the app are handled identically, but I think this is probably fine and certainly better than the current situation of not allowing /var/tmp at all.

See original description

Tags:

Jamie Strandboge (jdstrand) on 2015-10-08

description:	updated
description:	updated
description:	updated

Michael Vogt (mvo) on 2016-04-27

Changed in snappy:
status:	New → Triaged
importance:	Undecided → Wishlist

Evan (ev) on 2017-01-31

tags:

added: isv

Zygmunt Krynicki (zyga) on 2019-03-25

affects:

snappy → snapd

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.