Comment 3 for bug 1586547

Jamie Strandboge (jdstrand) wrote : Re: snappy needs security policy for chromium

For seccomp snappy-debug.security scanlog will help you, but you can also 'grep audit /var/log/syslog' to see the syscalls and then run them through scmp_sys_resolver on the target machine. However, the seccomp call in question for chromium is known and is bug #1577520 (in progress).

The ~/.Private is bug #1574556 and is fixed in 16.10 and in progress on 16.04.

/dev/.org.chromium.Chromium.NNNNNN is bug #1577514 and a plan is decided and the snappy team will implement. Alternatively, you can also adjust chromium to use /dev/snap.$SNAP.NNNNNN instead and it would work today.

You should adjust the snap to not use /etc/chromium-browser/policies/managed/ and /etc/chromium-browser/policies/recommended/ since they won't exist in the snap's filesystem anyway.

Read access for /proc/NNNNN/oom_score_adj is fixed in trunk but write access won't be allowed at this time because it allows a snap to influence the oom killer for other snaps (but this is a noisy denial, not fatal and we'll work through silencing these sorts of things in future work).

/proc/NNNNN/setgroups and /proc/NNNNN/uid_map seem to be because of chromium's use of user namespaces. Please disable the sandbox at this time since snappy is handling confinement. Once the phase 1 apparmor stacking changes all land in 16.04 (most have, some remain) we can revisit chromium's use of user namespaces and see what interface changes are needed.

/usr/share/applications/ and /var/lib/snapd/desktop/applications/ appear to be for xdg-mime, however snapd is moving to its own implementation of xdg-open that snaps would use.

/usr/share/applications/*desktop I'm not sure what it is for: vimperator plugin? Something else? In general, snaps will want to ship these sorts of things themselves and/or use xdg-open, as mentioned.

/var/tmp/ is not allowed and the application should use the snap-specific TMPDIR (/tmp) instead. This is almost always non-fatal and shows up when the application is searching for a writable tmp area.

Since there are many different accesses being reported here, all of which require changes to the snap or already have other bugs, I'm going to take over this bug for the user namespace request.

Thanks!
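The seccomp triage step above (grep the audit lines out of syslog, then feed the syscall numbers to scmp_sys_resolver) as an added example; this is not code from the bug thread or from snappy. It assumes the kernel audit format (`type=1326` in syslog, `type=SECCOMP` in auditd's log) and libseccomp's scmp_sys_resolver; the log lines are constructed, and the number-to-name step falls back to the raw number when the resolver is not installed.

```bash
#!/bin/sh
# Extract the unique syscall numbers from seccomp audit denials read on stdin.
# Matches both syslog (type=1326) and auditd (type=SECCOMP) spellings.
seccomp_syscalls() {
    grep -E 'type=(1326|SECCOMP)' \
        | sed -n 's/.*syscall=\([0-9]*\).*/\1/p' \
        | sort -un
}

# Resolve one syscall number to its name for the given arch (default x86_64)
# using scmp_sys_resolver; echoes the raw number if the tool is missing, so the
# script still runs on a machine without libseccomp's utilities.
resolve_syscall() {
    num="$1"; arch="${2:-x86_64}"
    if command -v scmp_sys_resolver >/dev/null 2>&1; then
        scmp_sys_resolver -a "$arch" "$num"
    else
        echo "$num"
    fi
}

# Constructed sample of what 'grep audit /var/log/syslog' might return for a
# confined chromium: two seccomp denials (clone=56, unshare=272 on x86_64),
# one repeated, plus an unrelated AppArmor line that must be ignored.
SAMPLE_AUDIT='kernel: audit: type=1326 audit(1463500000.001:10): auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="chromium-browse" exe="/snap/chromium/x1/chromium-browser" sig=31 arch=c000003e syscall=272 compat=0 ip=0x7f0 code=0x0
kernel: audit: type=1400 audit(1463500000.002:11): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/var/tmp/" pid=4242 comm="chromium-browse"
kernel: audit: type=1326 audit(1463500000.003:12): auid=1000 uid=1000 gid=1000 ses=2 pid=4243 comm="chromium-browse" exe="/snap/chromium/x1/chromium-browser" sig=31 arch=c000003e syscall=56 compat=0 ip=0x7f1 code=0x0
kernel: audit: type=1326 audit(1463500000.004:13): auid=1000 uid=1000 gid=1000 ses=2 pid=4244 comm="chromium-browse" exe="/snap/chromium/x1/chromium-browser" sig=31 arch=c000003e syscall=272 compat=0 ip=0x7f0 code=0x0'

# Report each denied syscall by name so the interface gap is obvious.
for n in $(printf '%s\n' "$SAMPLE_AUDIT" | seccomp_syscalls); do
    echo "seccomp denied syscall $n -> $(resolve_syscall "$n" x86_64)"
done
```

On a real system replace the constructed sample with `grep audit /var/log/syslog`, and pass the arch shown in the log (`arch=c000003e` is x86_64) to resolve_syscall.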