"PermissionError: [Errno 13] Permission denied" executing a snap

Bug #1597784 reported by Pedro Coca
This bug affects 2 people
Affects: Snappy
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

I got the following error executing http-prompt as a snap in devmode on 16.04 on x86 64 bits desktop:

Traceback (most recent call last):
  File "/snap/http-prompt/x1/usr/bin/http-prompt", line 9, in <module>
    load_entry_point('http-prompt==0.4.1', 'console_scripts', 'http-prompt')()
  File "/home/pcoca/http_prompt_snap/parts/http-prompt/install/usr/lib/python3/dist-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/home/pcoca/http_prompt_snap/parts/http-prompt/install/usr/lib/python3/dist-packages/click/core.py", line 675, in main
    _verify_python3_env()
  File "/home/pcoca/http_prompt_snap/parts/http-prompt/install/usr/lib/python3/dist-packages/click/_unicodefun.py", line 64, in _verify_python3_env
    stderr=subprocess.PIPE).communicate()[0]
  File "/home/pcoca/http_prompt_snap/parts/http-prompt/install/usr/lib/python3.5/subprocess.py", line 947, in __init__
    restore_signals, start_new_session)
  File "/home/pcoca/http_prompt_snap/parts/http-prompt/install/usr/lib/python3.5/subprocess.py", line 1541, in _execute_child
    raise child_exception_type(errno_num, err_msg)
PermissionError: [Errno 13] Permission denied

The syslog shows this info:

sudo vim /var/log/syslog

Jun 30 15:24:43 haswell16 kernel: [218483.711411] audit: type=1400 audit(1467296683.103:1422): apparmor="DENIED" operation="open" profile="snap.http-prompt.http-prompt" name="/proc/10059/mounts" pid=10059 comm="http-prompt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jun 30 15:24:43 haswell16 kernel: [218483.712330] audit: type=1400 audit(1467296683.103:1423): apparmor="DENIED" operation="exec" profile="snap.http-prompt.http-prompt" name="/sbin/ldconfig" pid=10062 comm="http-prompt" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jun 30 15:24:43 haswell16 kernel: [218483.716641] audit: type=1400 audit(1467296683.107:1424): apparmor="DENIED" operation="exec" profile="snap.http-prompt.http-prompt" name="/sbin/ldconfig" pid=10064 comm="http-prompt" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jun 30 15:24:43 haswell16 kernel: [218483.868717] audit: type=1400 audit(1467296683.259:1425): apparmor="DENIED" operation="exec" profile="snap.http-prompt.http-prompt" name="/usr/bin/locale" pid=10066 comm="http-prompt" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

When executing the http-prompt snap created with snapcraft (devmode):

name: http-prompt
version: "1.0"
summary: An interactive command-line HTTP client
description: An interactive command-line HTTP client featuring autocomplete and syntax highlighting
confinement: devmode

apps:
  http-prompt:
    command: http-prompt
    plugs: [home, network, network-bind]

parts:
  http-prompt:
    source: https://github.com/eliangcs/http-prompt.git
    plugin: python3
    stage-packages: [libpython3.5-minimal]

"sudo /snap/http-prompt/x1/usr/bin/http-prompt"

Will run the snap with no issues.

tags: added: snapd-interface
Jamie Strandboge (jdstrand) wrote :

The 'mounts' denial is likely just noise and can be ignored, but you can plug the 'mount-observe' interface to get rid of that denial.

I looked at the 'locale' command and see no reason why it couldn't be allowed in the default policy. I'll add that.

For ldconfig, it might be a harmless denial, but you may want to adjust your program to not use this.

Since the locale denial was last, I suggest you adjust /var/lib/snapd/apparmor/profiles/snap.http-prompt.http-prompt to have before the final '}':

/usr/bin/locale ixr,

Then run: sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.http-prompt.http-prompt

You will still see the mounts and ldconfig denials, but perhaps your program will start to work.

Also, to unblock yourself while developing the snap, remember you can install with --devmode which disables the sandbox until such time that your snap is made to work under strict mode.

affects: snapcraft → snappy
Changed in snappy:
status: New → Incomplete
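
The denials quoted in the bug description can be triaged mechanically before deciding which ones need a plug or a profile rule. The following is an added example, not code from the report or from snapd; the function names are hypothetical, and the sample input is the four syslog lines from the description.

```python
import re
from collections import Counter

# Sample input: the audit lines quoted in the bug description above.
SAMPLE_LOG = """\
Jun 30 15:24:43 haswell16 kernel: [218483.711411] audit: type=1400 audit(1467296683.103:1422): apparmor="DENIED" operation="open" profile="snap.http-prompt.http-prompt" name="/proc/10059/mounts" pid=10059 comm="http-prompt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jun 30 15:24:43 haswell16 kernel: [218483.712330] audit: type=1400 audit(1467296683.103:1423): apparmor="DENIED" operation="exec" profile="snap.http-prompt.http-prompt" name="/sbin/ldconfig" pid=10062 comm="http-prompt" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jun 30 15:24:43 haswell16 kernel: [218483.716641] audit: type=1400 audit(1467296683.107:1424): apparmor="DENIED" operation="exec" profile="snap.http-prompt.http-prompt" name="/sbin/ldconfig" pid=10064 comm="http-prompt" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jun 30 15:24:43 haswell16 kernel: [218483.868717] audit: type=1400 audit(1467296683.259:1425): apparmor="DENIED" operation="exec" profile="snap.http-prompt.http-prompt" name="/usr/bin/locale" pid=10066 comm="http-prompt" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in KV.findall(line)}


def summarize(log_text):
    """Count unique (profile, operation, path, denied_mask) denials."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        # Per-process /proc paths differ on every run; fold the PID into
        # AppArmor's @{pid} variable so repeats collapse into one entry.
        path = re.sub(r"^/proc/\d+/", "/proc/@{pid}/", rec.get("name", ""))
        key = (rec.get("profile", ""), rec.get("operation", ""),
               path, rec.get("denied_mask", ""))
        counts[key] += 1
    return list(counts.items())


if __name__ == "__main__":
    for (profile, op, path, mask), n in summarize(SAMPLE_LOG):
        print(f"{n}x {profile}: {op} {path} (denied {mask})")
```

Each resulting entry is one decision to make: plug an interface, add a reviewed rule, or change the program so it no longer needs the access.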
Jamie Strandboge (jdstrand) wrote :

@Pedro, 'locale' is allowed by default as of snapd 2.11 which is in xenial-proposed and as mentioned you can use 'mount-observe'. Can you comment on my questions in comment #1?

Jamie Strandboge (jdstrand) wrote :

FYI, ldconfig is now going to be allowed in the default profile (for printing the cache, but not updating it of course).

Launchpad Janitor (janitor) wrote :

[Expired for Snappy because there has been no activity for 60 days.]

Changed in snappy:
status: Incomplete → Expired