apps should be able to run /usr/bin/shuf by default

Bug #1615124 reported by Dustin Kirkland 
Affects: Snappy
Status: Fix Released
Importance: Medium
Assigned to: Jamie Strandboge
Milestone: (none listed)

Bug Description

So I just built a snap today (petname) that needs to use /usr/bin/shuf from the coreutils package, which is shipped in ubuntu-core.

But I'm not able to. AppArmor denies reads and execs from /usr/bin/*.

There's a bunch of things in that category -- sed, awk, md5sum, etc.

Can we open this up, by policy?

Jamie Strandboge (jdstrand) wrote :

Specifically for the examples you gave -- shuf was just an omission, and sed, awk, and md5sum are all in the default template. Many other commands not in the default policy are in other interfaces (e.g., 'ip' and 'ifconfig' are in network-control and 'iptables' is in 'firewall-control').

Talked with Mark about this bug and the thinking about what from the core snap should be exposed to snaps has evolved since the default policy was created.

I'm going to talk to Gustavo about this and report back. I'm going to retarget this bug for 'shuf' itself and depending on Gustavo's and my conversation, treat that as a larger work item.

Changed in snappy:
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
summary: - my snap apps should be able to run /usr/bin/*
+ apps should be able to run /usr/bin/shuf by default
tags: added: snapd-interface
Changed in snappy:
status: Triaged → In Progress
Changed in snappy:
importance: Undecided → Medium
milestone: none → 2.15
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

2.20 fixes this issue.

Changed in snappy:
status: Fix Committed → Fix Released