apps should be able to run /usr/bin/shuf by default
Bug #1615124 reported by Dustin Kirkland
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Snappy | Fix Released | Medium | Jamie Strandboge | |
Bug Description
So I just built a snap today (petname) that needs to use /usr/bin/shuf from the coreutils package, which is shipped in ubuntu-core.
But I'm not able to. AppArmor denies reads and execs from /usr/bin/*.
There's a bunch of things in that category -- sed, awk, md5sum, etc.
Can we open this up, by policy?
Changed in snappy:
status: Triaged → In Progress
Changed in snappy:
importance: Undecided → Medium
milestone: none → 2.15
status: In Progress → Fix Committed
Specifically for the examples you gave-- shuf was just an omission and sed, awk, and md5sum are all in the default template. Many other commands not in the default policy are in other interfaces (eg, 'ip' and 'ifconfig' are in network-control and 'iptables' is in 'firewall-control').
Talked with Mark about this bug and the thinking about what from the core snap should be exposed to snaps has evolved since the default policy was created.
I'm going to talk to Gustavo about this and report back. I'm going to retarget this bug for 'shuf' itself and depending on Gustavo's and my conversation, treat that as a larger work item.
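To find out which binaries under /usr/bin a snap is being denied, as in the bug description, the AppArmor denials in the kernel log can be summarized per profile and path. This is an added example, not part of the bug report or of snapd; the log lines are constructed, and the profile name `snap.petname.petname` and the helper names `parse_denial` and `snap_denials` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (not taken from the bug report).
SAMPLE_LOG = """\
Aug 20 10:00:01 host kernel: [ 101.1] audit: type=1400 audit(1471687201.101:31): apparmor="DENIED" operation="exec" profile="snap.petname.petname" name="/usr/bin/shuf" pid=2101 comm="petname" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Aug 20 10:00:01 host kernel: [ 101.2] audit: type=1400 audit(1471687201.102:32): apparmor="DENIED" operation="open" profile="snap.petname.petname" name="/usr/bin/shuf" pid=2101 comm="petname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 20 10:00:05 host kernel: [ 105.0] audit: type=1400 audit(1471687205.000:33): apparmor="ALLOWED" operation="open" profile="snap.petname.petname" name="/usr/bin/sed" pid=2102 comm="petname" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 20 10:00:09 host kernel: [ 109.0] audit: type=1400 audit(1471687209.000:34): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value pairs in an audit record
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def snap_denials(log, prefix="/usr/bin/"):
    """Map (profile, path) -> denied permissions for snap profiles only."""
    masks = defaultdict(set)
    for line in log.splitlines():
        fields = parse_denial(line)
        if not fields:
            continue  # not a denial (e.g. ALLOWED in complain mode)
        if not fields.get("profile", "").startswith("snap."):
            continue  # denial belongs to a non-snap profile
        if not fields.get("name", "").startswith(prefix):
            continue  # path outside the directory of interest
        key = (fields["profile"], fields["name"])
        masks[key].update(fields.get("denied_mask", ""))
    return {key: "".join(sorted(chars)) for key, chars in masks.items()}


if __name__ == "__main__":
    for (profile, path), mask in sorted(snap_denials(SAMPLE_LOG).items()):
        print(f"{profile}: {path} denied '{mask}'")
```

On a live system the same functions can be fed the output of `journalctl -k` or the contents of `/var/log/syslog` instead of the sample string.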