Access to /dev/shm/sem.snap.@{SNAP_NAME}.* should be allowed for semaphores to work

Bug #1653955 reported by Olivier Tilloy
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Fix Released
Jamie Strandboge

Bug Description

(initially reported at

I’m snapping an app that makes use of semaphores¹ and seeing an apparmor denial. The glibc implementation of sem_open calls SHM_GET_NAME(EINVAL,SEM_FAILED,SEM_SHM_PREFIX) where SEM_SHM_PREFIX is "sem.", so it tries to create /dev/shm/sem.{name}, which fails because
snapd only allows /dev/shm/snap.@{SNAP_NAME}.**.
At a quick glance, there’s no mechanism (e.g. env var) to customize the prefix ("sem.").

/dev/shm/sem.* could be namespaced by snap name by allowing /dev/shm/sem.snap.@{SNAP_NAME}.*


Zygmunt Krynicki (zyga)
tags: added: snapd-interface
Changed in snappy:
status: New → Confirmed
Olivier Tilloy (osomon)
description: updated
Changed in snappy:
status: Confirmed → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in snappy:
status: Triaged → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This will be fixed in snapd 2.21.

Changed in snappy:
status: In Progress → Fix Committed
Michael Vogt (mvo)
Changed in snappy:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers