Accessing /tmp/.X11-unix/*

mismacku · June 1, 2018, 9:34pm

I’m hoping for some suggestions on the best way to allow a snap access to sockets in /tmp/.X11-unix/
I’m moving an existing node app that uses node-x11 into a snap. From what I can tell, node-x11 looks for /tmp/.X11-unix on the file system vs. using the abstract namespace @/tmp/.X11-unix/ I’ve done some googling and it looks there are a few ways to go about this, but most seem like workarounds. I want to make sure I’m not missing an existing feature within snappy that would make this easy / clean.
Any suggestions?

Thank you!

jamesh · June 2, 2018, 3:32am

Snaps run with a private /tmp, so you won’t be able to see the non-abstract X11 sockets. This is done to isolate the temporary files of one snap from another, so is unlikely to change.

With a quick google search, I was able to find a Node package that lets you connect to abstract namespace local sockets here:

So one option would be to modify node-x11 to use that package to access the abstract namespace socket.

ogra · June 2, 2018, 8:34am

the x11 interface will help here …

github.com

snapcore/snapd/blob/master/interfaces/builtin/x11.go#L94


/sys/devices/pci**/boot_vga r,
/sys/devices/pci**/resources r,
# TODO: enable rules for writing Xwayland Xauth files for clients to read when
# something like gnome-shell is running confined with an x11 slot
`
const x11PermanentSlotSecComp = `
# Description: Allow operating as an X11 server. This gives privileged access
# to the system.
# Needed for server launch
bind
listen
# Needed by server upon client connect
accept
accept4
# for udev
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`
const x11ConnectedSlotAppArmor = `

mismacku · June 3, 2018, 2:54pm

Thanks for the info!
@ogra Unfortunately (for this project) the x11 interface uses only the abstract X11 sockets vs. the sockets created within the file system. @/tmp/.X11-unix/X[0-9]* vs. /tmp/.X11-unix/X[0-9]*

@jamesh It sounds like modifying the node app or settle for using TCP may be the only option. One more question though… and I realize this is a big hack, but is there a relatively easy way to bind mind mount a file or directory in a snap or is the only option to fork snapd and write my own interface?
Doc ref: http://www.zygoon.pl/2016/08/creating-your-first-snappy-interface.html
linked here: https://docs.snapcraft.io/core/interfaces

jamesh · June 4, 2018, 12:37am

You can use the layouts feature to make some changes to the mount namespace your application runs in. I’m not sure whether it would let you bind /tmp/.X11-unix back in though.

Connecting to X by TCP/IP is probably possible via the network interface, but on many systems these days the X server is configured to only listen on UNIX domain sockets (with people relying on ssh for remote connection).

You might be able to do more with a new interface, but it isn’t clear it would be accepted into upstream: there are good reasons for only exposing the abstract namespace sockets. And it would probably be easier to patch node-x11: you’d need to ship a copy of it with your snap anyway, so it wouldn’t be that difficult to ship your own branch of the module. It also seems like a change they might be willing to accept upstream, so you wouldn’t necessarily be stuck with the maintenance burden forever.