Allow mknod to make a named pipe?

I have an interesting application which I am trying to snap strictly confined. The current sticking point is that it breaks when trying to mknod, but not in /dev, in the home directory of the snap. This seems to be part of normal operation, and when run outside of confinement it creates a file in a dot folder under home, thus:-

prw------- 1 alan alan      0 Aug 10 18:29 foo.pipe

However, when strictly confined, the application crashes, strace reveals:-

[pid  8397] mknod("/home/alan/snap/foo/x1/.foo/foo.pipe", S_IFIFO|0600) = ?
[pid  8397] +++ killed by SIGSYS +++

Which causes the application to crash.

Is this something we can / should allow?

As a workaround you could use the “classic-support” interface (looks like that has mknod allowed).

classic-support is a new one on me!

Not listed at https://snapcraft.io/docs/reference/interfaces either.

well …

ogra@styx:~/Devel/branches/snapd$ grep -r mknod interfaces/builtin/*
interfaces/builtin/classic_support.go:capability mknod,
interfaces/builtin/classic_support.go:mknod
interfaces/builtin/docker_support.go:mknod
interfaces/builtin/docker_support.go:mknodat

and snap interfaces lists it on my laptop … I think it might not be one we want to massively expose or so …

Well it didn’t work anyway. I get the same failure with classic-support as I did without, thanks for the suggestion though 🙂

No need for classic-support (not to mention, its use would likely be rejected since this isn’t what the interface is meant to be used for). The upcoming snapd 2.27 has rules in the default seccomp policy that allow the use of mknod for regular files, pipes and sockets:

mknod - |S_IFREG -
mknodat - - |S_IFREG -
mknod - |S_IFIFO -
mknodat - - |S_IFIFO -
mknod - |S_IFSOCK -
mknodat - - |S_IFSOCK -
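Added example (not part of the thread and not snapd's own code): a small Python evaluator for the six rules quoted above, showing which mknod/mknodat mode values they let through. It assumes that `|NAME` is a masked-equality match, (arg & NAME) == NAME, and that `-` matches any value; parse_rules and allowed are hypothetical helper names, and every path except the one from the strace output is constructed.

```python
import stat

# The six rules exactly as quoted in the thread.
RULES = """\
mknod - |S_IFREG -
mknodat - - |S_IFREG -
mknod - |S_IFIFO -
mknodat - - |S_IFIFO -
mknod - |S_IFSOCK -
mknodat - - |S_IFSOCK -
"""

def parse_rules(text):
    """Return [(syscall, [matcher, ...])]; a matcher of None means '-' (any value)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        matchers = []
        for field in fields[1:]:
            if field == "-":
                matchers.append(None)
            elif field.startswith("|"):
                # Assumption: '|NAME' is masked equality, (arg & NAME) == NAME.
                matchers.append(getattr(stat, field[1:]))
            else:
                raise ValueError(f"unsupported argument filter: {field}")
        rules.append((fields[0], matchers))
    return rules

def allowed(rules, syscall, *args):
    """True if any rule for this syscall matches the given argument values."""
    for name, matchers in rules:
        if name == syscall and all(
            m is None or (a & m) == m for m, a in zip(matchers, args)
        ):
            return True
    return False  # no rule matched: the filter's default action applies

if __name__ == "__main__":
    rules = parse_rules(RULES)
    pipe = "/home/alan/snap/foo/x1/.foo/foo.pipe"  # path from the strace output
    for label, mode in [("S_IFIFO", stat.S_IFIFO), ("S_IFSOCK", stat.S_IFSOCK),
                        ("S_IFCHR", stat.S_IFCHR), ("S_IFBLK", stat.S_IFBLK)]:
        print(f"mknod(..., {label}|0600):", allowed(rules, "mknod", pipe, mode | 0o600, 0))
```

Under these assumptions the FIFO call from the strace output matches a rule, while character and block device modes match none of them.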

It isn’t listed there because it is intended to be used by precisely one snap: classic.