I am planning to use POSIX message queues with snap for inter-snap communication.
But I observed that mq_open and other POSIX message queue syscalls are not allowed in the seccomp filter.
The lines below in /var/lib/snapd/seccomp/bpf/snap.$SNAP_NAME.src indicate the same.
# LP: #1448184 - these aren’t currently mediated by AppArmor. Deny for now
I have referred to “https://snapcraft.io/docs/debug-snaps”, updated the files below and re-generated the bin file.
- Uncommented mq_open and the other required syscalls in “/var/lib/snapd/seccomp/bpf/snap.$SNAP_NAME.src” to avoid the seccomp violation.
- Added the queue name with read/write permission in /var/lib/snapd/apparmor/profiles/snap.. to avoid the AppArmor violation.
With this modification, I am able to use POSIX message queues with snap, but these changes are not persistent and need to be done on each re-install.
Please clarify the queries below.
a) What is the best way to make these changes persistent? Should I create custom interface code and add it, or is there another option? Please suggest.
b) POSIX message queues are not allowed by default, whereas System V message queues are allowed in the seccomp filter policy. Is there any specific reason for this?
Thanks and Regards,
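As an added example (not from the original post or from snapd), a small C probe a snap developer can run inside the confined app to tell the two denials in the post apart: it runs the mq_open/mq_send/mq_receive round trip and classifies the errno of the first failing call. The mapping of EPERM to the seccomp deny rule and EACCES to an AppArmor denial, the queue name and the payload are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <mqueue.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum mq_probe {          /* outcome of probing POSIX mqueues from inside a snap */
    MQ_OK = 0,           /* round trip worked: seccomp and AppArmor both allow it */
    MQ_DENIED_SECCOMP,   /* EPERM: assumed errno returned by the seccomp deny rule */
    MQ_DENIED_APPARMOR,  /* EACCES: assumed errno for an AppArmor denial of the name */
    MQ_UNAVAILABLE,      /* ENOSYS: kernel or libc without POSIX mqueue support */
    MQ_OTHER_ERROR       /* anything else (ENOENT, EINVAL, EMFILE, ...) */
};

/* Pure mapping from a failed mq_* call's errno to a probe outcome. */
enum mq_probe mq_classify_errno(int err)
{
    switch (err) {
    case EPERM:  return MQ_DENIED_SECCOMP;
    case EACCES: return MQ_DENIED_APPARMOR;
    case ENOSYS: return MQ_UNAVAILABLE;
    default:     return MQ_OTHER_ERROR;
    }
}
/* Create a private queue, send one message, read it back, remove the queue;
   returns the classification of the first failing step, or MQ_OK. */
enum mq_probe mq_probe_roundtrip(void)
{
    char name[64], buf[64];
    struct mq_attr attr = { .mq_maxmsg = 4, .mq_msgsize = sizeof buf };
    const char msg[] = "probe";            /* constructed payload */
    enum mq_probe result = MQ_OK;
    snprintf(name, sizeof name, "/mq-probe-%ld", (long)getpid()); /* per-process name */
    mqd_t q = mq_open(name, O_CREAT | O_EXCL | O_RDWR, 0600, &attr);
    if (q == (mqd_t)-1)
        return mq_classify_errno(errno);   /* mq_open is the call the filter denies */
    if (mq_send(q, msg, sizeof msg, 0) == -1) {
        result = mq_classify_errno(errno);
    } else {
        ssize_t n = mq_receive(q, buf, sizeof buf, NULL); /* buf must be >= mq_msgsize */
        if (n == -1)
            result = mq_classify_errno(errno);
        else if (n != (ssize_t)sizeof msg || memcmp(buf, msg, sizeof msg) != 0)
            result = MQ_OTHER_ERROR;       /* payload mismatch; should not happen */
    }
    mq_close(q); mq_unlink(name);          /* always clean up the queue name */
    return result;
}
```

Run it unconfined first to confirm MQ_OK, then from inside the snap before and after the seccomp and AppArmor edits described above.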