Cannot write in home directory

t0skfak3r · May 17, 2021, 8:49am

Hello! I try to copy a file in user home directory but i get EPERM error:

{"errno":-1,"syscall":"copyfile","code":"EPERM","path":"/root/snap/test/x2/env.json","dest":"/root/snap/test/x2/env.json.bak"}

Snap connections:

Interface         Plug                              Slot               Notes
browser-support   test:browser-support   :browser-support   -
hardware-observe  test:hardware-observe  :hardware-observe  manual
home              test:home              :home              -
network           test:network           :network           -
network-bind      test:network-bind      :network-bind      -
opengl            test:opengl            :opengl            -
raw-usb           test:raw-usb           :raw-usb           manual
removable-media   test:removable-media   :removable-media   manual
wayland           test:wayland           :wayland           manual

Snapd version:

snap list
Name             Version        Rev    Tracking       Publisher   Notes
core18           20210309       1997   latest/stable  canonical✓  base
core20           20210319       975    latest/stable  canonical✓  base
lxd              4.0.6          20326  4.0/stable/…   canonical✓  -
mir-kiosk        2.3.2-snap117  6525   latest/stable  canonical✓  -
snapd            2.50           11841  latest/stable  canonical✓  snapd
test             0.1.0          x2     -              -           -

I have already seen this: Snap no longer has write permission - snapcraft - snapcraft.io , but i have snapd 2.50 .

Any thoughts why this would happen?

ogra · May 17, 2021, 8:58am

well, you are trying to write to /root … are you actually logged in as root (not running via sudo … ) or running the snap as daemon ?

t0skfak3r · May 17, 2021, 9:02am

The application is running as a daemon, it’s on the machine which should be live:

~$ snap services
Service                          Startup  Current   Notes
lxd.activate                     enabled  inactive  -
lxd.daemon                       enabled  inactive  socket-activated
mir-kiosk.daemon                 enabled  active    -
test.test                        enabled  active    -

ogra · May 17, 2021, 9:05am

and are you trying to copy at runtime or from some hook during i.e. and upgrade ?

t0skfak3r · May 17, 2021, 9:06am

At runtime, while electron browser window is running.

t0skfak3r · May 17, 2021, 9:06am

Also, i forgot to mention, this is on Ubuntu Server 20.04.

t0skfak3r · May 17, 2021, 9:18am

The wierd thing is that the electron app writes to log file, but when i need to copy env.json file:

fs.copyFileSync(App.storage_user__("env.json"), App.storage_user__("env.json.bak"))

it gives EPERM.

EDIT
It seem the error appears only when i use copyFileSync.

There is no error when using: “renameSync”, “unlinkSync”.

ogra · May 17, 2021, 9:43am

are there any related seccomp errors in your journal ?

t0skfak3r · May 17, 2021, 9:57am

What should i grep exactly?

ogra · May 17, 2021, 9:59am

journalctl -f | grep DENIED perhaps … i assume you can not simply journalctl -f and have your daemon execute the copy stuff while watching the log in realtime ?

t0skfak3r · May 17, 2021, 10:04am

Luckily, i can.

This is the output:

May 17 10:01:30 machine audit[4099]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4099 comm="test" exe="/snap/test/x2/main/test" sig=0 arch=c000003e syscall=326 compat=0 ip=0x7f1fd1d1c639 code=0x50000
May 17 10:01:30 machine kernel: audit: type=1326 audit(1621245690.305:2086): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4099 comm="test" exe="/snap/test/x2/main/test" sig=0 arch=c000003e syscall=326 compat=0 ip=0x7f1fd1d1c639 code=0x50000

ogra · May 17, 2021, 10:07am

well, that looks definitely similar to what @mborzecki fixed in the other therad (assuming this is the same architecture, syscall numbers are architecture bound) … perhaps marcin has an idea here …

t0skfak3r · May 17, 2021, 10:09am

It runs on ubuntu server 20.04 lts.
Arch is:

uname -m
x86_64

t0skfak3r · May 17, 2021, 1:25pm

So… any news about this?

lucyllewy · May 17, 2021, 2:01pm

t0skfak3r:

May 17 10:01:30 machine audit[4099]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4099 comm="test" exe="/snap/test/x2/main/test" sig=0 arch=c000003e syscall=326 compat=0 ip=0x7f1fd1d1c639 code=0x50000
May 17 10:01:30 machine kernel: audit: type=1326 audit(1621245690.305:2086): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4099 comm="test" exe="/snap/test/x2/main/test" sig=0 arch=c000003e syscall=326 compat=0 ip=0x7f1fd1d1c639 code=0x50000

Both of those are copy_file_range. This call is permitted by the following:

# the file descriptors used here will already be mediated by apparmor,
# the 6th argument is flags, which currently is always 0
copy_file_range - - - - - 0

It might be that the fs.copyFileSync() call is using an unusual flags parameter in its usage of the syscall. The flags filtering was added in February 2021 in this commit.

t0skfak3r · May 17, 2021, 4:05pm

So there is no fix for it?

lucyllewy · May 17, 2021, 4:44pm

I’ve done some digging. It looks like NodeJS is calling everything correctly, so there shouldn’t be an issue here. Maybe someone from security can double check that the copy_file_range seccomp rule is working as expected.

ijohnson · May 17, 2021, 7:36pm

You might try stracing the snap that is failing for copy_file_range specifically with something like:

sudo snap run --strace='-f -ecopy_file_range' test.test

and see what arguments are being provided

Also what is the output of snap version ?

t0skfak3r · May 18, 2021, 7:59am

Snap version:

$ snap version
snap    2.50
snapd   2.50
series  16
ubuntu  20.04
kernel  5.4.0-73-generic

There is no output when the function “copyFileSync” is called, with any of:

sudo snap run --strace='-f -ecopy_file_range' test.test
sudo snap run --strace='-f -e copy_file_range' test.test

mborzecki · May 18, 2021, 9:26am

Is the snap published somewhere already so that I could try it locally?