Can't save files to user's home

I’ve just published my first snap - Norka - a text editor with its own database inside and the ability to export files to local storage. It is based on Python3 and Gtk, so it requires the dbus interface, which was added to snapcraft.yml. After that change the app now starts properly and is able to create a database. But…

A new problem has come up - export to local storage does nothing. I mean there are no exceptions or dangerous logs, but no files are saved to disk. Searching the forum gave me this thread: "Python multiprocessing sem_open blocked in strict mode - #12 by jonata". I tried to use snapcraft-preload but had no luck :confused:

I need help.

Did you check that it is not being stored to the snap’s home directory in /home/user/snap/<snap-name>/current/... ?

Yup. The folder is empty. I’ve tried it on freshly installed Ubuntu 20.04, by the way. When I used the same snap on ElementaryOS it worked very well and exported successfully.

Do you see any system journal denials with journalctl -e --no-pager | grep DENIED ?

Oh, there’s a lot!

Most of them look like:

авг 10 20:39:34 meamka-Standard-PC-i440FX-PIIX-1996 kernel: audit: type=1400 audit(1597081174.814:3232): apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/proc/2178/mounts" pid=2178 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
авг 10 20:39:34 meamka-Standard-PC-i440FX-PIIX-1996 audit[611]: USER_AVC pid=611 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.80" pid=2178 label="snap.norka.norka" peer_pid=2310 peer_label="unconfined"
авг 10 20:39:34 meamka-Standard-PC-i440FX-PIIX-1996 kernel: audit: type=1107 audit(1597081174.862:3233): pid=611 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.80" pid=2178 label="snap.norka.norka" peer_pid=2310 peer_label="unconfined"
авг 10 20:39:40 meamka-Standard-PC-i440FX-PIIX-1996 audit[2178]: AVC apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/proc/2178/mountinfo" pid=2178 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
авг 10 20:39:40 meamka-Standard-PC-i440FX-PIIX-1996 kernel: audit: type=1400 audit(1597081180.222:3235): apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/proc/2178/mountinfo" pid=2178 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
авг 10 20:39:40 meamka-Standard-PC-i440FX-PIIX-1996 kernel: audit: type=1400 audit(1597081180.222:3236): apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/proc/2178/mounts" pid=2178 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
авг 10 20:39:40 meamka-Standard-PC-i440FX-PIIX-1996 audit[2178]: AVC apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/proc/2178/mounts" pid=2178 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

But what can I do with this?

try:

$ sudo snap install snappy-debug
$ sudo journalctl --output=short --follow --all | sudo snappy-debug

then run your app from another terminal and watch the snappy-debug output, it makes suggestions about what to do where it can …

Well, the only suggestion it made was “try to add hostname-control”. I’m not sure I have to do this, 'cause I don't yet have enough experience in Linux development.

I’m surprised it didn’t also suggest mount-observe. Just add these to your plugs section in your snapcraft.yaml file … then after installing the snap, connect them with:

sudo snap connect <your-snap-name>:hostname-control
sudo snap connect <your-snap-name>:mount-observe

that should make most of the denials go away …

Uh, not yet…

meamka@meamka-Standard-PC-i440FX-PIIX-1996:~/Downloads$ snap connections norka
Interface                 Plug                    Slot                             Notes
content[gnome-3-34-1804]  norka:gnome-3-34-1804   gnome-3-34-1804:gnome-3-34-1804  -
content[gtk-3-themes]     norka:gtk-3-themes      gtk-common-themes:gtk-3-themes   -
content[icon-themes]      norka:icon-themes       gtk-common-themes:icon-themes    -
content[sound-themes]     norka:sound-themes      gtk-common-themes:sound-themes   -
dbus                      -                       norka:dbus-norka                 -
desktop                   norka:desktop           :desktop                         -
desktop-legacy            norka:desktop-legacy    :desktop-legacy                  -
gsettings                 norka:gsettings         :gsettings                       -
home                      norka:home              :home                            -
hostname-control          norka:hostname-control  :hostname-control                manual
mount-observe             norka:mount-observe     :mount-observe                   manual
network                   norka:network           :network                         -
opengl                    norka:opengl            :opengl                          -
wayland                   norka:wayland           :wayland                         -
x11                       norka:x11               :x11                             -

Even after connecting these plugs, I see the same messages:

= AppArmor =
Time: авг 10 22:17:24
Log: apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/run/mount/utab" pid=3698 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Yet there are no more suggestions. And no files saved to local storage. :slightly_frowning_face:

well, you are down to one denial :slight_smile:

IIRC login-session-observe should grant read access to the utab file

(none of the denials are seemingly related to your “write to disk” issues though but fixing them is part of the packaging work)
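
An added example (not part of the thread, and not code from snapd or snappy-debug): a small Python triage of the denial records quoted above, which collapses the kernel/audit duplicates and flags any write-type denial. The field names come from the quoted logs; the function names, the `/proc/<pid>/` normalisation and the choice of `w`, `a`, `c`, `d` as write-type masks are assumptions of this example.

```python
import re
from collections import Counter

# Trimmed copies of denial records quoted in the thread (timestamp/host prefix dropped).
SAMPLE = """\
kernel: audit: type=1400 audit(1597081174.814:3232): apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/proc/2178/mounts" pid=2178 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit[611]: USER_AVC pid=611 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.80" pid=2178 label="snap.norka.norka" peer_pid=2310 peer_label="unconfined"
audit[2178]: AVC apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/proc/2178/mountinfo" pid=2178 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1597081180.222:3235): apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/proc/2178/mountinfo" pid=2178 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Log: apparmor="DENIED" operation="open" profile="snap.norka.norka" name="/run/mount/utab" pid=3698 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
WRITE_MASKS = set("wacd")  # write, append, create, delete (this example's choice)

def parse_denial(line):
    """Return the quoted key="value" fields of one AppArmor denial, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return dict(FIELD.findall(line))

def summarize(log_text):
    """Count unique denials; the same event is often logged by kernel and audit."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        if f.get("operation", "").startswith("dbus_"):
            target = f'{f.get("bus")}:{f.get("path")} {f.get("interface")}.{f.get("member")}'
            key = ("dbus", target, f.get("mask", "?"))
        else:
            # Collapse per-process paths so /proc/2178/... and /proc/3698/... match.
            target = re.sub(r"^/proc/\d+/", "/proc/<pid>/", f.get("name", "?"))
            key = ("file", target, f.get("denied_mask", "?"))
        counts[key] += 1
    return counts

def write_denials(counts):
    """File denials whose mask includes a write-type permission."""
    return sorted(k for k in counts if k[0] == "file" and WRITE_MASKS & set(k[2]))

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (kind, target, mask), n in sorted(summary.items()):
        print(f"{n}x {kind:4} {mask:5} {target}")
    print("write-type denials:", write_denials(summary) or "none")
```

On the thread's records this reports four distinct denials and no write-type ones, consistent with the last reply's remark that the denials do not seem related to the export problem.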