Classic confinement on atom, yet still getting denials?!

@jdstrand, can you take a look at confinement in relation to classic (that’s an app installed using classic confinement, not the ubuntu core “classic mode”), which shouldn’t be confined at all AFAIUI? Running atom I get denials from apparmor when I try to use Facebook’s “Nuclide” plugin in conjunction with the JavaScript typechecker called “Flow” (again, from Facebook):

= AppArmor =
Time: Apr 12 03:44:52
Log: apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" pid=3488 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none

= AppArmor =
Time: Apr 12 03:44:52
Log: apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" name="/dev/shm/.org.chromium.Chromium.iY5a7W" pid=3488 comm="snap-confine" requested_mask="ra" denied_mask="ra" fsuid=1000 ouid=1000
File: /dev/shm/.org.chromium.Chromium.iY5a7W (write)
Suggestions:
* adjust program to create files and directories in /dev/shm/snap.$SNAP_NAME.*
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload

= AppArmor =
Time: Apr 12 03:44:52
Log: apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" name="/dev/shm/.org.chromium.Chromium.9TVQDZ" pid=3488 comm="snap-confine" requested_mask="ra" denied_mask="ra" fsuid=1000 ouid=1000
File: /dev/shm/.org.chromium.Chromium.9TVQDZ (write)
Suggestions:
* adjust program to create files and directories in /dev/shm/snap.$SNAP_NAME.*
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload

= AppArmor =
Time: Apr 12 03:44:52
Log: apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" name="/dev/shm/.org.chromium.Chromium.4niHa2" pid=3488 comm="snap-confine" requested_mask="ra" denied_mask="ra" fsuid=1000 ouid=1000
File: /dev/shm/.org.chromium.Chromium.4niHa2 (write)
Suggestions:
* adjust program to create files and directories in /dev/shm/snap.$SNAP_NAME.*
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload

= AppArmor =
Time: Apr 12 03:44:52
Log: apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" name="/dev/shm/.org.chromium.Chromium.7SMBQ4" pid=3488 comm="snap-confine" requested_mask="ra" denied_mask="ra" fsuid=1000 ouid=1000
File: /dev/shm/.org.chromium.Chromium.7SMBQ4 (write)
Suggestions:
* adjust program to create files and directories in /dev/shm/snap.$SNAP_NAME.*
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload

= AppArmor =
Time: Apr 12 03:44:52
Log: apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" name="/dev/shm/.org.chromium.Chromium.LwUPca" pid=3488 comm="snap-confine" requested_mask="ra" denied_mask="ra" fsuid=1000 ouid=1000
File: /dev/shm/.org.chromium.Chromium.LwUPca (write)
Suggestions:
* adjust program to create files and directories in /dev/shm/snap.$SNAP_NAME.*
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload

Ooh ooh I know this one, it’s the same thing I was complaining about in Snapd 2.32 breaks live-server installer

OK, so looking through your post I see it’s about a classic snap invoking another snap. In my case I’ve got flow installed in my home directory but it’s a javascript/nodejs script which is using nodejs from the node snap rather than installed through apt.

Another snap having similar issues: node.

Trigger it by running:

sudo snap install node
sudo yarn global add npm # required for the next step
sudo npm install -g yo # fails to run the yeoman-doctor

Basically it seems that node is unable to call itself in a subprocess. The script above will run npm and within the yeoman (yo) installation will attempt to start the command npm --version in a subprocess. This attempt is hitting apparmor denials similar to atom running flow. The npm command is interpreted by node:

= AppArmor =
Time: Apr 13 00:19:14
Log: apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" pid=4550 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none

= AppArmor =
Time: Apr 13 00:19:14
Log: apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" pid=4557 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none
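An added example, not from this thread or from snapd: a small Python parser for the AppArmor `DENIED` audit lines quoted above. It separates denials raised by the snap-confine launcher profile (the case in this thread, where the launcher of the second snap trips over descriptors inherited from the first) from denials raised by an app's own snap profile, and counts them by profile, operation and kind. The sample log is constructed from the lines posted here, not a live capture.

```python
"""Parse AppArmor DENIED audit lines (the format quoted in this thread) and
summarise them, so that denials from the snap-confine launcher profile can be
told apart from denials raised by an application's own snap profile."""
import re
from collections import Counter

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample modelled on the lines posted in the thread (not a live capture).
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" pid=3488 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none
apparmor="DENIED" operation="file_inherit" profile="/snap/core/4443/usr/lib/snapd/snap-confine" name="/dev/shm/.org.chromium.Chromium.iY5a7W" pid=3488 comm="snap-confine" requested_mask="ra" denied_mask="ra" fsuid=1000 ouid=1000
apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" pid=3720981 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none
apparmor="ALLOWED" operation="open" profile="snap.example.app" name="/etc/hosts" pid=42 comm="app" requested_mask="r" denied_mask="r"
"""


def parse_line(line):
    """Return the key/value fields of one audit line as a dict (all values as strings)."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in _TOKEN.findall(line)}


def classify(fields):
    """Describe one denial, or return None for lines that are not denials."""
    if fields.get("apparmor") != "DENIED":
        return None
    profile = fields.get("profile", "")
    # Socket entries carry family/sock_type; file entries carry a path in name=.
    kind = "socket" if "family" in fields else "file"
    target = fields.get("name") if kind == "file" else f'{fields.get("family")}/{fields.get("sock_type")}'
    return {
        "profile": profile,
        # The launcher's own profile, not the confined app's profile, raised the denial.
        "from_launcher": profile.endswith("/snap-confine"),
        # file_inherit: descriptors already open when the process entered this profile were checked.
        "operation": fields.get("operation"),
        "kind": kind,
        "target": target,
        "denied_mask": fields.get("denied_mask"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
    }


def summarise(log_text):
    """Count denials by (profile, operation, kind); blank and non-denial lines are skipped."""
    counts = Counter()
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        entry = classify(parse_line(line))
        if entry:
            counts[(entry["profile"], entry["operation"], entry["kind"])] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, kind), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{n:3d}  {profile}  {op}  {kind}")
```

Feed it the `Log:` lines from `journalctl -k` or `snappy-debug` output; every entry whose profile ends in `/snap-confine` is the launcher case discussed in this thread rather than a gap in the app's own profile.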

Right, this is the issue discussed in Snapd 2.32 breaks live-server installer. I discussed roadmap items here that will allow this to work. This work is already started but it will be a while yet before it is available for snapd to use.

@jdstrand - I guess this issue is still not resolved in 2.48, right? I use neovim & nodejs/npm as snaps. Although both are unconfined, neovim cannot find nodejs provider. And even if it does (with the help of a config) it cannot execute its check with npm info neovim --json. I see the following errors within the logs:

= AppArmor =
Time: Dec 28 01:56:25
Log: apparmor="DENIED" operation="file_inherit" profile="/usr/lib/snapd/snap-confine" pid=3720981 comm="snap-confine" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none

You can follow this probably related PR: https://github.com/snapcore/snapd/pull/10029