I’m the developer of jape, a formal logic proof editor which uses java to provide a GUI and OCaml to provide a proof-step engine. (see rbornat/jape on github). I’m trying to package jape as a snap. The snap contains a jre, built using jlink and the JDK 11 from adoptopenjdk. It commences by calling a class in the jre.
To build the snap I had already to include build-attributes: [keep-execstack] because the JIT compiler (and another library, forgotten what) needs it.
The snap works with --devmode and --dangerous. I’ve told it to connect to personal-files so it can get at ~/.java, and connected to :home. So far so good.
But the jre’s garbage collector makes a lot of access to system files, shown to me by snappy-debug. For example, it starts with
= AppArmor =
Time: Aug 14 18:49:17
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="truncate" profile="snap.jape.jape" name="/proc/40869/coredump_filter" pid=40869 comm="java" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/40869/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_pattern" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_pattern (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_pattern'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/sys/kernel/core_uses_pid" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/sys/kernel/core_uses_pid (read)
Suggestion:
* adjust program to not access '@{PROC}/sys/kernel/core_uses_pid'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/proc/1/cgroup" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/1/cgroup (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/cgroup'
and later it spends lots of time reading stuff about memory
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.limit_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.limit_in_bytes'
= AppArmor =
Time: Aug 14 18:49:18
Log: apparmor="ALLOWED" operation="open" profile="snap.jape.jape" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes" pid=40869 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/memory.usage_in_bytes'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/memory.usage_in_bytes'
I’m at a loss to see how to make this a snap. The system-files interface says the snap mustn’t look at /etc or /proc; the layout mechanism doesn’t like linking to proc/1/cgroup (which is all I’ve tried so far), and I would have to somehow provide run-time uid and pid values to describe what’s going on. Yet the snapcraft documentation for java doesn’t hint at any of these difficulties.
I’m running ubuntu 20.04 on VirtualBox inside Macos 10.15; all the Ubuntu software is up-to-date.
Help?