Latest snapcraft
changes the way LD_LIBRARY_PATH
is defined in the command wrappers. Now it is
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$SNAP/lib:$SNAP/usr/lib:$SNAP/lib/x86_64-linux-gnu:$SNAP/usr/lib/x86_64-linux-gnu"
export LD_LIBRARY_PATH=$SNAP_LIBRARY_PATH:$LD_LIBRARY_PATH
while previously it did not include $SNAP/lib
and $SNAP/lib/<arch>
. Due to this, I had to explicitly include the dynamic linker in the network-manager
snap, which was not previously needed. Also, some apparmor denials started to appear when running the service:
[ 3804.003697] audit: type=1400 audit(1528271878.010:336): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/libuuid.so.1.3.0" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3804.004200] audit: type=1400 audit(1528271878.010:337): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3804.004328] audit: type=1400 audit(1528271878.010:338): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/libnl-3.so.200.22.0" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3804.004491] audit: type=1400 audit(1528271878.010:339): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/libdl-2.23.so" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3804.004605] audit: type=1400 audit(1528271878.010:340): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/libm-2.23.so" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3804.004712] audit: type=1400 audit(1528271878.010:341): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/libpthread-2.23.so" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3804.004812] audit: type=1400 audit(1528271878.010:342): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/libc-2.23.so" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3804.005029] audit: type=1400 audit(1528271878.010:343): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/librt-2.23.so" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3804.005079] audit: type=1400 audit(1528271878.010:344): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/librt-2.23.so" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3804.005179] audit: type=1400 audit(1528271878.010:345): apparmor="DENIED" operation="open" profile="snap.network-manager.networkmanager" name="/snap/core/4650/lib/x86_64-linux-gnu/libz.so.1.2.8" pid=6951 comm="NetworkManager" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
For some reason, the dynamic loader is trying to load files from /snap/core
, while that path is not in LD_LIBRARY_PATH. The denials have no side effect, as in the end the dl loads the libraries from /lib/<arch>/
- which are those shipped by the core snap indeed. But, I would like to understand why this happens and how to get rid of the denials. An option is including all libraries inside the snap, but that increases quite a bit its size, so that will not be always an option.