[DENIED] xterm access to /dev/pts/0

I am creating a snap that runs xterm in a strict env (Ubuntu Core 20).

When installing it using --devmode it works fine, since AppArmor/seccomp allows everything.
However, without --devmode xterm fails in this way:

2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.022079] < -warning- > xwayland: Failed to load any default cursor
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.022846] < - ERROR - > xwayland: No default cursor loaded
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.023402] <information> xwayland: XWayland is running
2021-06-22T12:15:48Z jigtools.xterm-service[12895]: xterm: Cannot chown /dev/pts/0 to 0,5: Operation not permitted
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.070832] < - ERROR - > xwayland: XCB error: no reply data
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.073834] < - debug - > mirserver: Handling Terminated from pid=12824
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.074339] <information> xwayland: Deiniting xwayland server
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.174593] <information> xwayland: XWayland stopped

It seems the chown of /dev/pts/0 is what makes it fail.

This is the snappy-debug log from that part:

= Seccomp =
Time: Jun 22 12:15:48
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12895 comm="xterm" exe="/snap/jigtools/x1/usr/bin/xterm" sig=0 arch=c000003e 116(setgroups) compat=0 ip=0x7f01f4e02e6b code=0x50000
Syscall: setgroups
Suggestion:
* adjust program to not use 'setgroups' (https://forum.snapcraft.io/t/seccomp-filtering-for-setgroups/2109)

= Seccomp =
Time: Jun 22 12:15:48
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12895 comm="xterm" exe="/snap/jigtools/x1/usr/bin/xterm" sig=0 arch=c000003e 92(chown) compat=0 ip=0x7f01f51724cb code=0x50000
Syscall: chown
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'chown'
* ignore the denial if the program otherwise works correctly (unconditial chown is often just noise)

Any idea how to solve this?
Is there an interface for /dev/pts/0? How can I let xterm chmod that device?

Have you tried the preload hack to intercept the chown call that is linked in the output? (I assume your xterm will run as a service anyway in the end, so it will be root and not need to chown.)

I did not try that, but will definitely do that.
Hopefully it works, since my xterm binary is already being wrapped by usr/local/bin/x11_kiosk_launch.
Thanks for the tip!

I have tried the snapcraft-preload trick, like this:

2021-06-23T07:33:00Z jigtools.jigtools-service[7181]: + exec /snap/jigtools/x1/usr/local/bin/x11_kiosk_launch /snap/jigtools/x1/bin/snapcraft-preload /snap/jigtools/x1/usr/bin/xterm

But the funny thing is, chown still seems to pass straight through:

= Seccomp =
Time: Jun 23 07:33:00
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=7252 comm="xterm" exe="/snap/jigtools/x1/usr/bin/xterm" sig=0 arch=c000003e 92(chown) compat=0 ip=0x7fc56694b4cb code=0x50000
Syscall: chown
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'chown'
* ignore the denial if the program otherwise works correctly (unconditial chown is often just noise)
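Editor's added example, not code from this thread and not snapcraft-preload's own source: a minimal LD_PRELOAD shim in C that shows the mechanism behind the "preload hack" suggested in the reply above, and gives something concrete to check when, as in the last post, the denial keeps appearing. In the seccomp log lines, sig=0 together with code=0x50000 (SECCOMP_RET_ERRNO) means the filter is not killing xterm; it makes chown return -1 with errno EPERM, and xterm then exits on its own. The shim below replaces the chown family, forwards each call to the kernel through syscall(2) instead of libc (so it does not loop back into itself and needs no dlsym), and turns an EPERM answer into success while letting every other error (ENOENT, EROFS, ...) through untouched. The helper names (swallow_eperm, shim_selfcheck, libchownshim) are made up for the example.

```c
// Added example: LD_PRELOAD shim that neutralises chown denials.
// Build as a shared object:  gcc -shared -fPIC -o libchownshim.so chownshim.c
// Use:                       LD_PRELOAD=/path/to/libchownshim.so xterm
// It also compiles as a plain program so the two *_selfcheck functions
// can be exercised without a preload.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Go straight to the kernel entry point. Calling libc's chown() here would
 * resolve back to the replacement defined below and recurse forever.
 * fchownat exists on every Linux architecture, unlike the legacy chown(2). */
static long raw_fchownat(int dirfd, const char *path, uid_t uid, gid_t gid, int flags)
{
    return syscall(SYS_fchownat, dirfd, path, uid, gid, flags);
}

/* The policy of the shim: a permission denial (what a SECCOMP_RET_ERRNO
 * filter or an unprivileged ownership change produces) is reported as
 * success; anything else is passed through so real faults still surface. */
static int swallow_eperm(long rc)
{
    if (rc == -1 && errno == EPERM) {
        errno = 0;
        return 0;
    }
    return (int)rc;
}

int chown(const char *path, uid_t owner, gid_t group)
{
    return swallow_eperm(raw_fchownat(AT_FDCWD, path, owner, group, 0));
}

int lchown(const char *path, uid_t owner, gid_t group)
{
    return swallow_eperm(raw_fchownat(AT_FDCWD, path, owner, group, AT_SYMLINK_NOFOLLOW));
}

int fchown(int fd, uid_t owner, gid_t group)
{
    return swallow_eperm(syscall(SYS_fchown, fd, owner, group));
}

int fchownat(int dirfd, const char *path, uid_t owner, gid_t group, int flags)
{
    return swallow_eperm(raw_fchownat(dirfd, path, owner, group, flags));
}

/* Self-check: chown a fresh temp file to uid/gid 65534 (nobody/nogroup on
 * most distributions). As root the kernel says yes; unprivileged it says
 * EPERM. Through the shim both must come back as 0. Returns 0 on success. */
int shim_selfcheck(void)
{
    char tmpl[] = "/tmp/chownshimXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    int rc_path = chown(tmpl, 65534, 65534);
    int rc_fd = fchown(fd, 65534, 65534);
    close(fd);
    unlink(tmpl);
    return (rc_path == 0 && rc_fd == 0) ? 0 : -1;
}

/* Self-check: a genuine error is not hidden. A missing path still fails
 * with ENOENT, which this returns (0 would mean the error was swallowed). */
int shim_missing_path_errno(void)
{
    errno = 0;
    int rc = chown("/nonexistent/chown-shim-probe", 0, 5);
    return (rc == -1) ? errno : 0;
}
```

Two checks worth doing before concluding the trick "passes through": first, confirm the library is actually mapped into the xterm process (grep the .so name in /proc/PID/maps of the running xterm); if it is not there, the interposition never had a chance. ld.so(8) documents that LD_PRELOAD entries are ignored in secure-execution mode, i.e. for set-user-ID or set-group-ID executables (Debian-derived xterm packages are commonly installed set-group-ID), and an intermediate launcher that execs with a cleaned environment also drops the variable, so inspect both the file mode of the xterm in the snap and what the wrapper passes on. Second, note the design choice above: because the shim issues fchownat rather than chown(2), the syscall the seccomp filter sees changes from 92(chown) to fchownat; if the filter denies that too, the shim still maps the EPERM to success, which is the whole point, but the snappy-debug output will then name a different syscall.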