I am creating a snap that runs xterm in a strict env (Ubuntu Core 20).
When installing it using --devmode, it works fine, since AppArmor/seccomp allows everything.
However, without --devmode, xterm fails in this way:
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.022079] < -warning- > xwayland: Failed to load any default cursor
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.022846] < - ERROR - > xwayland: No default cursor loaded
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.023402] <information> xwayland: XWayland is running
2021-06-22T12:15:48Z jigtools.xterm-service[12895]: xterm: Cannot chown /dev/pts/0 to 0,5: Operation not permitted
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.070832] < - ERROR - > xwayland: XCB error: no reply data
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.073834] < - debug - > mirserver: Handling Terminated from pid=12824
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.074339] <information> xwayland: Deiniting xwayland server
2021-06-22T12:15:48Z jigtools.xterm-service[12855]: [2021-06-22 12:15:48.174593] <information> xwayland: XWayland stopped
It seems the chown of /dev/pts/0 is what makes it fail.
This is the snappy-debug log from that part:
= Seccomp =
Time: Jun 22 12:15:48
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12895 comm="xterm" exe="/snap/jigtools/x1/usr/bin/xterm" sig=0 arch=c000003e 116(setgroups) compat=0 ip=0x7f01f4e02e6b code=0x50000
Syscall: setgroups
Suggestion:
* adjust program to not use 'setgroups' (https://forum.snapcraft.io/t/seccomp-filtering-for-setgroups/2109)
= Seccomp =
Time: Jun 22 12:15:48
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12895 comm="xterm" exe="/snap/jigtools/x1/usr/bin/xterm" sig=0 arch=c000003e 92(chown) compat=0 ip=0x7f01f51724cb code=0x50000
Syscall: chown
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'chown'
* ignore the denial if the program otherwise works correctly (unconditional chown is often just noise)
Any idea how to solve this?
Is there an interface for /dev/pts/0? How can I let xterm chmod that device?
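As an added example (not part of the original post, and not code from snappy-debug or snapd), here is a small Python parser for the seccomp lines that snappy-debug prints. It decodes the audit "code" field into the seccomp action, so one can tell a real denial (SECCOMP_RET_ERRNO, code=0x50000, which is what both lines above carry) from a complain-mode log entry (SECCOMP_RET_LOG, code=0x7ffc0000) that would not by itself break the program, and it groups denials per program and syscall. The two sample log lines are copied from the post above; the function names and the dictionary layout are my own choices.

```python
import re
from collections import Counter

# Constructed sample input: the two seccomp lines from the snappy-debug
# output above, in the form the kernel audit subsystem emits them.
SAMPLE_LOG = """\
auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12895 comm="xterm" exe="/snap/jigtools/x1/usr/bin/xterm" sig=0 arch=c000003e 116(setgroups) compat=0 ip=0x7f01f4e02e6b code=0x50000
auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12895 comm="xterm" exe="/snap/jigtools/x1/usr/bin/xterm" sig=0 arch=c000003e 92(chown) compat=0 ip=0x7f01f51724cb code=0x50000
"""

# The upper 16 bits of the logged "code" field hold the seccomp action
# (SECCOMP_RET_* constants from linux/seccomp.h). The errno a filter returns
# alongside SECCOMP_RET_ERRNO is not logged, only the action is.
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_ACTIONS = {
    0x00000000: "KILL_THREAD",
    0x80000000: "KILL_PROCESS",
    0x00030000: "TRAP",
    0x00050000: "ERRNO",
    0x7FC00000: "USER_NOTIF",
    0x7FF00000: "TRACE",
    0x7FFC0000: "LOG",
    0x7FFF0000: "ALLOW",
}
# Actions that stop the syscall from running; LOG (complain-style logging)
# and ALLOW let it through.
BLOCKING_ACTIONS = {"KILL_THREAD", "KILL_PROCESS", "TRAP", "ERRNO"}

# AUDIT_ARCH_* values for the architectures snaps commonly run on.
AUDIT_ARCHES = {
    "c000003e": "x86_64",
    "40000003": "i386",
    "c00000b7": "aarch64",
    "40000028": "arm",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_RE = re.compile(r"\b(\d+)\((\w+)\)")


def parse_seccomp_line(line):
    """Turn one audit-style seccomp line into a dict, or None if it is not one."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SYSCALL_RE.search(line)
    if m is None or "code" not in fields:
        return None
    code = int(fields["code"], 16)
    action = SECCOMP_ACTIONS.get(code & SECCOMP_RET_ACTION_FULL, "UNKNOWN")
    arch = fields.get("arch", "")
    return {
        "pid": int(fields.get("pid", "0")),
        "uid": int(fields.get("uid", "0")),
        "gid": int(fields.get("gid", "0")),
        "comm": fields.get("comm", ""),
        "exe": fields.get("exe", ""),
        "arch": AUDIT_ARCHES.get(arch, arch),
        "syscall_nr": int(m.group(1)),
        "syscall": m.group(2),
        "action": action,
        "signal": int(fields.get("sig", "0")),
        "blocked": action in BLOCKING_ACTIONS,
    }


def denied_syscalls(log_text):
    """Sorted names of syscalls the filter actually blocked (not merely logged)."""
    names = set()
    for line in log_text.splitlines():
        rec = parse_seccomp_line(line)
        if rec is not None and rec["blocked"]:
            names.add(rec["syscall"])
    return sorted(names)


def summarize(log_text):
    """Count entries per (program, syscall, action) to separate noise from the real blocker."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_seccomp_line(line)
        if rec is not None:
            counts[(rec["comm"], rec["syscall"], rec["action"])] += 1
    return counts


if __name__ == "__main__":
    for (comm, syscall, action), n in summarize(SAMPLE_LOG).items():
        print(f"{comm}: {syscall} -> {action} x{n}")
    print("blocked:", denied_syscalls(SAMPLE_LOG))
```

Lines without a code= field (the "= Seccomp =", "Time:", "Syscall:" and suggestion lines of snappy-debug output) are skipped, and the "Log: " prefix does not disturb the key=value parsing, so the whole snappy-debug transcript can be fed to summarize() unchanged. For the log in the post both entries decode to action ERRNO, i.e. the kernel returned an error to xterm rather than just logging the call, which matches the "Operation not permitted" xterm printed.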