Is access to “/usr/bin” allowed in strict confinement? Are there interfaces that have to be connected to gain access to “/usr/bin”?
Actually, I want to use some binaries (e.g. kill, pidof) from the system in the snap. Please suggest another possible way if executable access to /usr/bin is not allowed.
NOTE: I need to run the snap in strict confinement only.
Note that these paths are usually referring to your base snap at runtime … i.e. /usr/bin is whatever /usr/bin the base snap you use provides …
Regarding certain access to particular binaries (if they are shipped inside the base snap, else your snap would have to ship them), you can use the snappy-debug tool to get suggestions for the interfaces your snap will need to use for the particular access …
“kill” is a basic binary; it should be shipped without any issue…
I used the snappy-debug snap; the suggestion is:
= AppArmor =
Time: Apr 19 08:25:31
Log: apparmor="DENIED" operation="exec" profile="snap.basic.execfile" name="/usr/sbin/killall5" pid=7413 comm="usb_composition" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /usr/sbin/killall5 (exec)
Suggestions:
* adjust snap to ship 'killall5'
* adjust program to use relative paths if the snap already ships 'killall5'
But when I try to build the snap while staging the kill command, I get the error below:
2023-04-19 08:40:34.554 Requested stage-packages: ['killall5:arm64']
2023-04-19 08:40:35.629 Marking killall5:arm64 (and its dependencies) to be fetched
2023-04-19 08:40:35.630 Stage package not found in part 'kill': killall5:arm64.
I am attaching my snapcraft.yaml for more reference:
Well, killall is not kill. The kill command is actually in the base snap; killall is not (it is not really a standard command), and your app even calls killall5…
IIRC pkill is syntax-wise closer to killall (and should be in the base snap too), so perhaps you could use that…
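An added example, not part of the thread: a small parser for AppArmor denial lines like the one snappy-debug reported above, listing per snap profile the binaries whose exec was denied, i.e. the ones the snap must ship or replace with something the base snap provides. The function names are hypothetical; only the first sample line comes from the thread, the rest are constructed, including one with a hex-encoded `name`, which the kernel audit format uses for paths containing spaces or other special characters.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the denial quoted in the thread; lines 2-4 are
# constructed to exercise the filter and the hex-encoded "name" case.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="exec" profile="snap.basic.execfile" name="/usr/sbin/killall5" pid=7413 comm="usb_composition" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="snap.basic.execfile" name="/proc/1/stat" pid=7413 comm="killall5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="exec" profile="snap.basic.execfile" name=2F6F70742F6D7920746F6F6C pid=7420 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
apparmor="ALLOWED" operation="exec" profile="snap.basic.execfile" name="/usr/bin/kill" pid=7421 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
'''

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
STRING_FIELDS = {"name", "comm", "profile"}       # fields that may be hex-encoded
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Split one AppArmor audit line into a dict of its key=value pairs."""
    fields = {}
    for m in PAIR.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif key in STRING_FIELDS and HEX.fullmatch(bare):
            # Unquoted string field: hex-encoded because of special characters.
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare                    # numeric fields such as pid
    return fields

def denied_execs(log_text):
    """Map each snap profile to the sorted binaries whose exec was denied."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_denial(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "exec"
                and f.get("profile", "").startswith("snap.") and "name" in f):
            found[f["profile"]].add(f["name"])
    return {profile: sorted(paths) for profile, paths in found.items()}

if __name__ == "__main__":
    for profile, paths in denied_execs(SAMPLE_LOG).items():
        for path in paths:
            print(f"{profile}: ship or replace {path}")
```
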