Execute "kill" or any other binary in strict confinement

Is access to “/usr/bin” allowed in strict confinement? Are there interfaces that have to be connected to gain access to “/usr/bin”?

Actually I want to use some binaries (e.g. kill, pidof) from the system inside my snap. Please suggest another possible way if executable access to /usr/bin is not allowed.

NOTE: I need to run snap in strict confinement only.

Thanks in Advance.

note that these paths usually refer to your base snap at runtime … i.e. /usr/bin is whatever /usr/bin the base snap you use provides …

regarding access to particular binaries (if they are shipped inside the base snap, otherwise your snap would have to ship them) you can use the snappy-debug tool to get suggestions for the interfaces your snap will need to use for the particular access …

“kill” is a basic binary; it should be shipped without any issue…

I used the snappy-debug snap; the suggestion is:

= AppArmor =
Time: Apr 19 08:25:31
Log: apparmor="DENIED" operation="exec" profile="snap.basic.execfile" name="/usr/sbin/killall5" pid=7413 comm="usb_composition" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
File: /usr/sbin/killall5 (exec)
Suggestions:
* adjust snap to ship 'killall5'
* adjust program to use relative paths if the snap already ships 'killall5' 

But when I try to build the snap with the kill command staged, I get the error below:

2023-04-19 08:40:34.554 Requested stage-packages: ['killall5:arm64']
2023-04-19 08:40:35.629 Marking killall5:arm64 (and its dependencies) to be fetched
2023-04-19 08:40:35.630 Stage package not found in part 'kill': killall5:arm64.

I am attaching my snapcraft.yaml for reference:

name: basic
base: core22
version: '2.0'
summary: summary
description: |
  a basic snap to demonstrate bin execution

grade: stable
confinement: strict

architectures:
  - build-on: [amd64, arm64]
    build-for: [arm64]

apps:
  kill:
    command: /usr/sbin/killall5
    plugs:
      - network-bind
      - home
  execfile:
    command: file.sh
    daemon: simple
    install-mode: disable

parts:
  kill:
    plugin: nil
    stage-packages:
      - killall5:${CRAFT_TARGET_ARCH}

  execfile:
    plugin: dump
    source: src/

Please do correct me if I am doing something wrong!

Well, killall is not kill :wink: the kill command is actually in the base snap, killall is not (it is not really a standard command) and your app even calls killall5…

IIRC pkill is syntax wise closer to killall (and should be in the base snap too) perhaps you could use that…

No no, I want to use kill command only…

Scenario:

I am executing a binary and then killing it using “kill -9 <binary>” from shell script which is part of snapcraft.yaml (file.sh)

so why do you call killall5 then? :slight_smile:

$ sudo find /snap/core*/current/ -wholename '*bin/kill'
/snap/core18/current/bin/kill
/snap/core20/current/usr/bin/kill
/snap/core22/current/usr/bin/kill
/snap/core/current/bin/kill
/snap/core/current/usr/lib/klibc/bin/kill
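To illustrate the point made in this thread (kill(1) is already in every base snap, killall5 is not), here is an added example of what the `file.sh` launcher script described in the scenario above could look like. It is not code from the original posts: it starts the program in the background, remembers its PID, and kills it with plain `kill -9 <pid>`, which needs no extra stage package. `sleep` stands in for the user's real binary, and the 1-second wait is a placeholder for whatever work the script does while the program runs.

```bash
#!/bin/sh
# Added example (not from the thread). Run a binary, then kill it by PID with
# kill(1). In a strict snap this resolves either to the shell's kill builtin
# (dash and bash both have one) or to the base snap's /usr/bin/kill, so
# nothing extra has to be staged, unlike killall5 or killall.

run_and_kill() {
    # $@ is the program and its arguments, e.g. "sleep 30" (constructed
    # stand-in for the real binary).
    "$@" &
    pid=$!

    # Placeholder for the work the script does while the program is running.
    sleep 1

    # Kill by PID. "kill -9 <name>" would not work: kill takes PIDs, not names,
    # which is why the snap ended up calling killall5.
    kill -9 "$pid" 2>/dev/null || return 1

    # Collect the exit status; guard against 'set -e' in a calling script.
    status=0
    wait "$pid" 2>/dev/null || status=$?

    # 137 = 128 + SIGKILL(9): confirms the process died from our signal.
    [ "$status" -eq 137 ]
}

# Show which kill is being used inside the snap's runtime environment.
command -v kill

run_and_kill sleep 30 && echo "process killed with SIGKILL"
```

Running `snap run --shell <snap>.<app>` and then `command -v kill` inside it shows where the command resolves in the base snap, which is the same check the `find` command above performs from the host side.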