Expect snap can't run a tcl script

Hi all,

I encountered a problem when I tried to use the expect snap to run a Tcl script which called snap login in order to download a private snap. The script is very simple and can be run on a classic system with the expect deb:

#!/snap/bin/expect -d
# (changed to /usr/bin/expect on classic)
set timeout 60
spawn snap login MyEmail
expect "Password of \"MyEmail\": "
send "MyPassword\r"
expect "Login successful"

The permission error happened when this script was running:

woodrow-shen@localhost:~$ sudo ./test.sh 
expect version 5.45
argv[0] = expect  argv[1] = -d  argv[2] = ./test.sh  
set argc 0
set argv0 "./test.sh"
set argv ""
executing commands from command file ./test.sh
couldn't read file "./test.sh": permission denied
woodrow-shen@localhost:~$

Then I checked journalctl (under UC18):

May 03 09:54:22 localhost sudo[1247]: pam_unix(sudo:session): session closed for user root
May 03 09:54:25 localhost sudo[1252]: woodrow-shen : TTY=pts/0 ; PWD=/home/woodrow-shen ; USER=root ; COMMAND=./test.sh
May 03 09:54:25 localhost sudo[1252]: pam_unix(sudo:session): session opened for user root by woodrow-shen(uid=0)
May 03 09:54:25 localhost audit[1253]: AVC apparmor="DENIED" operation="open" profile="snap.expect.expect" name="/home/woodrow-shen/test.sh" pid=1253 comm="expect" requ
May 03 09:54:25 localhost sudo[1252]: pam_unix(sudo:session): session closed for user root
May 03 09:54:25 localhost kernel: audit: type=1400 audit(1556877265.325:18): apparmor="DENIED" operation="open" profile="snap.expect.expect" name="/home/woodrow-shen/te
May 03 09:54:27 localhost sudo[1267]: woodrow-shen : TTY=pts/0 ; PWD=/home/woodrow-shen ; USER=root ; COMMAND=/bin/journalctl
May 03 09:54:27 localhost sudo[1267]: pam_unix(sudo:session): session opened for user root by woodrow-shen(uid=0)

journalctl from classic:

May 3 18:04:37 woodrow-XPS-13-9380 kernel: [3221142.335539] audit: type=1400 audit(1556877877.555:12992): apparmor="DENIED" operation="open" profile="snap.expect.expect" name="/home/woodrow/test.sh" pid=5672 comm="expect" requested_mask="r" denied_mask="r" fsuid=0 ouid=1001

The testing environments are based on UC18 and a classic system.
I also checked the interfaces, and it looked like expect didn’t use any plug/slot, so I’m not sure if I missed something I didn’t know. Any suggestions?

Thanks,

well, you want to access a script on your home … so expect would at least need the home interface (and have it connected) … try copying your script to /var/snap/expect/current/. If it works from there, a bug against the expect snap might be in order (though I’m not sure the home interface would actually allow execution of files loaded from there)

@ogra, thanks for your reply. I just tried to execute the script under /var/snap/expect/current, and unfortunately there was still an error about apparmor:

expect version 5.45
argv[0] = expect  argv[1] = -d  argv[2] = ./test.sh
set argc 0
set argv0 "./test.sh"
set argv ""
executing commands from command file ./test.sh
spawn snap login MyEmail
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
couldn't execute "snap": permission denied
    while executing
"spawn snap login MyEmail"
    (file "./test.sh" line 3)

From journal log:

May 3 19:52:57 woodrow-XPS-13-9380 kernel: [3227641.910571] audit: type=1400 audit(1556884377.216:13001): apparmor="DENIED" operation="exec" profile="snap.expect.expect" name="/usr/bin/snap" pid=7534 comm="expect" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

(The script also failed to call commands such as lscpu and snap list, which might request resources.)
I’m still wondering why some commands from core are denied by apparmor even though they’re built-in binaries…

So it now properly execs your script …

the issue you hit now is that snapped binaries are not allowed to call the snap command …

the snap command is simply adding interactivity to snapd … what you could do is to use the super-privileged snapd-control interface and talk to snapd via REST API calls …

but note that a snap using the snapd-control interface can not be uploaded to the public store, it is reserved for brand stores where the store owner has full control over who might be using this interface and in what context.

@ogra, thanks for the suggestions. Besides, I’d like to know who the maintainer of the expect snap from Canonical is, or who can help to contact the maintainer?
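
As an added example (not code from any poster or from the expect snap), the sketch below parses the AppArmor denial records quoted in this thread and maps each one to the explanation given in the replies. The names `parse_denial` and `triage` are hypothetical, and the sample lines are taken from the thread's journal output with the syslog prefix trimmed.

```python
import re

# Sample records taken from the thread's journal output (prefix trimmed).
# The third is the UC18 line that journalctl cut off at the terminal width.
SAMPLES = [
    'audit: type=1400 audit(1556877877.555:12992): apparmor="DENIED" '
    'operation="open" profile="snap.expect.expect" name="/home/woodrow/test.sh" '
    'pid=5672 comm="expect" requested_mask="r" denied_mask="r" fsuid=0 ouid=1001',
    'audit: type=1400 audit(1556884377.216:13001): apparmor="DENIED" '
    'operation="exec" profile="snap.expect.expect" name="/usr/bin/snap" '
    'pid=7534 comm="expect" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'audit: type=1400 audit(1556877265.325:18): apparmor="DENIED" '
    'operation="open" profile="snap.expect.expect" name="/home/woodrow-shen/te',
]

# key=value pairs; a value is a quoted string or a bare token. A quoted value
# truncated by the pager has no closing quote and falls back to the bare form.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_denial(line):
    """Return the fields of an apparmor="DENIED" record as a dict, or None."""
    start = line.find('apparmor="DENIED"')
    if start < 0:
        return None
    return {key: val.strip('"') for key, val in _FIELD.findall(line[start:])}

def triage(rec):
    """Map one denial to the confinement explanation given in the thread."""
    profile = rec.get("profile", "")
    if not profile.startswith("snap."):
        return "not a snap profile"
    snap = profile.split(".")[1]
    op, name = rec.get("operation", "?"), rec.get("name", "?")
    if op == "exec" and name == "/usr/bin/snap":
        return f"{snap}: snapped binaries are not allowed to call the snap command"
    if op == "open" and name.startswith("/home/"):
        return f"{snap}: file is under /home; needs the home interface connected"
    return f"{snap}: {op} on {name} denied (mask {rec.get('denied_mask', '?')})"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(parse_denial(sample)))
```

A record cut off by the pager still yields its profile and a partial path, but fields after the cut (such as `requested_mask`) are absent, so re-run `journalctl` with `--no-pager` to capture the full line.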