I have an existing snap in the store for installing fzf, a command-line fuzzy finder.
Currently when executing the snap without any options, it defaults to executing a find command:
set -o pipefail; command find -L . -mindepth 1 ( -path '/.' -o fstype 'sysfs' -o fstype 'devfs' -o fstype 'devtmpfs' -o fstype 'proc' ) -prune -o -type f -print -o -type L …
It complains that it wasn't able to execute that because of strict confinement and not having any plugs specified.
After discovering the snappy-debug snap, I decided to give it a try and indeed discovered some confinement issues:
$ snappy-debug
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
sysctl: permission denied on key 'kernel.printk_ratelimit'
= AppArmor =
Time: Nov 21 11:10:18
Log: apparmor="DENIED" operation="open" profile="snap.fzf-carroarmato0.fzf" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=7733 comm="fzf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size (read)
Suggestion:
- adjust program to not access '/sys/kernel/mm/transparent_hugepage/hpage_pmd_size'
= AppArmor =
Time: Nov 21 11:10:18
Log: apparmor="DENIED" operation="open" profile="snap.fzf-carroarmato0.fzf" name="/proc/7810/mountinfo" pid=7810 comm="find" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/7810/mountinfo (read)
Suggestions:
- adjust program to not access '@{PROC}/@{pid}/mountinfo'
- add 'mount-observe' to 'plugs'
= AppArmor =
Time: Nov 21 11:10:18
Log: apparmor="DENIED" operation="open" profile="snap.fzf-carroarmato0.fzf" name="/proc/7810/mounts" pid=7810 comm="find" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/7810/mounts (read)
Suggestions:
- adjust program to not access '@{PROC}/@{pid}/mounts'
- add one of 'mount-observe, network-control' to 'plugs'
= AppArmor =
Time: Nov 21 11:10:18
Log: apparmor="DENIED" operation="open" profile="snap.fzf-carroarmato0.fzf" name="/proc/7810/mountinfo" pid=7810 comm="find" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/7810/mountinfo (read)
Suggestions:
- adjust program to not access '@{PROC}/@{pid}/mountinfo'
- add 'mount-observe' to 'plugs'
= AppArmor =
Time: Nov 21 11:10:18
Log: apparmor="DENIED" operation="open" profile="snap.fzf-carroarmato0.fzf" name="/proc/7810/mounts" pid=7810 comm="find" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/7810/mounts (read)
Suggestions:
- adjust program to not access '@{PROC}/@{pid}/mounts'
- add one of 'mount-observe, network-control' to 'plugs'
I added the following in my snapcraft.yml file and updated the snap, but apparently the output of snappy-debug is the same.
apps:
  fzf:
    command: fzf
    plugs:
      - mount-observe
      - home
I don't know if this is a bug, or what else I could try to make this work.
$ snap --version
snap 2.42.1
snapd 2.42.1
series 16
ubuntu 19.10
kernel 5.3.0-23-generic
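A small added helper, not part of the post above, that parses the `apparmor="DENIED"` lines snappy-debug prints, collapses the per-process `/proc/<pid>/` paths, and counts which binary was denied what; the sample log is constructed from the lines in the post and the path-to-plug table only covers the hints snappy-debug gave here. It is useful for checking whether a rebuilt snap actually produces fewer denials than the previous one.

```python
import re
from collections import Counter

# Constructed sample in the format snappy-debug printed above (not a live capture).
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="snap.fzf-carroarmato0.fzf" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=7733 comm="fzf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" profile="snap.fzf-carroarmato0.fzf" name="/proc/7810/mountinfo" pid=7810 comm="find" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="snap.fzf-carroarmato0.fzf" name="/proc/7810/mounts" pid=7810 comm="find" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="snap.fzf-carroarmato0.fzf" name="/proc/7810/mountinfo" pid=7810 comm="find" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value pairs; the value is either "quoted" (group 3) or a bare token (group 4).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumption: mapping limited to the plugs snappy-debug suggested in this thread.
PLUG_HINTS = [
    (re.compile(r"^/proc/\d+/mountinfo$"), "mount-observe"),
    (re.compile(r"^/proc/\d+/mounts$"), "mount-observe"),
]


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED line, or None otherwise."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def normalise_path(path):
    """Fold the per-process pid out of /proc paths so repeats group together."""
    return re.sub(r"^/proc/\d+/", "/proc/@{pid}/", path)


def summarise(log_text):
    """Count denials per (comm, normalised path, mask) and collect plugs that would cover them."""
    per_path = Counter()
    plugs = set()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        per_path[(d["comm"], normalise_path(d["name"]), d["requested_mask"])] += 1
        for pattern, plug in PLUG_HINTS:
            if pattern.match(d["name"]):
                plugs.add(plug)
    return per_path, plugs
```

Declaring a plug in snapcraft.yaml only makes it available; on the installed system it must also be connected, and `mount-observe` is not auto-connected, so `snap connections fzf-carroarmato0` is worth checking before re-running the comparison.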