How do I allow POSIX message queues with snap?

I got errors as below when I run my snap package.
To resolve this problem, I tried the way mentioned in


but still failed.

Is there any interface for this?

= Seccomp =
Time: Aug 26 08:17:44
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=776 comm="myexample" exe="/snap/demo/x1/bin/myexample" sig=0 arch=40000028 277(mq_timedreceive) compat=0 ip=0xb6de9036 code=0x50000
Syscall: mq_timedreceive

Hi,

Please recheck /var/lib/snapd/seccomp/bpf/snap.$SNAP_NAME.src and make sure that mq_timedreceive is uncommented. If it is commented, uncomment and recompile the profile binary as follows.

sudo /usr/lib/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.$SNAP_NAME.src /var/lib/snapd/seccomp/bpf/snap.$SNAP_NAME.bin

To avoid an AppArmor violation, you need to add the message queue name in /var/lib/snapd/apparmor/profiles/snap.$snap_name.$command

E.g.:
/msgq-name rw,

Use the command below to reload the AppArmor policy.
sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.$snap_name.$command

Refer to https://snapcraft.io/docs/debug-snaps for more info.

I could not find any snap interface for POSIX message queues.
I also did not find any specific reason for not allowing POSIX message queues within snap.

Here you could simply use a System Files interface instead of hacking the rules directly … (this will indeed not help with the seccomp side of things, that hack is still needed)

Thanks. I missed "sudo apparmor_parser …" and that was why it did not work before.

Hi @ogra,

The system-files interface did not work for me during the msg-queue create/write operation.
I was getting an AppArmor violation even after adding the configuration below to the yaml file.

```yaml
plugs:
  config-queue-access:
    interface: system-files
    read:
      - /msgq-name
    write:
      - /msgq-name
```

sudo snap connect myapp:config-queue-access

The system-files interface adds the lines below to the AppArmor policy.
"/msgq-name{,/,/**}" rk,
"/msgq-name{,/,/**}" rwkl,

But AppArmor still throws a violation.
= AppArmor =
Time: Aug 27 10:45:50
Log: apparmor="DENIED" operation="open" profile="snap.example" name="/msgq-name" pid=31504 comm="example" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
File: /msgq-name (write)
Suggestion:
adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

AppArmor allows message queue create/write when the line below is added to the policy file.
/msgq-name rw,

Let me know if I missed any configuration.

Well, does your snap actually try to create that file on the fly?

Yes. The POSIX message queue API/syscall "mq_open" does that the first time, as part of message queue creation.

And are you root, or do you use sudo (to gain rw privs for /) when starting the snap?

Not using sudo (root user). It works in normal user mode once the required seccomp and AppArmor policy is in place.
To work in sudo mode, the snap needs to be connected to the log-observe interface (to get the dac_override capability).
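
An added example, not code from any post in this thread: a small Python parser that classifies the two kinds of denial line quoted above (seccomp and AppArmor) and decodes the fields that tell you which layer blocked the call and what it blocked. The function name `parse_denial` and the lookup tables are this example's own; the numeric constants are taken from the Linux UAPI headers, and the sample input is the two log lines from the thread.

```python
import re

# Values from the Linux UAPI headers linux/seccomp.h and linux/audit.h.
SECCOMP_ACTIONS = {0x00000000: "KILL_THREAD", 0x80000000: "KILL_PROCESS",
                   0x00030000: "TRAP", 0x00050000: "ERRNO",
                   0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW"}
AUDIT_ARCHES = {0x40000028: "arm", 0xC00000B7: "aarch64",
                0x40000003: "i386", 0xC000003E: "x86_64"}
# Letters AppArmor uses in requested_mask/denied_mask for file rules.
AA_PERMS = {"r": "read", "w": "write", "a": "append", "c": "create",
            "d": "delete", "x": "exec", "m": "mmap-exec", "k": "lock", "l": "link"}

# Sample input: the two denial lines quoted in this thread.
SECCOMP_LINE = ('auid=4294967295 uid=0 gid=0 ses=4294967295 pid=776 comm=“myexample” '
                'exe="/snap/demo/x1/bin/myexample" sig=0 arch=40000028 '
                '277(mq_timedreceive) compat=0 ip=0xb6de9036 code=0x50000')
APPARMOR_LINE = ('apparmor=“DENIED” operation=“open” profile=“snap.example” '
                 'name="/msgq-name" pid=31504 comm=“example” requested_mask=“wrc” '
                 'denied_mask=“wrc” fsuid=1000 ouid=1000')


def parse_denial(line):
    """Classify one audit line as a seccomp or AppArmor denial and decode it."""
    # Forum software often turns pasted ASCII quotes into typographic ones.
    line = line.translate(str.maketrans("“”", '""'))
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    if f.get("apparmor") == "DENIED":
        return {"kind": "apparmor", "profile": f.get("profile"),
                "operation": f.get("operation"), "path": f.get("name"),
                "denied": [AA_PERMS.get(c, c) for c in f.get("denied_mask", "")]}
    # Raw kernel lines carry syscall=NR; the line in this thread shows NR(name).
    m = re.search(r'(?:syscall=)?(\d+)(?:\((\w+)\))?\s+compat=', line)
    if m and "arch" in f and "code" in f:
        arch, code = int(f["arch"], 16), int(f["code"], 16)
        return {"kind": "seccomp", "syscall_nr": int(m.group(1)),
                "syscall": m.group(2),
                "arch": AUDIT_ARCHES.get(arch, hex(arch)),
                "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, hex(code))}
    return None  # not a denial line this parser understands


if __name__ == "__main__":
    for sample in (SECCOMP_LINE, APPARMOR_LINE):
        print(parse_denial(sample))
```

For the seccomp line, the decoded action `ERRNO` means the filter made the syscall fail with an error code rather than killing the process, which is why the two layers have to be fixed separately: the seccomp profile for the syscall, the AppArmor profile for the queue name.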