How to execute binaries inside a Snap app

I have been going back and forth in "Cannot publish an electron app" for many days trying to figure out how to get my Electron app to work with Snap. I eventually moved from electron-forge to electron-builder, just for the Snap build, and did some workarounds to be able to build `--destructive-mode`, and I now have a built Snap app published with the name swach.

However, as part of the Electron app, we bundle the scrot binary as part of electron-color-picker. When we try to execute it, it does not seem to have the permissions it needs to run under Snap.

Is there a way to whitelist binaries shipped with the app or do we need to somehow use a stage package instead or something?

This is where the scrot binary is called in electron-color-picker https://github.com/mockingbot/electron-color-picker/blob/master/source/linux/linux-scrot/index.js#L7. My first thought was perhaps we could make that path configurable, and ship scrot as a stage package in the Snap app, then switch the path out.

My next thought was we could add the existing bundled scrot from inside electron-color-picker to the `parts` for the app or something. Perhaps something like:

parts:
  scrot:
    plugin: dump
    source: app/resources/app.asar.unpacked/node_modules/electron-color-picker/library/linux/linux-scrot/scrot

This is all purely speculation, as I am not very familiar with Snap, and I would love some help figuring out how to successfully get this binary to run, please! Thanks in advance! 🙂

What are the filesystem permissions on the scrot binary once you’ve built your snap? There is no “allow-list” nor “deny-list”; if a program exists inside your snap then you can call it from the context of your snap. The only limits are with interaction with the outside world via the confinement rules and the filesystem permissions allowing read or execute¹.

¹Note that the writable permission is not controlled via the relevant filesystem permission bit for files shipped in the snap package because the package is read-only anyway.

@daniel scrot takes screenshots, so it likely needs permissions for the outside world in some way. Here is the info from the previous post on permissions:

It appears the permissions on scrot are for root:

-rwxr-xr-x 1 root root 27928 May 19 13:46 /snap/swach/19/app/resources/app.asar.unpacked/node_modules/electron-color-picker/library/linux/linux-scrot/scrot

And it appears the run/user/1000/snap.swach where it saves the screenshot has these permissions:

drwx------ 4 rwwagner90 rwwagner90 100 May 19 14:04 snap.swach

I am not sure if they both need to be root, or both should be my user or what.

Is there a specific way you wanted me to check permissions? This was running `ls -l` on the files, but I’m unsure if those permissions even apply inside Snap, since of course this is executable directly.

In the previous post you recommended I run:

snap run --shell swach /snap/swach/current/app/resources/app.asar.unpacked/node_modules/electron-color-picker/library/linux/linux-scrot/scrot

I ran that and got `cannot execute binary file`. How might I allow Snap to execute this file?

Curious, from outside the snap, what is the output of `file /snap/swach/current/app/resources/app.asar.unpacked/node_modules/electron-color-picker/library/linux/linux-scrot/scrot`?

@jdstrand

/snap/swach/current/app/resources/app.asar.unpacked/node_modules/electron-color-picker/library/linux/linux-scrot/scrot: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a3f6c2a8ca69d878895beb573f65b2d9b5268fdf, stripped

@jdstrand is that what you were expecting to see?