Manual review for snap

I suspect that snapcraft’s support for stripping execstack only works on the native architecture - since in this case metasploit includes binaries for other architectures that are non-amd64 then I don’t think it will be able to strip that itself. For now I have manually approved the various revisions but note that every future upload of your snap to the store will likely still get blocked for manual revision whilst these problematic files are still there. There are a number of ways this can be dealt with:

  1. Stick with the status quo and accept that each upload will get blocked and require manual intervention from the reviewers team
  2. Remove these files from the snap via something like the prime directive for the associated part with something like the following, but obviously then these will not be available for the snap to use and so will reduce its functionality a bit:
    prime:
      # remove files with execstack to keep review-tools happy
      - -opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.18/build/mips-linux-muslsf/bin/mettle
      - -opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.18/build/mips-linux-muslsf/bin/sniffer
      - -opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.18/build/mipsel-linux-muslsf/bin/mettle
      - -opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.18/build/mipsel-linux-muslsf/bin/sniffer
  3. Manually run execstack --clear-execstack on the affected files during the build so that hopefully this can remove this property and allow them to pass automated review (but note this is likely what snapcraft is already doing, which it seems is not working so this likely will also not actually work) - and I suspect this may then actually break the functionality of these libraries since they are likely execstack for a reason.
  4. Request to have an override added to the review-tools for the snap so that it can pass automated review

Thanks
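As an added example (mine, not the reviewer's and not snapcraft's or review-tools' own code): a Python check that reads PT_GNU_STACK straight out of the ELF program headers of every file under a directory, so it gives the same answer for foreign-architecture builds such as the mips and mipsel mettle binaries as for native ones, and can be run over prime/ before an upload. The directory layout and the sample ELF images are constructed for the demo, and binaries with no PT_GNU_STACK at all ('?') are reported alongside executable-stack ones on the assumption that a packager would rather see them than miss them.

```python
import struct
import tempfile
from pathlib import Path

PT_GNU_STACK, PF_X = 0x6474E551, 0x1   # stack-permission program header and its executable bit

def stack_verdict(data: bytes):
    """Mirror execstack -q: 'X' executable stack, '-' cleared, '?' no PT_GNU_STACK; None if not ELF."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return None
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")   # ei_class, ei_data (1 = LSB, 2 = MSB)
    try:
        fmt, phoff_at, phnum_at = (end + "Q", 0x20, 0x36) if is64 else (end + "I", 0x1C, 0x2A)
        phoff = struct.unpack_from(fmt, data, phoff_at)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, phnum_at)
        for i in range(phnum):
            off = phoff + i * phentsize
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]  # Elf64: 2nd field, Elf32: 7th
            if p_type == PT_GNU_STACK:
                return "X" if p_flags & PF_X else "-"
    except struct.error:   # truncated or malformed headers
        return None
    return "?"

def find_execstack(root):
    """Walk a tree (e.g. the snap's prime/ dir) and report ELF files whose stack is executable or unmarked."""
    files = (p for p in Path(root).rglob("*") if p.is_file() and not p.is_symlink())
    verdicts = {p.relative_to(root).as_posix(): stack_verdict(p.read_bytes()) for p in files}
    return {rel: v for rel, v in verdicts.items() if v in ("X", "?")}

def make_elf32(little, stack_flags=None):
    """Constructed sample: minimal 32-bit MIPS ELF with one PT_GNU_STACK header (None omits it)."""
    end, phnum = ("<" if little else ">"), (0 if stack_flags is None else 1)
    ident = b"\x7fELF\x01" + bytes([1 if little else 2, 1]) + b"\x00" * 9
    hdr = struct.pack(end + "HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)  # e_machine 8 = EM_MIPS
    ph = struct.pack(end + "8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags or 0, 16)
    return ident + hdr + (ph if phnum else b"")

def demo():
    """Write constructed samples into a scratch tree and scan it as if it were prime/."""
    root = Path(tempfile.mkdtemp())
    samples = {"mips-linux-muslsf/bin/mettle": make_elf32(False, 7),     # big-endian, RWE stack -> X
               "mipsel-linux-muslsf/bin/mettle": make_elf32(True, 7),    # little-endian, RWE stack -> X
               "mipsel-linux-muslsf/bin/cleared": make_elf32(True, 6),   # RW stack -> '-', not reported
               "mips-linux-muslsf/bin/unmarked": make_elf32(False)}      # no PT_GNU_STACK -> '?'
    for rel, blob in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(blob)
    return find_execstack(root)
```

Pointing find_execstack at a real prime/ directory lists the paths to put in the prime directive, or to post with an override request, without relying on the build host's architecture.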
