Necessary Interfaces for use of execve / execlp

Hi, for learning and test purposes I am trying to start a binary from a snap program with the system call execlp. I already added the following interfaces: system-observe, process-control, home, desktop and system-files with the read and write directories /usr (since the binary I want to start is in $PATH). I connected all of them. But still I get with snap-debuggy:

= AppArmor =
Time: 2024-11-04T11:0
Log: apparmor="DENIED" operation="open" class="file" profile="snap-update-ns.snap-path-abuse" name="/proc/3311/maps" pid=3311 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/3311/maps (read)
Suggestion:

  • adjust program to not access '@{PROC}/@{pid}/maps'

followed by a list of ==Seccomp==

profile="snap-update-ns.snap-path-abuse" indicates a separate profile applied to the snap-update-ns helper. Not sure why you observe that, as the fix landed almost 9 months ago in "interfaces/apparmor: update apparmor template of s-u-n for changes in Go" (canonical/snapd@97c061f on GitHub) and is available since 2.62.

What version of snapd do you have in the system?

Hi, that’s my present snap:

snap    2.65.3+24.04
snapd   2.65.3+24.04
series  16
ubuntu  24.04
kernel  6.8.0-48-generic

Hi, interestingly my program seems to work when I run snap run --shell program; but when I try to run it regularly it doesn't find the file I want to run. Also I tried execve, to exclude problems with the $PATH variable, same story.

Note that snaps run within a sandbox, so the contents of /usr/bin, /bin, etc will look different within the sandbox compared to outside. In this case, it isn’t an issue of being allowed to use execve/execlp: the binary you want to call doesn’t exist as far as the snap is concerned.

If there is a particular binary you want to call, you could include it in your snap. If you want to be able to call arbitrary binaries, that won’t easily fit within the strict confinement model for snaps.
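The distinction drawn in the two replies above (the binary is absent from the snap's mount namespace versus the exec being blocked by confinement) shows up directly in the errno that exec reports in the child. The following C program is an added example, not code from the thread or from snapd; it forks, runs the target through PATH lookup (execvp, the argv-array sibling of the execlp the poster uses), and passes the child's errno back over a close-on-exec pipe so the parent can tell ENOENT ("not visible in the sandbox") apart from EACCES/EPERM ("present but denied"). The program name on the command line and the outcome labels are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of trying to execute a program from inside the sandbox (labels are this example's). */
enum exec_outcome {
    EXEC_RAN,          /* exec succeeded; the child's exit status is recorded */
    EXEC_NOT_FOUND,    /* ENOENT: binary is not visible in the snap's mount namespace */
    EXEC_DENIED,       /* EACCES/EPERM: binary is present but blocked (AppArmor, mode bits) */
    EXEC_OTHER_ERROR   /* anything else; see exec_errno */
};

struct exec_result {
    enum exec_outcome outcome;
    int exec_errno;    /* errno from execvp in the child, 0 when exec succeeded */
    int exit_status;   /* child's exit code when outcome == EXEC_RAN, else -1 */
};

static enum exec_outcome classify_errno(int err)
{
    switch (err) {
    case 0:      return EXEC_RAN;
    case ENOENT: return EXEC_NOT_FOUND;
    case EACCES:
    case EPERM:  return EXEC_DENIED;
    default:     return EXEC_OTHER_ERROR;
    }
}

/* Fork and exec `file` with `argv` via PATH lookup. The child writes its exec errno
 * into a pipe whose write end is close-on-exec: if exec succeeds the pipe closes
 * without data, so a zero-length read in the parent means "the program ran". */
struct exec_result run_program(const char *file, char *const argv[])
{
    struct exec_result r = { EXEC_OTHER_ERROR, 0, -1 };
    int pfd[2];
    if (pipe(pfd) < 0) { r.exec_errno = errno; return r; }
    fcntl(pfd[1], F_SETFD, FD_CLOEXEC);

    pid_t pid = fork();
    if (pid < 0) { r.exec_errno = errno; close(pfd[0]); close(pfd[1]); return r; }
    if (pid == 0) {
        close(pfd[0]);
        execvp(file, argv);
        int err = errno;                      /* only reached when exec failed */
        (void)!write(pfd[1], &err, sizeof err);
        _exit(127);
    }
    close(pfd[1]);

    int err = 0;
    ssize_t n = read(pfd[0], &err, sizeof err);
    close(pfd[0]);
    int status = 0;
    waitpid(pid, &status, 0);

    if (n == (ssize_t)sizeof err) {
        r.exec_errno = err;
        r.outcome = classify_errno(err);
    } else {
        r.outcome = EXEC_RAN;
        r.exit_status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    }
    return r;
}

static const char *outcome_name(enum exec_outcome o)
{
    switch (o) {
    case EXEC_RAN:       return "ran";
    case EXEC_NOT_FOUND: return "not found in this mount namespace (ENOENT)";
    case EXEC_DENIED:    return "present but denied (EACCES/EPERM)";
    default:             return "other error";
    }
}

/* Usage: ./probe <program> [args...]; run it under `snap run --shell` and under a
 * normal `snap run` to compare what the sandbox sees. */
int main(int argc, char *argv[])
{
    if (argc < 2) { fprintf(stderr, "usage: %s <program> [args...]\n", argv[0]); return 2; }
    struct exec_result r = run_program(argv[1], &argv[1]);
    printf("%s: %s", argv[1], outcome_name(r.outcome));
    if (r.outcome == EXEC_RAN) printf(", exit status %d\n", r.exit_status);
    else printf(" [%s]\n", strerror(r.exec_errno));
    return r.outcome == EXEC_RAN ? 0 : 1;
}
```

When the snap-confined run reports ENOENT while the same command under snap run --shell also fails, the fix is to ship the binary inside the snap (stage-packages or a part), not to add more interfaces; only an EACCES/EPERM result points at confinement.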