Hi,
for learning and test purposes I am trying to start a binary from a snap program with the system call execlp.
I already added the following interfaces: system-observe, process-control, home, desktop and system-files with the read and write directories /usr (since the binary I want to start is in $PATH). I connected all of them. But I still get this with snappy-debug:
= AppArmor =
Time: 2024-11-04T11:0
Log: apparmor="DENIED" operation="open" class="file" profile="snap-update-ns.snap-path-abuse" name="/proc/3311/maps" pid=3311 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /proc/3311/maps (read)
Suggestion:
adjust program to not access '@{PROC}/@{pid}/maps'
Hi,
interestingly, my program seems to work when I run snap run --shell program, but when I try to run it regularly it doesn't find the file I want to run. I also tried execve, to exclude problems with the $PATH variable; same story.
Note that snaps run within a sandbox, so the contents of /usr/bin, /bin, etc. will look different within the sandbox compared to outside. In this case, it isn’t an issue of being allowed to use execve/execlp: the binary you want to call doesn’t exist as far as the snap is concerned.
If there is a particular binary you want to call, you could include it in your snap. If you want to be able to call arbitrary binaries, that won’t easily fit within the strict confinement model for snaps.
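An added example, not part of the thread and not code from any poster: a small C launcher that resolves a command against the filesystem the process actually sees before calling exec, so that "not present in the sandbox" (ENOENT) is reported separately from a permission failure. The helper name `resolve_in_dirs` is hypothetical, and the `$SNAP/bin` and `$SNAP/usr/bin` locations are an assumption about where a snap would ship a bundled binary.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Search a colon-separated directory list for an executable called `name`.
 * Returns 0 and leaves the full path in `out` when one is found. Otherwise
 * returns EACCES if a candidate exists but is not executable by this user,
 * or ENOENT if no directory visible to this process contains it. */
int resolve_in_dirs(const char *name, const char *dirs, char *out, size_t outlen)
{
    int result = ENOENT;
    for (const char *p = dirs; *p != '\0'; ) {
        size_t len = strcspn(p, ":");          /* length of this directory */
        if (len > 0 &&
            snprintf(out, outlen, "%.*s/%s", (int)len, p, name) < (int)outlen) {
            if (access(out, X_OK) == 0)
                return 0;
            if (errno == EACCES)
                result = EACCES;
        }
        p += len;
        if (*p == ':')
            p++;                               /* step over the separator */
    }
    return result;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "sh";
    const char *snap = getenv("SNAP");         /* set by snapd inside a snap */
    const char *path = getenv("PATH");
    char dirs[4096], found[4096];
    /* Snap's own tree first (assumed layout), then the PATH this process has.
     * Outside a snap SNAP is unset and the prefix degrades to /bin:/usr/bin. */
    snprintf(dirs, sizeof dirs, "%s/bin:%s/usr/bin:%s",
             snap ? snap : "", snap ? snap : "", path ? path : "/usr/bin:/bin");
    int err = resolve_in_dirs(name, dirs, found, sizeof found);
    if (err != 0) {
        fprintf(stderr, "%s: %s\n", name, strerror(err));
        return 127;
    }
    execl(found, name, (char *)NULL);
    perror(found);                             /* reached only if exec failed */
    return 126;
}
```

Running it once from the snap's normal entry point and once from a host shell shows which names resolve in each view of the filesystem.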