New interface to allow ptrace for WINE-based snaps?

n8marti · May 24, 2023, 5:15pm

I’ve tried to snap a few apps for my organization that are able to run under WINE. They tend to rely on .NET Framework. Invariably I get everything to work in devmode, but confinement blocks the apps from working properly. The blocker I have repeatedly seen is a call to System.Diagnostics.NtProcessManager.GetModuleInfos(), which apparently uses ptrace according to snappy-debug.

So I would love for there to be some kind of interface available that would allow a WINE-based app to handle this and similar ptrace-based calls. Is this even possible? Would anyone else benefit from this?

n8marti · May 24, 2023, 5:18pm

There has been previous discussion here, but it seems to have been Steam-specific.

n8marti · February 10, 2025, 2:27pm

Maybe the problem is broader than ptrace. I also get a failure with the wine call `System.Diagnostics.NtProcessManager.EnumProcessModulesUntilSuccess():

0168:err:eventlog:ReportEventW L"Description: The process was terminated due to an unhandled exception.\n"
0168:err:eventlog:ReportEventW L"Exception Info: System.ComponentModel.Win32Exception (5): Acc\00e8s refus\00e9.\r\n"
0168:err:eventlog:ReportEventW L"   at System.Diagnostics.NtProcessManager.EnumProcessModulesUntilSuccess(SafeProcessHandle processHandle, IntPtr[] modules, Int32 size, Int32& needed, Int32 filterFlag)\r\n"
0168:err:eventlog:ReportEventW L"   at System.Diagnostics.NtProcessManager.GetModules(Int32 processId, Boolean firstModuleOnly)\r\n"
0168:err:eventlog:ReportEventW L"   at System.Diagnostics.NtProcessManager.GetFirstModule(Int32 processId)\r\n"
0168:err:eventlog:ReportEventW L"   at LDLS4.OurApp.Main(String[] astrArgs)\n"

But snappy-debug doesn’t show any ptrace-related denials. Maybe that’s because this test was run with system-observe and system-trace interfaces connected. In fact, the only denial that seems to show up at about the same time as the crash is sched_setaffinity:

= Seccomp =
Time: 2025-02-10T15:2
Log: auid=1000 uid=1000 gid=1001 ses=4 subj=snap.oudedetai.logos pid=371344 comm="wineserver" exe="/snap/oudedetai/x1/bin/wineserver" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x79701016874b code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

But its suggestion leads me to believe that it’s not really the issue.

n8marti · February 10, 2025, 2:30pm

Oh, no. I can re-confirm the ptrace denial if I run snappy-debug like this:

$ sudo journalctl --output=short --follow --all | sudo snappy-debug --only-snap=oudedetai

= Seccomp =
Time: Feb 10 15:28:41
Log: auid=1000 uid=1000 gid=1001 ses=4 subj=snap.oudedetai.logos pid=373939 comm="wineserver" exe="/snap/oudedetai/x1/bin/wineserver" sig=0 arch=c000003e 101(ptrace) compat=0 ip=0x760e26f260fd code=0x50000
Syscall: ptrace