No read from fifo device in snap packaged app

keshavnrj · July 4, 2019, 8:08am

I use FIFO device file where data is written using some process, data write gives no denials but when i try to read from fifo file apparmor block it, is there a interface already to get the permission to do this ?

reproduction : snap install olivia-test
snap run olivia-test.olivia
add two tracks , play first track and wait for EOF of track (here mpv will give EOF signal as tracks ends i catch that signal by reading fifo file and send playnext command). here the eof signal is blocked from reading by apparmor (see debug of snappy-debug.security scanlog for denials)
debug : sudo snappy-debug.security scanlog

https://github.com/keshavbhatt/olivia/issues/44
(in the source code of olivia radio.cpp is file where one might be interested to look)

chipaca · July 4, 2019, 8:13am

What does the denial look like?

keshavnrj · July 4, 2019, 4:35pm

= AppArmor =
    Time: Jul  3 04:01:32
    Log: apparmor="DENIED" operation="file_perm" profile="snap.olivia-test.olivia" name="/home/bulld/snap/olivia-test/114/.local/share/org.keshavnrj.ubuntu/Olivia/fifos/1562106609366.fifo" pid=21796 comm="socat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /home/bulld/snap/olivia-test/114/.local/share/org.keshavnrj.ubuntu/Olivia/fifos/1562106609366.fifo (read)

this is how the Denial look like

keshavnrj · July 4, 2019, 4:39pm

app runs perfectly fine in --devmode
i use socat to write data to fifo file and in non confined state the write gives me data i want, but if confined inside snap it refuses to read. I can confirm that i can write data to fifo (tested in other cases) but cannot read from it.

chipaca · July 8, 2019, 8:43am

Are you trying to read from a user’s fifo as root?

keshavnrj · July 8, 2019, 9:01am

Solved the issue by creating fifo file in /tmp directory instead of /home/user/snap/app/.local/share/

jdstrand · July 8, 2019, 8:26pm

I’m glad you got this working, but for future reference, the reason why it didn’t is because the object uid (ouid) if the fifo did not match the fsuid (typically the same as the euid) of the process accessing the fifo. The home interface requires ‘owner’ match, so because fsuid!=ouid, the access was denied. /tmp doesn’t require owner match, so it worked.

As an aside, you may want to look into why your fifo was created by a root-owned process and if you want non-root processes to access it without some sort additional safeguards since while with what you have other snaps won’t be to access the fifo, other non-snap processes will.

keshavnrj · July 8, 2019, 10:01pm

thanks for describing it @jdstrand but i didn’t wrote file with root . it was just mkfifo command. am still using the same command but the thing that i changed is the location of file. it was in home dir first and not its in /tmp .

jdstrand · July 8, 2019, 10:22pm

Something did since its ouid was 0. Perhaps you used sudo at some point or an errant chmod?