I use a FIFO device file where data is written by some process. The data write gives no denials, but when I try to read from the FIFO file, AppArmor blocks it. Is there an interface already to get the permission to do this?
Reproduction: snap install olivia-test
snap run olivia-test.olivia
Add two tracks, play the first track and wait for the EOF of the track (here mpv gives an EOF signal as the track ends; I catch that signal by reading the FIFO file and send the playnext command). Here the EOF signal is blocked from being read by AppArmor (see the output of snappy-debug.security scanlog for the denials). Debug: sudo snappy-debug.security scanlog
The app runs perfectly fine in --devmode.
I use socat to write data to the FIFO file, and in the non-confined state the write gives me the data I want, but when confined inside the snap it refuses to read. I can confirm that I can write data to the FIFO (tested in other cases) but cannot read from it.
I’m glad you got this working, but for future reference, the reason why it didn’t is because the object uid (ouid) of the fifo did not match the fsuid (typically the same as the euid) of the process accessing the fifo. The home interface requires an ‘owner’ match, so because fsuid != ouid, the access was denied. /tmp doesn’t require an owner match, so it worked.
As an aside, you may want to look into why your fifo was created by a root-owned process, and whether you want non-root processes to access it without some sort of additional safeguards, since while with what you have other snaps won’t be able to access the fifo, other non-snap processes will.
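The two checks a practitioner would want when diagnosing this kind of denial, as an added example that is not code from the thread or from snapd: compare the FIFO's owner uid with the calling process's effective uid (what the `owner` qualifier in the home interface's AppArmor rules matches on), and pull the `fsuid=`/`ouid=` fields out of an AppArmor DENIED log line so an owner mismatch is visible after the fact. It assumes a `stat` that accepts `-c %u` (GNU coreutils or busybox); the sample denial line, its path, pid and uids are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread): owner-match diagnostics for a FIFO
# under the snap `home` interface. AppArmor's `owner` qualifier compares the
# accessing task's fsuid with the file's owner uid (ouid); when they differ the
# rule does not match and the access is denied.

# Return 0 if the file at $1 is owned by the current euid (owner match holds),
# 1 if the uids differ, 2 if the path does not exist.
fifo_owner_matches() {
    path=$1
    [ -e "$path" ] || return 2
    ouid=$(stat -c %u "$path")   # assumption: stat supports -c (coreutils/busybox)
    fsuid=$(id -u)               # fsuid normally equals the effective uid
    [ "$ouid" = "$fsuid" ]
}

# Given one AppArmor audit line in $1, print "ouid fsuid" and return 0 when they
# differ (an owner-mismatch denial), 1 when they match or either field is absent.
denial_owner_mismatch() {
    line=$1
    ouid=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]ouid=\([0-9]*\).*/\1/p')
    fsuid=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]fsuid=\([0-9]*\).*/\1/p')
    [ -n "$ouid" ] && [ -n "$fsuid" ] || return 1
    printf '%s %s\n' "$ouid" "$fsuid"
    [ "$ouid" != "$fsuid" ]
}

# Constructed sample in the field layout AppArmor audit lines use; the profile
# name follows the thread, the path, pid and uids are made up for illustration.
SAMPLE_DENIAL='apparmor="DENIED" operation="open" profile="snap.olivia-test.olivia" name="/home/user/mpv.fifo" pid=4242 comm="olivia" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

main() {
    dir=$(mktemp -d)
    mkfifo "$dir/demo.fifo"          # created by this user, so ouid == fsuid
    if fifo_owner_matches "$dir/demo.fifo"; then
        echo "owner match holds for $dir/demo.fifo"
    else
        echo "owner mismatch: $dir/demo.fifo is not owned by uid $(id -u)"
    fi
    rm -rf "$dir"
    if denial_owner_mismatch "$SAMPLE_DENIAL" >/dev/null; then
        echo "sample denial is an owner mismatch (ouid != fsuid): home interface will not match"
    fi
}

main "$@"
```

Running it against a FIFO created with `mkfifo` by the same user reports a match; feeding `denial_owner_mismatch` the lines that `snappy-debug.security scanlog` or `journalctl -k` show tells you at a glance whether a denial is an owner mismatch rather than a missing interface.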
Thanks for describing it @jdstrand, but I didn’t write the file with root. It was just the mkfifo command. I am still using the same command, but the thing that I changed is the location of the file. It was in the home dir first and now it’s in /tmp.