It turns out that is not gonna be easy as I though. I am struggling a little bit now working with strict mode. I am getting a ‘permission denied’ when running the app produced by a Unix socket the application tries to create when starting. it is using ‘@calibre-singleinstance-1000-GUI’ as socket name and Apparmor blocks it by default.
Oct 31 13:25:51 gpl-01 kernel: [ 5535.875825] audit: type=1400 audit(1604150751.198:5152): apparmor=“DENIED” operation=“bind” profile=“snap.calibre.calibre” pid=13630 comm=“calibre” family=“unix” sock_type=“stream” protocol=0 requested_mask=“bind” denied_mask=“bind” addr=“@calibre-singleinstance-1000-GUI”
For debugging purposes I tried to create the socket by hand from a Python interpreter inside the snap with the same name and, as expected, it failed. However, If I use ‘snap.calibre.calibre’ as name it works. I’ve been digging into the Calibre code and I found where is that socket name being defined (calibre/src/calibre/utils/lock.py at master · kovidgoyal/calibre · GitHub). I was hopping to find the possibility of overwritting the value via env var, for example, but sadly it is hard coded. The possibilities now are 3:
-
Research on how to configure the Snap plugs for allowing to bind a socket with that name. For now I’ve tried the plugs ‘network’, ‘network-bind’ and ‘network-observe’ + some hours of research on the internet with no luck.
-
Install Calibre using the source code (not the ‘compiled’ version I am installing) and then use gnu/patch or git to modify the function that is setting the socket name for matching with what Apparmor expects from snap. I don’t like this option as it adds complexity to the snapcraft.yml file and more stuff to maintain between versions.
-
Prepare a PR on the Calibre repo with a change that allows to overwrite that value. The codebase of Calibre is quite complex and doing this will take some time apart from the fact that your PR would require to be approved (which I doubt it would happen in a reasonable amount of time).
For now I am focusing on the point 1 but I ran out of ideas for the moment. 