Perl can't load libraries due to apparmor denial

Perl is in the core18 snap, and it’s accessible:

$ snap run --shell nextcloud.occ -c 'perl --help'
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

Usage: perl [switches] [--] [programfile] [arguments]
  -0[octal]         specify record separator (\0, if no argument)
  -a                autosplit mode with -n or -p (splits $_ into @F)
  -C[number/list]   enables the listed Unicode features
  -c                check syntax only (runs BEGIN and CHECK blocks)
  -d[:debugger]     run program under debugger
  -D[number/list]   set debugging flags (argument is a bit mask or alphabets)
  -e program        one line of program (several -e's allowed, omit programfile)
  -E program        like -e, but enables all optional features
  -f                don't do $sitelib/sitecustomize.pl at startup
  -F/pattern/       split() pattern for -a switch (//'s are optional)
  -i[extension]     edit <> files in place (makes backup if extension supplied)
  -Idirectory       specify @INC/#include directory (several -I's allowed)
  -l[octal]         enable line ending processing, specifies line terminator
  -[mM][-]module    execute "use/no module..." before executing program
  -n                assume "while (<>) { ... }" loop around program
  -p                assume loop like -n but print line also, like sed
  -s                enable rudimentary parsing for switches after programfile
  -S                look for programfile using PATH environment variable
  -t                enable tainting warnings
  -T                enable tainting checks
  -u                dump core after parsing program
  -U                allow unsafe operations
  -v                print version, patchlevel and license
  -V[:variable]     print configuration summary (or a single Config.pm variable)
  -w                enable many useful warnings
  -W                enable all warnings
  -x[directory]     ignore text before #!perl line (optionally cd to directory)
  -X                disable all warnings
  
Run 'perldoc perl' for more help with Perl.

However, confinement seems a bit too tight to actually do anything useful. Here’s an example failure:

snap run --shell nextcloud.occ -c "/usr/bin/perl /var/snap/nextcloud/22400/nextcloud/extra-apps/camerarawpreviews/vendor/exiftool/exiftool/exiftool -json -preview:all -FileType '/var/snap/nextcloud/common/nextcloud/data/admin/files/RAW_MINOLTA_7D_SRGB.MRW'"
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Can't load '/usr/lib/x86_64-linux-gnu/perl-base/auto/File/Glob/Glob.so' for module File::Glob: /usr/lib/x86_64-linux-gnu/perl-base/auto/File/Glob/Glob.so: failed to map segment from shared object at /usr/lib/x86_64-linux-gnu/perl-base/XSLoader.pm line 96.
 at /usr/lib/x86_64-linux-gnu/perl-base/File/Glob.pm line 68.
Compilation failed in require at /var/snap/nextcloud/22400/nextcloud/extra-apps/camerarawpreviews/vendor/exiftool/exiftool/exiftool line 941.
BEGIN failed--compilation aborted at /var/snap/nextcloud/22400/nextcloud/extra-apps/camerarawpreviews/vendor/exiftool/exiftool/exiftool line 941.
Undefined subroutine &main::SetWindowTitle called at /var/snap/nextcloud/22400/nextcloud/extra-apps/camerarawpreviews/vendor/exiftool/exiftool/exiftool line 343.
END failed--call queue aborted at /var/snap/nextcloud/22400/nextcloud/extra-apps/camerarawpreviews/vendor/exiftool/exiftool/exiftool line 941.

The denial looks like:

[ 7617.384840] audit: type=1400 audit(1596130625.608:242): apparmor="DENIED" operation="file_mmap" profile="snap.nextcloud.occ" name="/usr/lib/x86_64-linux-gnu/perl-base/auto/File/Glob/Glob.so" pid=92696 comm="perl" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Is there a way to get this to work?
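Added example (not part of the original post and not snapd code): a small Python parser for AppArmor denial lines like the one above, grouping denials by profile and path and decoding the mask letters. The function names, the `snap.example.app` profile and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Meaning of AppArmor file-permission letters in requested_mask/denied_mask.
MASK_MEANING = {"r": "read", "w": "write", "a": "append", "x": "execute",
                "m": "mmap with PROT_EXEC", "k": "lock", "l": "link"}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        # The audit subsystem hex-encodes names that contain spaces or
        # control characters and writes them without quotes.
        if key == "name" and quoted is None and HEX_RE.fullmatch(value):
            value = bytes.fromhex(value).decode("utf-8", "replace")
        fields[key] = value
    return fields

def summarize(lines):
    """Map (profile, path) to the sorted meanings of every denied permission."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d and "name" in d:
            grouped[(d.get("profile", "?"), d["name"])].update(d.get("denied_mask", ""))
    return {k: sorted(MASK_MEANING.get(c, c) for c in v) for k, v in grouped.items()}

# First line is the denial quoted in the post; the other two are constructed.
SAMPLE_LOG = [
    '[ 7617.384840] audit: type=1400 audit(1596130625.608:242): apparmor="DENIED" operation="file_mmap" profile="snap.nextcloud.occ" name="/usr/lib/x86_64-linux-gnu/perl-base/auto/File/Glob/Glob.so" pid=92696 comm="perl" requested_mask="m" denied_mask="m" fsuid=0 ouid=0',
    '[ 7620.000000] audit: type=1400 audit(1596130628.000:243): apparmor="DENIED" operation="open" profile="snap.example.app" name=2F746D702F612062 pid=1 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[ 7621.000000] audit: type=1400 audit(1596130629.000:244): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.example.app" pid=2 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for (profile, path), perms in summarize(SAMPLE_LOG).items():
        print(f"{profile}: {path} denied {', '.join(perms)}")
```

For the denial in the post this reports `mmap with PROT_EXEC` on `Glob.so`: the profile blocks mapping the shared object as executable, which is what the dynamic loader needs in order to load it.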

i do think perl in the base snap is a simple leftover oversight dependency from dpkg, iirc we only guarantee bash and a minimal python to be in the base snap …

i’d actually use

and ship the required perl modules in the snap …
(in fact i did exactly that last weekend in: https://github.com/ogra1/gscriptor-snap/blob/master/snap/snapcraft.yaml in case you need some prior art to copy from)

Is that documented anywhere?

That solution doesn’t work for us I’m afraid, but good info for others, thanks!

not sure, i just remember it from some meeting discussions when core was originally crafted … maybe it changed though i still don't think having perl in there is actually intentional (dpkg hard-depends on perl via debconf iirc and my guess would rather be that it was missed to remove it)

Well, it is in the policy because, yes, perl is/was there due to various tools, but like shell and python on the system, it is an interpreter that could be used and the decision to expose it to snaps was deliberate (at the time). core18 is released and the policy allows perl in some capacity, so we should not remove it and I’ve taken a todo to fix this denial in the next batch of policy updates.

I do recall more recent conversations than the initial perl decision that shell and python are maybe only what we want to offer, but there haven’t been any bugs or PRs to adjust the policy for this. The design of the fix is straightforward: only add perl stuff to the template if core, core18 or core20 (i.e., new bases won’t get it), but there are implementation details and other architectural considerations we would need to work through and have roadmapped before this could be implemented. cc @pedronis

Thank you @jdstrand, I appreciate the help. We’ll look forward to the policy updates.