Permission denied error when running a daemon


#1

I’m currently trying to make a snap for the pcsc-lite-daemon. The package works flawlessly when using “devmode” but i can’t make the daemon run when using strict confinement:

Mär 06 19:59:49 desktop audit[28118]: AVC apparmor="DENIED" operation="chmod" profile="snap.pcsc-lite.pcscd" name="/run/pcscd/" pid=28118 comm="pcscd" requested_mask="w" denied_mask="w" fsuid=0 o
Mär 06 19:59:49 desktop audit[28118]: AVC apparmor="DENIED" operation="mknod" profile="snap.pcsc-lite.pcscd" name="/run/pcscd/pcscd.pid" pid=28118 comm="pcscd" requested_mask="c" denied_mask="c" 
Mär 06 19:59:49 desktop audit[28118]: AVC apparmor="DENIED" operation="mknod" profile="snap.pcsc-lite.pcscd" name="/run/pcscd/pcscd.comm" pid=28118 comm="pcscd" requested_mask="c" denied_mask="c"
Mär 06 19:59:49 desktop pcsc-lite.pcscd[28118]: 00000000 pcscdaemon.c:697:main() cannot create /var/run/pcscd/pcscd.pid: Permission denied
Mär 06 19:59:49 desktop pcsc-lite.pcscd[28118]: 00000033 winscard_msg_srv.c:148:InitializeSocket() Unable to bind common socket: Permission denied
Mär 06 19:59:49 desktop pcsc-lite.pcscd[28118]: 00000003 pcscdaemon.c:722:main() Error initializing pcscd.
Mär 06 19:59:49 desktop pcsc-lite.pcscd[28118]: 00000004 pcscdaemon.c:816:clean_temp_files() Cannot remove /var/run/pcscd/pcscd.comm: No such file or directory
Mär 06 19:59:49 desktop pcsc-lite.pcscd[28118]: 00000004 pcscdaemon.c:822:clean_temp_files() Cannot remove /var/run/pcscd/pcscd.pid: No such file or directory
Mär 06 19:59:49 desktop systemd[1]: snap.pcsc-lite.pcscd.service: Main process exited, code=exited, status=1/FAILURE
Mär 06 19:59:49 desktop systemd[1]: snap.pcsc-lite.pcscd.service: Failed with result 'exit-code'.
Mär 06 19:59:49 desktop systemd[1]: snap.pcsc-lite.pcscd.service: Service hold-off time over, scheduling restart.
Mär 06 19:59:49 desktop systemd[1]: snap.pcsc-lite.pcscd.service: Scheduled restart job, restart counter is at 5.

Here is my apps-section for the daemon:

apps:
  pcscd:
    command: usr/sbin/pcscd --foreground --auto-exit
    daemon: simple
    plugs:
      - hardware-observe
      - network
      - network-bind

#2

Snaps cannot use chown because they don’t know what kind of users are available and because snapd doesn’t currently model the ability to introduce per-service users. For now it is best to adjust your code to avoid those calls, or, if posisble, to ignore the error.


#3

I understand. But what about the other errors?


#4

Your snap can’t write to /run/ and /var/run/ in strictly confined mode. Can you change the directory it uses with an environment variable maybe? If you can set it to something like $SNAP_DATA/var/run/, it should work.

If that’s not possible, you may be able to use layouts to map /var/run/pcscd to $SNAP_DATA, but I’m not 100% sure.


#5

typically apps should use the XDG_RUNTIME_DIR env variable to find /run …

try to set that var in your app entry in snapcraft.yaml to point to some writable location … if your binary follows standards it should pick that up and not try to write to /run (or the symlinked /var/run) anymore …


#6

Thanks for the answers. I’m trying to patch the daemon (pcsc-lite) so can use XDG_RUNTIME_DIR. The original source code uses a hard-coded directory (a “USE_IPC_DIR”-define).

Edit:

How can i create the directory “/run/user/0/snap.pcsc-lite” on startup or installation of the snap-package?


#7

Problem solved. Snap is now working as excepted. I’m closing this thread.

Edit:

The solution was to set the directory to “/run/snap.pcsc-lite”.