Request for auto-connection for enonic


#21

Approved. Note you’ll still need to release it to a channel.


#22

Dear @reviewers,
Not sure if that’s the right place to ask, but I’m having troubles with home interface here:

1. enonic snap is invoked, creates a folder (i.e. myproject) inside the user home folder and puts a file named enonic.toml inside it
2. when enonic snap is run the next time it tries to read that file but is denied permission, although the file has 777 set

Therefore it looks to me that the snap wrapper forbids that operation, but isn’t that the sole purpose of the home interface?
If not, how can this be achieved?

Thanks in advance!


#23

Do you still have all the interfaces connected for your snap between the first and second invocation? What does snap connections enonic show?

Also, when you run the second time, do you see any denials in the system journal with journalctl -e --no-pager | grep DENIED?


#24

Nothing was done in regards to interfaces between the 2 invocations.

snap connections enonic prints out:

Interface       Plug                 Slot             Notes
home            enonic:home          :home            -
network         enonic:network       :network         -
network-bind    enonic:network-bind  :network-bind    -
personal-files  enonic:dot-enonic    :personal-files  -

journalctl -e --no-pager | grep DENIED prints out:

Aug 08 17:03:49 anatoly-HP-Spectre-x360-Convertible-15-ch0xx audit[25974]: AVC apparmor="DENIED" operation="open" profile="snap.enonic.enonic" name="/home/anatoly/workspace/enonic/projects/myproject/enonic.toml" pid=25974 comm="enonic" requested_mask="rc" denied_mask="rc" fsuid=0 ouid=1000
Aug 08 17:03:49 anatoly-HP-Spectre-x360-Convertible-15-ch0xx kernel: audit: type=1400 audit(1565273029.980:55): apparmor="DENIED" operation="open" profile="snap.enonic.enonic" name="/home/anatoly/workspace/enonic/projects/myproject/enonic.toml" pid=25974 comm="enonic" requested_mask="rc" denied_mask="rc" fsuid=0 ouid=1000

Ouch! Am I correct that AppArmor is the one to blame here?


#25

This indicates that the file was created with owner uid 0, i.e. root, and is being accessed by uid 1000, i.e. your normal user. Did you perhaps run the first command as sudo and the second one not as sudo?
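
The diagnosis above (process uid differs from file owner uid) can be read straight off the audit line. The following is an added example, not code from the thread or from the enonic snap: a small POSIX shell triage that pulls the fsuid/ouid, operation and profile fields out of AppArmor "DENIED" lines and prints a verdict. The sample lines are constructed to mirror the ones posted in this thread; the function and tag names are my own.

```sh
#!/bin/sh
# Added example, not code from the thread or the enonic snap: triage AppArmor
# "DENIED" audit lines the way post #25 reads them, by comparing the acting
# uid (fsuid) with the file owner uid (ouid) and looking at the operation.
# The sample lines below are constructed to mirror the ones posted in the thread.

# aa_field KEY LINE: print the value of KEY="value" or KEY=value from LINE.
# The leading [[:space:]] keeps "name=" from matching inside "capname=".
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# aa_diagnose LINE: print a one-line verdict whose first word (before ':')
# is a stable tag, so callers can branch on it.
aa_diagnose() {
    line=$1
    op=$(aa_field operation "$line")
    fsuid=$(aa_field fsuid "$line")
    ouid=$(aa_field ouid "$line")
    if [ -n "$fsuid" ] && [ -n "$ouid" ] && [ "$fsuid" != "$ouid" ]; then
        # The sudo/no-sudo mix-up from post #25: the process runs as one uid,
        # the file was created by another.
        echo "uid-mismatch: process uid $fsuid vs file owner uid $ouid on $(aa_field name "$line") (one run via sudo, the other not?)"
    elif [ "$op" = "exec" ]; then
        echo "exec-denied: profile $(aa_field profile "$line") may not execute $(aa_field name "$line")"
    elif [ "$op" = "capable" ]; then
        echo "capable-denied: $(aa_field profile "$line") lacks capability $(aa_field capname "$line")"
    else
        echo "other: operation=$op denied_mask=$(aa_field denied_mask "$line")"
    fi
}

# aa_triage: read audit lines on stdin (e.g. journalctl -e --no-pager | grep DENIED)
# and print one verdict per line.
aa_triage() {
    while IFS= read -r l; do
        aa_diagnose "$l"
    done
}

# Constructed samples, patterned on the thread's journal entries.
SAMPLE_OPEN='audit: type=1400 audit(1565273029.980:55): apparmor="DENIED" operation="open" profile="snap.enonic.enonic" name="/home/anatoly/workspace/enonic/projects/myproject/enonic.toml" pid=25974 comm="enonic" requested_mask="rc" denied_mask="rc" fsuid=0 ouid=1000'
SAMPLE_EXEC='[  659.714519] audit: type=1400 audit(1568036215.389:83): apparmor="DENIED" operation="exec" profile="snap.enonic.enonic" name="/home/anatoly/.enonic/distributions/enonic-xp-linux-sdk-7.1.0-B3/bin/server.sh" pid=4298 comm="enonic" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000'
SAMPLE_CAP='[23448.580537] audit: type=1400 audit(1568902184.524:384): apparmor="DENIED" operation="capable" profile="/snap/core/7713/usr/lib/snapd/snap-confine" pid=2820 comm="snap-confine" capability=4  capname="fsetid"'

printf '%s\n%s\n%s\n' "$SAMPLE_OPEN" "$SAMPLE_EXEC" "$SAMPLE_CAP" | aa_triage
```

Pipe real journal output into aa_triage to get the same verdicts; a uid-mismatch verdict is the signal to compare how the two invocations were started rather than to widen the snap's interfaces.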


#26

Spot on, @ijohnson!
It was vice versa actually, but that is likely the cause.
Can’t tell for sure now, because running enonic without sudo has some difficulties finding JAVA_HOME, but that is a whole new story.

Thanks a lot for the super snappy and helpful responses!


#27

Ah yes, you’re correct it was created by your normal user and wasn’t accessible by root. If for some reason you do need to access the normal user’s $HOME from root, you can do so with the home plug’s read attribute set to all, like so:

plugs:
  home:
    read: all

However this will also require a store assertion (can be requested from this topic again).


#28

We fixed the JAVA_HOME error and it now works like a charm everywhere we tested except Linux Mint!

Mint fails with the following journal entry when trying to execute server.sh file to start the web-server:

[  659.714519] audit: type=1400 audit(1568036215.389:83): apparmor="DENIED" operation="exec" profile="snap.enonic.enonic" name="/home/anatoly/.enonic/distributions/enonic-xp-linux-sdk-7.1.0-B3/bin/server.sh" pid=4298 comm="enonic" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

Have you seen that before @ijohnson?


#29

AFAIK, I think that is expected because I think the personal-files interface is intended to allow reading and writing of files, not executing files from the dotfiles directory. @jdstrand is that accurate?


#30

That’s correct. The personal-files and system-files interfaces are designed to give read or read/write access to files/directories as opposed to creating new work directories and the like.

In this particular case, I would suggest that the snap create a symlink from ~/.enonic/distributions to $SNAP_COMMON/dot-enonic/distributions or similar.


#31

Thanks @ijohnson and @jdstrand !
Will make necessary adjustments to app and report back.


#32

Tried your suggestion with symlink but with not much luck :(

Had to use $SNAP_USER_COMMON instead of $SNAP_COMMON though because the latter is owned by root.

Tried both hardlinking and softlinking $SNAP_USER_COMMON/dot-enonic to ~/.enonic.

Got the following journal entry for a softlink (that didn’t differ much from executing the bash script directly):

[23448.580537] audit: type=1400 audit(1568902184.524:384): apparmor="DENIED" operation="capable" profile="/snap/core/7713/usr/lib/snapd/snap-confine" pid=2820 comm="snap-confine" capability=4  capname="fsetid"
[23673.320116] audit: type=1400 audit(1568902409.264:385): apparmor="DENIED" operation="exec" profile="snap.enonic.enonic" name="/home/anatoly/.enonic/distributions/enonic-xp-linux-sdk-7.1.0/bin/server.sh" pid=3351 comm="enonic" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000

Also tried making a symlink to bash script directly that failed with similar error.

And here is what I got when trying to make a hardlink:

[24943.377804] audit: type=1400 audit(1568903679.263:436): apparmor="DENIED" operation="capable" profile="/snap/core/7713/usr/lib/snapd/snap-confine" pid=4807 comm="snap-confine" capability=4  capname="fsetid"
[24943.594068] audit: type=1400 audit(1568903679.479:437): apparmor="DENIED" operation="link" profile="snap.enonic.enonic" name="/home/anatoly/snap/enonic/common/dot-enonic" pid=4807 comm="enonic" requested_mask="xm" denied_mask="xm" fsuid=1000 ouid=1000 target="/home/anatoly/.enonic"


#33

Which direction are you creating the link? I think you should try making a symlink from inside ~/.enonic to $SNAP_USER_COMMON/dot-enonic; the other way around won’t work.


#34

I think I’m linking it the other way around because I want to execute the script from /home/anatoly/.enonic/distributions/enonic-xp-linux-sdk-7.1.0/bin/server.sh.

So if I make ~/.enonic -> $SNAP_USER_COMMON/dot-enonic what will be the script path to execute?


#35

I haven’t tried yet, but yes I think that should work
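
The layout posts #33 and #34 converge on, as an added example that is not the enonic snap's own code: the real directory lives under $SNAP_USER_COMMON/dot-enonic and ~/.enonic is the symlink that points into it, not the reverse. The script path the snap executes is unchanged (~/.enonic/distributions/.../bin/server.sh); the kernel resolves the symlink before the exec is mediated, so AppArmor checks the target path under $SNAP_USER_COMMON, which is why the link direction matters. The functions take the home and common directories as parameters so they can be exercised against a scratch tree; function names, the migration of a pre-existing real ~/.enonic, and the scratch paths are my assumptions.

```sh
#!/bin/sh
# Added example (not the enonic snap's own code): put the writable tree under
# $SNAP_USER_COMMON and make ~/.enonic a symlink pointing INTO it, which is the
# direction post #33 recommends. Paths are parameters so the functions can be
# run against a scratch directory instead of the real $HOME.

# ensure_dot_enonic_link HOME_DIR COMMON_DIR
#   Creates COMMON_DIR/dot-enonic (the real data) and HOME_DIR/.enonic -> it.
#   A pre-existing real ~/.enonic directory (the wrong layout from post #32)
#   is moved into COMMON_DIR first so nothing already unpacked is lost.
ensure_dot_enonic_link() {
    home_dir=$1
    common_dir=$2
    real_dir="$common_dir/dot-enonic"
    link="$home_dir/.enonic"

    mkdir -p "$common_dir"
    if [ -L "$link" ]; then
        # Already a symlink: accept it only if it resolves to real_dir.
        have=$(cd "$link" 2>/dev/null && pwd -P)
        want=$(cd "$real_dir" 2>/dev/null && pwd -P)
        if [ -n "$have" ] && [ "$have" = "$want" ]; then return 0; fi
        echo "error: $link is a symlink but not to $real_dir" >&2
        return 1
    fi
    if [ -d "$link" ]; then
        # Real directory in the wrong place: migrate it rather than link onto it.
        if [ -e "$real_dir" ]; then
            echo "error: both $link and $real_dir exist; merge them by hand" >&2
            return 1
        fi
        mv "$link" "$real_dir"
    fi
    mkdir -p "$real_dir/distributions"
    ln -s "$real_dir" "$link"
}

# resolved_server_script HOME_DIR RELPATH
#   Prints the path the kernel (and therefore AppArmor) actually evaluates when
#   the snap execs ~/.enonic/RELPATH: with the symlink in place the result is
#   under $SNAP_USER_COMMON, not under ~/.enonic.
resolved_server_script() {
    script="$1/.enonic/$2"
    dir=$(cd "$(dirname "$script")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$script")"
}

# Stand-alone demonstration against a scratch tree (no real $HOME is touched).
demo_symlink_layout() {
    scratch=$(mktemp -d)
    home="$scratch/home"
    common="$home/snap/enonic/common"   # what $SNAP_USER_COMMON expands to
    sdk="distributions/enonic-xp-linux-sdk-7.1.0/bin"
    # Simulate the layout from post #32: a real ~/.enonic with the SDK in it.
    mkdir -p "$home/.enonic/$sdk"
    printf '#!/bin/sh\necho server started\n' > "$home/.enonic/$sdk/server.sh"
    chmod +x "$home/.enonic/$sdk/server.sh"
    ensure_dot_enonic_link "$home" "$common" || return 1
    # Same ~/.enonic/... path as before; printed path is the resolved target.
    resolved_server_script "$home" "$sdk/server.sh"
    rm -rf "$scratch"
}
demo_symlink_layout
```

Inside the snap's wrapper the call would be ensure_dot_enonic_link "$HOME" "$SNAP_USER_COMMON"; the hard-link variant from post #32 is not an option, since the journal there shows the link operation itself being denied.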