Request for classic confinement for gradle

Hi @reviewers,

I’ve created a snap for gradle. I’d like to use classic confinement because of the following:

  • It’s a build tool which may require access to anywhere within the filesystem (i.e. building outside of the home directory)
  • Gradle resolves user home to $HOME/.gradle instead of a path relative to the snap.
  • It spawns daemons for faster builds

In general most users would keep code within their home-directory so I would have thought plugging home (and optionally removable-media) would be sufficient for most use-cases. Or does the snap need to access files within /usr/ etc for system-headers / libraries etc? Can you please outline specifically why access to home may not be sufficient?

personal-files can be used for access to $HOME/.gradle

Strict mode confinement should not preclude the use of long-running daemons. Again, if this is not working as expected can you please provide more details?

In general, gradle would fit into the category of compilers and as such would meet the requirements for classic confinement, however classic confinement snaps cannot be used on Ubuntu Core - so I am trying to make sure the requirements / trade-offs are understood before proceeding with this.

I guess the important question is: would a user of gradle expect to link their project against system libraries? That might not be an issue for cross compiling Android apps, but presumably that isn’t all people use gradle for.

I tried strict confinement with the personal-files plug and a few others. But gradle tries to spawn a (temporary) daemon and tries to reach a file in /proc. I also found myself adding network, network-bind, network-observe and system-files in order to make things work (currently I cannot be specific as I reverted and lost my changes – I’ll have to rework on it if necessary). Adding these requires manual connections (but I guess we can sort it out with additional threads, right?)

I’m not sure if I get it right. I currently use gradle’s binary distribution and do not compile it from source. Why do you think they would link their projects against system libraries?

My comment was more directed at @alexmurray:

  • If you’re using gradle to cross compile a project for another platform (as you might with an Android project), then the set of libraries and headers available on the host system are not particularly interesting.
  • If you’re using gradle to build an application intended to run on the host system, then it’s not unreasonable to expect to be able to link against libraries found on the host system.

The first use case can probably work with strict confinement. The second would require classic confinement.


At this stage, it looks like strict confinement should be able to support the use-cases which you mention so let’s focus on getting that working with the appropriate plugs etc, and then once it is working as expected, we can look into whether to grant auto-connection for these as well.

Can you detail which file / paths in /proc were required since this may be able to be supported by an existing interface rather than system-files?


Hi @alexmurray,

I’ve updated snapcraft.yml file for strict confinement here. It seems to be working but I think it’s a bit slower than the classic confinement version. (I’ll test more)

Also, I’ve seen the following logs which may require additional work:

dmesg output:

[ 7673.324075] audit: type=1400 audit(1595368559.575:1897): apparmor="STATUS" operation="profile_load" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.afda02b0.sshfs_server" pid=32154 comm="apparmor_parser"
[ 7673.330162] audit: type=1400 audit(1595368559.583:1898): apparmor="DENIED" operation="open" profile="multipass.snapcraft-gradle.afda02b0.sshfs_server" name="/etc/ssh/ssh_config" pid=32155 comm="sshfs_server" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 7673.428358] audit: type=1400 audit(1595368559.683:1899): apparmor="STATUS" operation="profile_remove" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.afda02b0.sshfs_server" pid=32157 comm="apparmor_parser"
[ 7689.307011] audit: type=1400 audit(1595368575.559:1912): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/snap/core/9665/usr/share/locale/tr/LC_MESSAGES/snappy.mo" pid=32418 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319583] audit: type=1400 audit(1595368575.571:1913): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319586] audit: type=1400 audit(1595368575.571:1914): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319588] audit: type=1400 audit(1595368575.571:1915): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319589] audit: type=1400 audit(1595368575.571:1916): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319590] audit: type=1400 audit(1595368575.571:1917): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319592] audit: type=1400 audit(1595368575.571:1918): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319593] audit: type=1400 audit(1595368575.571:1919): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319595] audit: type=1400 audit(1595368575.571:1920): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 7689.319608] audit: type=1400 audit(1595368575.571:1921): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
[ 8336.806554] audit: type=1400 audit(1595369223.059:1959): apparmor="STATUS" operation="profile_remove" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.qemu-system-x86_64" pid=925 comm="apparmor_parser"
[ 8337.000054] audit: type=1400 audit(1595369223.251:1962): apparmor="STATUS" operation="profile_load" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.qemu-system-x86_64" pid=1004 comm="apparmor_parser"

some additional logs from snappy-debug:

= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/snap/core/9665/usr/share/locale/tr/LC_MESSAGES/snappy.mo" pid=31060 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /snap/core/9665/usr/share/locale/tr/LC_MESSAGES/snappy.mo (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes'

= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'

= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us'

= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares'

= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'

= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us'

= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares'

= AppArmor =
Time: Jul 22 00:41:02
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=31060 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes'

= Seccomp =
Time: Jul 22 00:42:00
Log: auid=987201431 uid=987201431 gid=987200513 ses=3 pid=31117 comm=6A6172207472616E73666F726D7320 exe="/snap/gradle/x7/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java" sig=0 arch=c000003e 93(fchown) compat=0 ip=0x7f4c7e252527 code=0x50000
Syscall: fchown
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'fchown'
* ignore the denial if the program otherwise works correctly (unconditial chown is often just noise)

= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes'

= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'

= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us'

= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares'

= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'

= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_period_us'

= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.shares'

= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes'

= AppArmor =
Time: Jul 22 00:43:00
Log: apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=31268 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0
File: /sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us (read)
Suggestion:
* adjust program to not access '/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us'
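As an added example (not code from the thread, from snapd or from snappy-debug), a small triage script for dmesg audit lines like the ones in this post: it parses each record, drops the profile_load/profile_remove STATUS lines, collapses the repeated cgroup reads into one row per (profile, path, comm, mask) with a hit count, and buckets each row the way the thread ends up treating it. The sample input is copied from the dmesg output above; the bucket labels are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# key="quoted value" or key=bareword, as the audit subsystem emits them.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Denial:
    profile: str  # enforcing AppArmor profile, e.g. snap.gradle.gradle
    path: str     # the "name" field: the file the program tried to open
    comm: str     # process name: java, snap-exec, ...
    mask: str     # denied_mask, e.g. "r"


def parse_audit_line(line: str) -> Optional[Denial]:
    """Turn one dmesg/audit line into a Denial; STATUS lines yield None."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED":
        return None  # profile_load / profile_remove records are not denials
    return Denial(
        profile=fields.get("profile", "?"),
        path=fields.get("name", "?"),
        comm=fields.get("comm", "?"),
        mask=fields.get("denied_mask") or fields.get("requested_mask", "?"),
    )


def classify(d: Denial) -> str:
    """Bucket a denial; labels follow how the thread treats each kind."""
    if d.path.startswith("/sys/fs/cgroup/"):
        return "cgroup limit read by the JVM (treated as log noise; system-observe/base-policy candidate)"
    if d.comm == "snap-exec" and d.path.endswith(".mo"):
        return "locale catalogue lookup by snap-exec, not the snap's own code"
    return "review: may need an interface/plug"


def summarize(lines: Iterable[str]) -> Counter:
    """Count identical denials so 9 repeated cgroup lines become 4 rows."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_audit_line(line)
        if d is not None:
            counts[d] += 1
    return counts


def report(lines: Iterable[str]) -> List[Tuple[int, str, str, str, str]]:
    """Rows of (count, profile, comm, path, bucket), most frequent first."""
    rows = [(n, d.profile, d.comm, d.path, classify(d)) for d, n in summarize(lines).items()]
    return sorted(rows, key=lambda r: (-r[0], r[3]))


# Sample input copied from the dmesg output posted above (one STATUS line included).
SAMPLE_LINES = [
    '[ 7673.428358] audit: type=1400 audit(1595368559.683:1899): apparmor="STATUS" operation="profile_remove" profile="snap.multipass.multipassd" name="multipass.snapcraft-gradle.afda02b0.sshfs_server" pid=32157 comm="apparmor_parser"',
    '[ 7673.330162] audit: type=1400 audit(1595368559.583:1898): apparmor="DENIED" operation="open" profile="multipass.snapcraft-gradle.afda02b0.sshfs_server" name="/etc/ssh/ssh_config" pid=32155 comm="sshfs_server" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[ 7689.307011] audit: type=1400 audit(1595368575.559:1912): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/snap/core/9665/usr/share/locale/tr/LC_MESSAGES/snappy.mo" pid=32418 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0',
    '[ 7689.319583] audit: type=1400 audit(1595368575.571:1913): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0',
    '[ 7689.319586] audit: type=1400 audit(1595368575.571:1914): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0',
    '[ 7689.319590] audit: type=1400 audit(1595368575.571:1917): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0',
    '[ 7689.319595] audit: type=1400 audit(1595368575.571:1920): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0',
    '[ 7689.319608] audit: type=1400 audit(1595368575.571:1921): apparmor="DENIED" operation="open" profile="snap.gradle.gradle" name="/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes" pid=32418 comm="java" requested_mask="r" denied_mask="r" fsuid=987201431 ouid=0',
]

if __name__ == "__main__":
    for count, profile, comm, path, bucket in report(SAMPLE_LINES):
        print(f"{count:3d}x {profile} {comm} {path}\n      -> {bucket}")
```

Feeding it `dmesg | grep apparmor=` (or the journal) gives one row per distinct denial instead of one per hit, which is what you want to compare against the plugs listed in snapcraft.yaml.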

@tunix - thanks for the update. Looking at the snapcraft.yaml, you can remove the read property for the personal-files declaration since write implies read so there is no need for both.

Regarding the denials, the existing system-observe interface provides access to the global cgroup cpu,cpuacct - @jdstrand thoughts on either adding the user.slice cgroup as well to this interface OR perhaps to the base profile? Similarly, the base profile also provides access to /sys/fs/cgroup/memory/memory.limit_in_bytes - could this also be extended to add the user’s login service group user.slice as well? This could then resolve these denials.


@alexmurray - I started testing it for my daily use and faced a new issue. You can offload things like building docker images to gradle. But since it’s working in a strict confinement, it has no access to the programs installed on my host machine so I’m currently unable to use it for building docker images. Is there a plug for this? This is one of my use cases but people would probably need interactions with other software that I currently cannot think of.

I’ve removed the read property for personal-files and added the system-observe interface. (Is there a way to track progress for the suggestions you’ve made to @jdstrand, by the way?) Even though I added system-observe, I still see the same denial messages as above.


Adding system-observe won’t fix this at the moment since it does not provide the required access - I was suggesting to @jdstrand that perhaps we could expand the scope of system-observe to include these extra paths but this would need to be done via an update to snapd and so would not be available until some possible future release of snapd.

Regarding the use of external binaries - this is not possible for strictly confined snaps. As I mentioned above, it really depends on the use-cases that you wish to support for gradle. It seems some are possible when it is strictly confined but others are likely only possible when using classic confinement. That is why I was trying to get the full set of requirements earlier before jumping into whether to go down the strict vs classic confinement path.

If this is an expected use-case, then the only option is classic confinement. Since gradle would fit within the known categories for classic confinement this would be suitable to be granted classic confinement - however, note this does bring some drawbacks such as the inability to use such a snap on Ubuntu Core devices and possible incompatibilities between libraries on the host platform and between the snap.

So you need to think about these options and choose which you think is most appropriate for the snap given the various use-cases that you want it to be able to support.


Hi @alexmurray,

I think the slowness I mentioned in my previous comments occurs when there is no daemon working and it spawns a new one. I’m not sure about the reason but it takes a lot longer to execute my commands compared to the classic version.

I think that docker is a very common and legitimate way of working with gradle. And I’m sure there are other plugins that may interact with other software installed on the same system. So I think we need to proceed with classic confinement.

Afaik Ubuntu Core devices are IoT devices (+ appliances) which (imo) don’t seem to fit with the audience of gradle. I don’t want to limit the possibilities of developers with confinement. (I think I wouldn’t want it for myself either)

Just found out that publishing artifacts to mavenLocal is problematic as well. publishToMavenLocal publishes artifacts to $HOME/.m2/repository but the strictly confined snap probably writes those artifacts into the snap’s home folder, which is incorrect. There might be an env var to change the path for this command but imo it’s hard to cover all of these cases.

As above, gradle fits into the category of compilers and so meets the requirements for classic confinement. The requirements for classic confinement are therefore understood - @advocacy can you please perform vetting of the publisher?


There is something we can do. I haven’t decided precisely what yet, but added this to the list of policy updates for the upcoming 2.46 release.

@tunix - it sounds like the cgroup accesses are just causing noise in your logs. Can you confirm?

Note that there is a docker interface which gives access to the docker socket. Today you can use this when the docker snap is installed, but also see https://github.com/snapcore/snapd/pull/8789.

Yes, indeed. They’re just there but I’m unsure whether it’s causing any problems. gradle spawns new daemons once it starts and tries to reuse if there is an existing one. The initial daemon spawning seems to be slow but I’m not sure whether this is related or not.

I know there is a docker interface but I don’t want to integrate it as it’ll only be beneficial for some people. Like I wrote in previous messages, there might be other cases I’m missing so I think gradle should really use classic confinement.

Hi @alexmurray,

Do I need to do anything further? I’m not able to mention advocacy team. Is there an ETA for this process?

Thank you for your guidance!

@advocacy - ping, can you please perform publisher vetting?