Hello, I am trying to pack (testapp) a Python script that connects GTK snaps to custom themes. The script runs a few shell commands which start with:
‘snap list’, ‘snap connections’ or ‘sudo snap connect/disconnect’
Everything works fine in --devmode; however, when I try to test the snap in strict mode I get:
/bin/sh: 1: snap: Permission denied
/bin/sh: 1: sudo: Permission denied
The output from ‘sudo /snap/bin/snappy-debug.security scanlog testapp’ is the following:
= AppArmor =
Time: May 8 18:39:57
Log: apparmor="DENIED" operation="exec" profile="snap.testapp.testapp" name="/snap/snapd/7264/usr/bin/snap" pid=12149 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /snap/snapd/7264/usr/bin/snap (exec)
Suggestions:
- adjust snap to ship ‘snap’
- adjust program to use relative paths if the snap already ships ‘snap’
= AppArmor =
Time: May 8 18:40:32
Log: apparmor="DENIED" operation="exec" profile="snap.testapp.testapp" name="/usr/bin/sudo" pid=12204 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /usr/bin/sudo (exec)
Suggestions:
- adjust snap to ship ‘sudo’
- adjust program to use relative paths if the snap already ships ‘sudo’
I assume that I am not allowed to use ‘sudo’ or call other snaps from within a given snap in strict mode.
Is there a way around that? I tried with ‘confinement: classic’ but it does not work with ‘extensions: [gnome-3-28]’