I have developed a snap app and have used the devmode install option. I am now attempting to build and deploy with strict confinement. Below I have provided version info and Seccomp fault.
Can anyone direct me to tutorial to build policy overrides into a snap interface? I have seen it mentioned on https://docs.ubuntu.com/core/en/guides/intro/security but am relatively new to building interfaces.
Also, I have seen others have had issue with the setgroups call violation with Seccomp. I am not sure if this is still an outstanding issue.
My app does not specifically use a call to setgroups but is simply attempting to read the product serial number with the following system command:
sudo cat /sys/class/dmi/id/product_serial
=====================
version info:
Linux version 4.4.0-139-generic (buildd@lcy01-amd64-006) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) ) #165-Ubuntu SMP Wed Oct 24 10:58:50 UTC 2018
snap 2.36.1
snapd 2.36.1
series 16
kernel 4.4.0-139-generic
Seccomp denial:
admin@CRMYB02:~$ sudo snappy-debug.security scanlog niagara
INFO: following ‘/var/log/syslog’. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug.security scanlog
kernel.printk_ratelimit = 0
= Seccomp =
Time: Nov 29 03:04:15
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=7871 comm=“sudo” exe="/usr/bin/sudo" sig=0 arch=c000003e 116(setgroups) compat=0 ip=0x7f195c68cf09 code=0x50000
Syscall: setgroups
Suggestion:
- adjust program to not use ‘setgroups’ until per-snap user/groups are supported (https://launchpad.net/bugs/1446748)