Seccomp profile not compiling

I’m having trouble with developing a custom interface for my app, and I realize that the seccomp profile for my snap is not being recompiled after editing the respective *.src file.

I’m running into this error from snappy-debug:

= Seccomp =
Time: Apr 21 01:57:13
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=37063 comm="5" exe=2F6D656D66643A6767635F636C6F6E65643A2F70726F632F73656C662F657865202864656C6574656429 sig=0 arch=c000003e 260(fchownat) compat=0 ip=0x4b975a code=0x50000
Syscall: fchownat
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'fchownat'
* ignore the denial if the program otherwise works correctly (unconditial chown is often just noise)

Separately, my app’s daemon logs show this error:

... failed to chown /var/snap/<snapname>/current/<filepath> to uid/gid owner 111/118: lchown /var/snap/<snapname>/current/<filepath>: operation not permitted

I tried adding filters like fchownat and fchownat - - u:my_user g:my_group (my_user is a user that I expect to exist on the host system) to seccomp, but neither works. I suspected that the *.src seccomp profile wasn’t being compiled to .bin, so I removed .bin. The result was that my daemon hangs when I try to run it. I can’t even shell into it using snap run --shell mysnap. Presumably, this is because the *.bin binary wasn’t recompiled.

How do I force the profile to be recompiled?

You need to recompile the .src file with

sudo /usr/lib/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.$SNAP_NAME.src /var/lib/snapd/seccomp/bpf/snap.$SNAP_NAME.bin
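An added example, not part of the original thread or of snapd: a POSIX shell helper that runs the compile command from the answer above only for profiles whose .bin is missing, empty, or older than the .src. It assumes per-app profiles are named snap.<name>.<app>.src next to the snap.$SNAP_NAME.src form shown in the answer; BPF_DIR and SNAP_SECCOMP are hypothetical override variables.

```shell
#!/bin/sh
# Added example: recompile only the stale seccomp profiles of one snap.
# Defaults are the paths from the answer; BPF_DIR and SNAP_SECCOMP are
# hypothetical override variables introduced for this example.
BPF_DIR="${BPF_DIR:-/var/lib/snapd/seccomp/bpf}"
SNAP_SECCOMP="${SNAP_SECCOMP:-/usr/lib/snapd/snap-seccomp}"

# A .bin is stale when it is missing, empty, or older than its .src.
profile_is_stale() {
    [ -s "$2" ] || return 0
    [ -n "$(find "$1" -newer "$2" 2>/dev/null)" ]
}

# Usage: recompile_stale_profiles <snap-name>
# Returns 0 on success, 1 if a compile failed, 2 if no .src matched.
recompile_stale_profiles() {
    name=$1
    rc=0
    found=0
    # Match snap.<name>.src and snap.<name>.<app>.src (assumed naming),
    # but not a different snap whose name merely starts with <name>.
    for src in "$BPF_DIR/snap.$name.src" "$BPF_DIR"/snap."$name".*.src; do
        [ -e "$src" ] || continue
        found=1
        bin="${src%.src}.bin"
        if profile_is_stale "$src" "$bin"; then
            # Compile to a temp file and rename it, so a failed compile
            # never replaces a working .bin with a broken one.
            tmp="$bin.tmp.$$"
            if "$SNAP_SECCOMP" compile "$src" "$tmp" && mv -f "$tmp" "$bin"; then
                echo "recompiled $bin"
            else
                rm -f "$tmp"
                echo "FAILED $src" >&2
                rc=1
            fi
        else
            echo "up-to-date $bin"
        fi
    done
    [ "$found" -eq 1 ] || { echo "no profiles for $name in $BPF_DIR" >&2; return 2; }
    return "$rc"
}

# Run directly as root with the snap name as the only argument.
[ "$#" -eq 0 ] || recompile_stale_profiles "$1"
```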

Thank you! That solved my problem. I filed a bug report for some outdated info in the docs. https://bugs.launchpad.net/snappy/+bug/1874156
