Seccomp - syscall: chown & bcompare hangs in strict confinement

Pretty much stuck here.

Denials

= AppArmor =
Time: Feb 22 21:19:48
Log: apparmor="DENIED" operation="open" profile="snap.bcompare.bcompare" name="/etc/xdg/Trolltech.conf" pid=21249 comm="BCompare" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /etc/xdg/Trolltech.conf (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= Seccomp =
Time: Feb 22 21:20:36
Log: auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=21249 comm="BCompare" exe="/snap/bcompare/x1/usr/lib/beyondcompare/BCompare" sig=31 arch=c000003e 92(chown) compat=0 ip=0x426177 code=0x0
Syscall: chown
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'chown'

last call of trace

[pid 21249] chown("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml", 1000, 1000 <unfinished ...>

last few lines of trace

[pid 21249] write(3, "\1\0\0\0\0\0\0\0", 8) = 8
[pid 21249] stat("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml", {st_mode=S_IFREG|0644, st_size=325, ...}) = 0
[pid 21249] access("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml", W_OK) = 0
[pid 21249] gettimeofday({1519316436, 400367}, NULL) = 0
[pid 21249] utimes("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml", [{1519316436, 0}, {1519316436, 0}]) = 0
[pid 21249] stat("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml", {st_mode=S_IFREG|0644, st_size=325, ...}) = 0
[pid 21249] open("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml.tmp", O_RDWR|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 11
[pid 21249] lseek(11, 0, SEEK_CUR)      = 0
[pid 21249] lseek(11, 0, SEEK_END)      = 0
[pid 21249] lseek(11, 0, SEEK_SET)      = 0
[pid 21249] readlink("/proc/self/exe", "/snap/bcompare/x1/usr/lib/beyond"..., 4095) = 48
[pid 21249] readlink("/proc/self/exe", "/snap/bcompare/x1/usr/lib/beyond"..., 4095) = 48
[pid 21249] lseek(11, 0, SEEK_SET)      = 0
[pid 21249] write(11, "<?xml version=\"1.0\" encoding=\"UT"..., 384) = 384
[pid 21249] close(11)                   = 0
[pid 21249] stat("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml.bak", {st_mode=S_IFREG|0644, st_size=204, ...}) = 0
[pid 21249] gettimeofday({1519316436, 401098}, NULL) = 0
[pid 21249] stat("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml.bak", {st_mode=S_IFREG|0644, st_size=204, ...}) = 0
[pid 21249] open("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BC4_voSsuo", O_RDWR|O_CREAT|O_EXCL, 0600) = 11
[pid 21249] close(11)                   = 0
[pid 21249] unlink("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BC4_voSsuo") = 0
[pid 21249] rename("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml", "/home/mmtrt/snap/bcompare/x1/.config/bcompare/BC4_voSsuo") = 0
[pid 21249] rename("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml.tmp", "/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml") = 0
[pid 21249] lstat("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BC4_voSsuo", {st_mode=S_IFREG|0644, st_size=325, ...}) = 0
[pid 21249] chmod("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml", 0100644) = 0
[pid 21249] chown("/home/mmtrt/snap/bcompare/x1/.config/bcompare/BCState.xml", 1000, 1000 <unfinished ...>
[pid 21221] <... wait4 resumed> 0x7ffd34c160cc, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
[pid 21221] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=22120, si_uid=1000} ---

full trace file

It looks like your app is trying to do an “atomic replace” of the BCState.xml file. Annoyingly, it seems that all examples of such an operation include chowning the file to match the original ownership (without checking whether it really needs changing). Currently chown is banned by seccomp, as you discovered. The only potential solution is to try using snapcraft-preload, as the log suggested. To do that, you need to add an entry for snapcraft-preload to your part’s after: and add snapcraft-preload to your app’s command:

parts:
  my-part:
    after: [snapcraft-preload]
    ...

apps:
  my-app:
    command: snapcraft-preload $SNAP/usr/bin/my-real-app
    ...

I already tried this solution, posted by you here on some other thread, and I tried it again; it did not do any good, same thing.