the denial is not related to caps but trying to create a file under /dev/shm … when running snappy-debug on the system alongside the snap it should have told you about this …
there is a new shared-memory interface in snapd 2.55.x (currently in the candidate channel) that is able to give you a private and fully writable /dev/shm for the snap and should solve your problem …
Inside the foreign hardware where I want to run my snap, I have a run.sh as the command in the snap.
run.sh content:
#!/bin/sh
echo "We are here: $SNAP/"
echo "Set capabilities for SICK AppEngine binary and make it executable"
setcap cap_net_bind_service,cap_sys_nice,cap_ipc_lock,cap_net_raw+ep "$SNAP/AppEngine"   # needs CAP_SETFCAP and a writable target file
chmod +x "$SNAP/AppEngine"   # $SNAP is the read-only mounted snap, so this cannot change anything
echo "Run AppEngine"
"$SNAP/AppEngine" -config "$SNAP/userconfig.yml"
and the output I get:
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.86705 +0000 UTC We are here: /snap/appengine-snap/x1/
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.86705 +0000 UTC Set capabilities for SICK AppEngine binary and make it executable
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.871206 +0000 UTC AVC apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.872251 +0000 UTC AVC apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.873628 +0000 UTC /snap/appengine-snap/x1/run.sh: 5: setcap: Permission denied
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.879704 +0000 UTC chmod: changing permissions of '/snap/appengine-snap/x1/AppEngine': Read-only file system
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.880742 +0000 UTC Run AppEngine
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.88111 +0000 UTC audit: type=1400 audit(1649838526.860:286268): apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.881247 +0000 UTC audit: type=1400 audit(1649838526.870:286269): apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Unrelated to having the permission to write files, what about this? I need to set the caps inside the foreign hardware.
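As an added example (not code from this thread or from snapd), a small Python triage script that parses AppArmor DENIED records out of journal output like the above, collapses the repeated AVC/audit copies of the same event, and attaches the remediation the replies point at (a host binary executed from inside the snap, or a write under /dev/shm). The sample lines are constructed from the posted output plus one constructed /dev/shm denial.

```python
import re

# Constructed sample journal lines: two copies of the setcap exec denial quoted
# in the thread (AVC line and audit line) plus a constructed /dev/shm denial.
SAMPLE_LOG = """\
2022-04-13T08:28:46Z ctrlx-CORE wasp[1575] AVC apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE wasp[1575] /snap/appengine-snap/x1/run.sh: 5: setcap: Permission denied
2022-04-13T08:28:47Z ctrlx-CORE wasp[1575] audit: type=1400 audit(1649838526.860:286268): apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:29:01Z ctrlx-CORE wasp[1575] audit: type=1400 audit(1649838541.100:286270): apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/sem.appengine" pid=686901 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value, as AppArmor writes its audit fields
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of key/value fields per AppArmor DENIED record."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # ordinary program output, not an AppArmor record
        records.append({k: q or u for k, q, u in KV_RE.findall(line)})
    return records

def snap_name(profile):
    """'snap.<snap>.<app>' -> '<snap>'; None for profiles that are not a snap app."""
    parts = profile.split('.')
    return parts[1] if len(parts) == 3 and parts[0] == 'snap' else None

def hint(rec):
    """Map a denial to the remediation discussed in the thread."""
    name, op = rec.get('name', ''), rec.get('operation')
    snap = snap_name(rec.get('profile', ''))
    if op == 'exec' and snap and not name.startswith(f'/snap/{snap}/'):
        return f'exec of host binary {name}: ship it inside the snap (stage-packages)'
    if name.startswith('/dev/shm/'):
        return 'write under /dev/shm: look at the shared-memory interface (snapd 2.55.x)'
    return 'unclassified: run snappy-debug alongside the app for a suggestion'

def summarize(text):
    """Collapse duplicate denials and attach a hint to each distinct one."""
    counts = {}
    for rec in parse_denials(text):
        key = (rec.get('profile'), rec.get('operation'), rec.get('name'), rec.get('denied_mask'))
        counts[key] = counts.get(key, 0) + 1
    return [dict(profile=p, operation=o, name=n, denied_mask=m, count=c,
                 hint=hint(dict(profile=p, operation=o, name=n)))
            for (p, o, n, m), c in counts.items()]

if __name__ == '__main__':
    print(*summarize(SAMPLE_LOG), sep='\n')
```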
you don’t even get to execute setcap here (which is probably why you don’t have any CAP related denials yet), your snap should ship the setcap command instead of trying to call it from the host …
Alright, but what do you mean with "your snap should ship the setcap"? I am completely new to SNAP and a noob Linux user.
Can you give an example, or an explanation!?
But after I added libcap to the stage-packages I get the error
2022-04-19T10:55:48Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 10:55:48.131218 +0000 UTC unable to set CAP_SETFCAP effective capability: Operation not permitted
So is there no other option to get a workaround?
i guess to gain the CAP_SETFCAP capability we’d need to extend some (or add a new) interface, perhaps @alexmurray or @emitorino have an idea or hint here how risky that is …
there is no interface providing you permission to set that capability … do you see more denials in your journal when setcap runs ? also, did you run snappy-debug alongside your app to see if it has any suggestions ?
snappy-debug should tell you which interface is suitable for that … (i'd assume it is process-control but that is just a guess, snappy-debug will know for sure)
Question: my app contains a TCP server and listens on the special port 2122. When I install the snap in devmode I can connect to/find this port… but in non-devmode I can't… is there a Snap port-forwarding or firewall mechanism!? The interface 'network-bind' does not solve the issue.
1. My app (executable) which I run in a SNAP has some further libs which are located in the "extensions" sub-folder of my executable folder.
But when I install the snap, the libs are searched for in "/var/snap/myApp/x1/extensions", while the libs in the executable folder are in the "/snap/myApp/x1/extensions" folder. Why is SNAP searching in the "var" folder of snap!?
because that’s a “device folder” not a “system-file”, i don’t think you can use system-files for this … take a look at the shared-memory interface instead … (in fact snappy-debug should have suggested exactly this, did it not ??)