Setcap for SNAP executable

schwebo · April 21, 2022, 3:55am

good morning,

while using snappy-debug, i got the followning output:

so, “process-control” i have already added to my plugs, but “shared-memory” does not help for my issues with:

2022-04-21T03:46:01Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-21 03:46:01.754396 +0000 UTC AVC apparmor="DENIED" operation="open" profile="snap.appengine-snap.app-engine" name="/dev/shm/sem.CME-ACC" pid=3756445 comm="AppEngine" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
2022-04-21T03:46:01Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-21 03:46:01.754644 +0000 UTC AVC apparmor="DENIED" operation="open" profile="snap.appengine-snap.app-engine" name="/dev/shm/sem.CME-ACC" pid=3756445 comm="AppEngine" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
2022-04-21T03:46:01Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-21 03:46:01.754903 +0000 UTC AVC apparmor="DENIED" operation="open" profile="snap.appengine-snap.app-engine" name="/dev/shm/sem.CME-ACC" pid=3756445 comm="AppEngine" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
2022-04-21T03:46:02Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-21 03:46:01.755127 +0000 UTC AVC apparmor="DENIED" operation="open" profile="snap.appengine-snap.app-engine" name="/dev/shm/sem.CME-ACC" pid=3756445 comm="AppEngine" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

any further suggestions!? ( i red that shared-memory interface is used to communcatie between snaps, but for me is just using /dev/shm/*"

Thanks in advance

mborzecki · April 21, 2022, 6:06am

Is the named semaphore shared with different processes in the system that are outside of this snap?

schwebo · April 21, 2022, 6:59am

as far as i dont know… its just temporar program data i think… iam a linux noob… is the part (bold) of of “/dev/shm/sem.CME-ACC” custom from the application i guess!?

i can not change any code in my App, i just have my binary…

mborzecki · April 21, 2022, 7:57am

Hence my question. It’s a named semaphore (via sem_open()), and those are usually used to sync between processes. If all those processes are in the same snap then you could probably try something like this:

plugs:
  private-shmem:
    interface: shared-memory
    private: true

Which will set up /dev/shm such that the snap can write to it, as it’s a bind mount of /dev/shm/snap.<yoursnap> onto /dev/shm. What also means, it’s not really useful if you want to sync with processes on the outside.

schwebo · April 21, 2022, 9:20am

First , thank you for helping.

Is this to setup in my snapraft!?=

where i have to setup this :=> /dev/shm/snap.<yoursnap> onto /dev/shm . ??

ogra · April 21, 2022, 10:22am

you dont have to, snapd does it on startup of your app …