Snapcraft snap not working out of the box when on gocryptfs

If I install snapcraft like so:

$ snap install snapcraft --classic

and my umask is 0022, so the current permissions are

  • drwxr-xr-x for the working directory
  • -rw-r--r-- for the snapcraft.yml file

My first attempt at building a snap fails:

$ snapcraft 
cannot open path of the current working directory: Permission denied

I tried snap install-ing with sudo, same result.

What am I doing wrong? The snap is from Canonical and stable,
so it’s got to be something that is wrong with my setup. But umask 0022 is bog standard.

What directory are you sat in when you run snapcraft? /tmp?

It’s a gocryptfs mount in my home directory, that belongs to my user
(i.e. the user running the snapcraft command).

I’m not quite clear on the user that the snapcraft snap runs under, since:

snap run --shell snapcraft 
whoami

Also returns the name of my user (the user running the snapcraft command).
So everything seems lined up.

Unless there is some additional containment measure to run the snapcraft snap
as yet another user, I’m at a loss.

Are there any policy violations in the logs at the time of the error? (see journalctl)

No policy violation in journalctl. Maybe the straces (with / without sudo) help?

strace without sudo

(as non-root user in my gocryptfs mount)
$ strace -e trace=process -s 256 snapcraft 
execve("/snap/bin/snapcraft", ["snapcraft"], [/* 111 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x7f10283e6700) = 0
clone(child_stack=0x7f1027c08ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f1027c099d0, tls=0x7f1027c09700, child_tidptr=0x7f1027c099d0) = 18140
clone(child_stack=0x7f1027407ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f10274089d0, tls=0x7f1027408700, child_tidptr=0x7f10274089d0) = 18141
clone(child_stack=0x7f1026c06ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f1026c079d0, tls=0x7f1026c07700, child_tidptr=0x7f1026c079d0) = 18142
clone(child_stack=0, flags=SIGCHLD)     = 18143
wait4(18143, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, {ru_utime={0, 1437}, ru_stime={0, 0}, ...}) = 18143
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=18143, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
execve("/snap/core/current/usr/bin/snap", ["snapcraft"], [/* 111 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x7f65ed9a5700) = 0
clone(child_stack=0x7f65ed1c7ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f65ed1c89d0, tls=0x7f65ed1c8700, child_tidptr=0x7f65ed1c89d0) = 18146
clone(child_stack=0x7f65ec9c6ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f65ec9c79d0, tls=0x7f65ec9c7700, child_tidptr=0x7f65ec9c79d0) = 18147
clone(child_stack=0x7f65ec1c5ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f65ec1c69d0, tls=0x7f65ec1c6700, child_tidptr=0x7f65ec1c69d0) = 18148
clone(child_stack=0x7f65eb1c3ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f65eb1c49d0, tls=0x7f65eb1c4700, child_tidptr=0x7f65eb1c49d0) = 18150
clone(child_stack=0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 18151
waitid(P_PID, 18151, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=18151, si_uid=1000, si_status=0, si_utime=0, si_stime=0}, WEXITED|WNOWAIT, NULL) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=18151, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
wait4(18151, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, {ru_utime={0, 1592}, ru_stime={0, 0}, ...}) = 18151
clone(child_stack=0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 18153
waitid(P_PID, 18153, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=18153, si_uid=1000, si_status=0, si_utime=0, si_stime=0}, WEXITED|WNOWAIT, NULL) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=18153, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
wait4(18153, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, {ru_utime={0, 0}, ru_stime={0, 2146}, ...}) = 18153
execve("/snap/core/7917/usr/lib/snapd/snap-confine", ["/snap/core/7917/usr/lib/snapd/snap-confine", "--classic", "snap.snapcraft.snapcraft", "/snap/core/7917/usr/lib/snapd/snap-exec", "snapcraft"], [/* 124 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x7fe0ff4e9740) = 0
need to run as root or suid
exit_group(1)                           = ?
+++ exited with 1 +++

strace with sudo

$ sudo strace -e trace=process -s 256 snapcraft 
execve("/snap/bin/snapcraft", ["snapcraft"], [/* 28 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x7f54a4d96700) = 0
clone(child_stack=0x7f54a45b8ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f54a45b99d0, tls=0x7f54a45b9700, child_tidptr=0x7f54a45b99d0) = 22327
clone(child_stack=0x7f54a3db7ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f54a3db89d0, tls=0x7f54a3db8700, child_tidptr=0x7f54a3db89d0) = 22328
clone(child_stack=0x7f54a35b6ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f54a35b79d0, tls=0x7f54a35b7700, child_tidptr=0x7f54a35b79d0) = 22329
clone(child_stack=0, flags=SIGCHLD)     = 22330
wait4(22330, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, {ru_utime={0, 1297}, ru_stime={0, 0}, ...}) = 22330
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22330, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
execve("/snap/core/current/usr/bin/snap", ["snapcraft"], [/* 28 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x7f88da996700) = 0
clone(child_stack=0x7f88da1b8ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f88da1b99d0, tls=0x7f88da1b9700, child_tidptr=0x7f88da1b99d0) = 22333
clone(child_stack=0x7f88d99b7ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f88d99b89d0, tls=0x7f88d99b8700, child_tidptr=0x7f88d99b89d0) = 22334
clone(child_stack=0x7f88d91b6ff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f88d91b79d0, tls=0x7f88d91b7700, child_tidptr=0x7f88d91b79d0) = 22335
clone(child_stack=0x7f88d3ffeff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f88d3fff9d0, tls=0x7f88d3fff700, child_tidptr=0x7f88d3fff9d0) = 22337
clone(child_stack=0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 22338
waitid(P_PID, 22338, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22338, si_uid=0, si_status=0, si_utime=0, si_stime=0}, WEXITED|WNOWAIT, NULL) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22338, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
wait4(22338, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, {ru_utime={0, 284}, ru_stime={0, 1211}, ...}) = 22338
clone(child_stack=0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 22340
waitid(P_PID, 22340, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22340, si_uid=0, si_status=0, si_utime=0, si_stime=0}, WEXITED|WNOWAIT, NULL) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22340, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
wait4(22340, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, {ru_utime={0, 0}, ru_stime={0, 1984}, ...}) = 22340
execve("/snap/core/7917/usr/lib/snapd/snap-confine", ["/snap/core/7917/usr/lib/snapd/snap-confine", "--classic", "snap.snapcraft.snapcraft", "/snap/core/7917/usr/lib/snapd/snap-exec", "snapcraft"], [/* 42 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x7f1ef1ef7740) = 0
cannot open path of the current working directory: Permission denied
exit_group(1)                           = ?
+++ exited with 1 +++

This is normal FUSE behaviour. gocryptfs is a FUSE-based filesystem.

Basically you are being hit with FUSE’s protections which prohibit other users from accessing your mount-points, because running a snap application routes through the root user via setuid executables. Root is an “other user” and so the command snap-confine, running as root, cannot access your mounted filesystem.

You might be able to allow access by using the mount option allow_other:

gocryptfs -allow_other encrypted decrypted
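An added diagnostic, not code from this thread, snapcraft or gocryptfs, that classifies the mount a working directory lives on by reading /proc/self/mountinfo, so the "cannot open path of the current working directory" case (FUSE mount, no allow_other, setuid snap-confine running as root) can be spotted before running snapcraft. The sample mountinfo lines, paths and uid are constructed, and the classify_mount function name is my own.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo: an ext4 root, a gocryptfs
# (FUSE) mount without allow_other, and one mounted with allow_other.
SAMPLE_MOUNTINFO='24 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
99 24 0:55 / /home/alice/vault rw,nosuid,nodev,relatime shared:60 - fuse.gocryptfs gocryptfs rw,user_id=1000,group_id=1000,max_read=131072
100 24 0:56 / /home/alice/shared rw,nosuid,nodev,relatime shared:61 - fuse.gocryptfs gocryptfs rw,user_id=1000,group_id=1000,allow_other,max_read=131072'

# classify_mount DIR [MOUNTINFO]
# Prints one of:
#   root-blocked      FUSE mount without allow_other: only the mounting user
#                     may enter it, so snap-confine (root, setuid) is refused
#   fuse-allow-other  FUSE mount that other users, root included, may enter
#   not-fuse          ordinary kernel filesystem
# MOUNTINFO defaults to the live /proc/self/mountinfo. Mount points containing
# spaces are escaped as \040 in mountinfo; this helper does not unescape them.
classify_mount() {
    printf '%s\n' "${2:-$(cat /proc/self/mountinfo)}" | awk -v dir="$1" '
        # Before " - ": id parent maj:min root mountpoint options [tags...]
        # After  " - ": fstype source superopts
        {
            sep = index($0, " - ")
            if (sep == 0) next
            split(substr($0, 1, sep - 1), pre, " ")
            split(substr($0, sep + 3), post, " ")
            mnt = pre[5]
            # The longest mount point that is a path prefix of dir is the
            # filesystem the directory actually lives on.
            if (mnt == "/" || dir == mnt || index(dir, mnt "/") == 1) {
                if (length(mnt) > length(best)) {
                    best = mnt; fstype = post[1]; opts = post[3]
                }
            }
        }
        END {
            if (best == "") { print "unknown"; exit }
            if (fstype !~ /^fuse/) { print "not-fuse"; exit }
            if (("," opts ",") ~ /,allow_other,/) print "fuse-allow-other"
            else print "root-blocked"
        }'
}

# Typical use before building: classify_mount "$PWD"
classify_mount /home/alice/vault/mysnap "$SAMPLE_MOUNTINFO"   # root-blocked
```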

I like to protect my user files even from root, so enabling allow_other is not an option.
I’ll snapcraft my snaps outside of the mount in /tmp for now. That works fine.
Thanks!
