Snapping MusicBrainz Picard & problems with gconf

I’m trying to snap musicbrainz-picard and I already have a snap that works in devmode:

but when trying to confine it I’m getting this error:

Failed to get value for `/desktop/gnome/interface/icon_theme': Configuration server couldn't be contacted: D-BUS error: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.130" (uid=1000 pid=28573 comm="gconftool-2 -g /desktop/gnome/interface/icon_theme") interface="org.gnome.GConf.Server" member="GetDefaultDatabase" error name="(unset)" requested_reply="0" destination="org.gnome.GConf" (uid=1000 pid=8652 comm="/usr/lib/x86_64-linux-gnu/gconf/gconfd-2 ")

I’m trying to replicate what I’ve seen here:

but then snapcraft tells me that:

Issues while validating snapcraft.yaml: The 'apps/musicbrainz-picard/slots' property does not match the required schema: OrderedDict([('session-dbus-interface', OrderedDict([('interface', 'org.gnome.GConf.Server'), ('name', 'org.gnome.GConf'), ('bus', 'session')]))]) is not of type 'array'
The 'apps/musicbrainz-picard/slots' property does not match the required schema: OrderedDict([('session-dbus-interface', OrderedDict([('interface', 'org.gnome.GConf.Server'), ('name', 'org.gnome.GConf'), ('bus', 'session')]))]) is not of type 'array'

what am I doing wrong?

gconf is not supported by any interfaces. gconf is an antiquated technology that has been replaced by gsettings. I suggest that your application be adjusted to use gsettings instead (I am unfamiliar with the musicbrainz code, but I suspect that this application already will try to use gsettings and is simply setting gconf to try to cover all the bases, so this may actually be either a non-fatal error or it can be made non-fatal through a minimal code change).

Thanks @jdstrand! I have opened a ticket in their project to see if it is as you say:

OK, they answered in no time, so I made the modification suggested here:

Compiled the snap and now I’m getting these denials:

mai 29 18:24:51 latitude audit[27872]: AVC apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:51 latitude kernel: audit: type=1400 audit(1496075091.799:453): apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:52 latitude audit[27872]: AVC apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:52 latitude kernel: audit: type=1400 audit(1496075092.287:454): apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:53 latitude dbus[4920]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" name="org.gnome.GConf" pid=27872 label="snap.musicbrainz-picard.musicbrainz-picard" peer_pid=8652 peer_label="unconfined"
mai 29 18:24:53 latitude audit[27872]: AVC apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/etc/xdg/Trolltech.conf" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:53 latitude kernel: audit: type=1400 audit(1496075093.807:455): apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/etc/xdg/Trolltech.conf" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:54 latitude dbus[4920]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" name="org.gnome.GConf" pid=27872 label="snap.musicbrainz-picard.musicbrainz-picard" peer_pid=8652 peer_label="unconfined"
mai 29 18:24:55 latitude audit[27872]: AVC apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:55 latitude audit[27872]: AVC apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:55 latitude kernel: audit: type=1400 audit(1496075095.071:456): apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:55 latitude kernel: audit: type=1400 audit(1496075095.071:457): apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
mai 29 18:24:55 latitude audit[27872]: SECCOMP auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=27872 comm="python2" exe="/snap/musicbrainz-picard/x1/usr/bin/python2.7" sig=31 arch=c000003e syscall=50 compat=0 ip=0x7f42f45b3627 code=0x0
mai 29 18:24:55 latitude kernel: audit: type=1326 audit(1496075095.215:458): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=27872 comm="python2" exe="/snap/musicbrainz-picard/x1/usr/bin/python2.7" sig=31 arch=c000003e syscall=50 compat=0 ip=0x7f42f45b3627 code=0x0

And even though some of the denials are related to the org.gnome.GConf.Server interface, I’m not seeing the error that I was seeing before when executing the application.

BTW, I’ve modified the snapcraft to allow the optical-drive interface in my local copy, but I’m still seeing the denials.

I suggest you use ‘snappy-debug’ to help with moving from devmode to strict mode since it will make suggestions to you. See Security policy and sandboxing

The seccomp denial is for the ‘listen’ syscall. I suggest you also plug network-bind. The /proc/sys/dev/cdrom/info access should be added to the optical-drive interface and it may be non-fatal. I’ve taken a TODO to do that. In the meantime, you can work around the issue by adding this to /var/lib/snapd/apparmor/profiles/snap.musicbrainz-picard.musicbrainz-picard (before the trailing ‘}’):

/proc/sys/dev/cdrom/info r,

and reload the profile with: sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.musicbrainz-picard.musicbrainz-picard. Note that if you ‘snap try’, snap install, snap remove, reboot, etc, then this change will be lost and you’ll have to add it again.
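The triage jdstrand describes above (read each denial, decide whether a snap interface covers it, and otherwise fall back to a temporary rule in the generated AppArmor profile) can be automated. The following is an added example written for this thread; it is not snappy-debug or snapd code. Its interface hints encode only what the thread states (listen → network-bind, /proc/sys/dev/cdrom/info → optical-drive once that interface covers it, gconf over D-Bus → no interface, port to gsettings), the PATH_TO_INTERFACE table is an assumption of the example, and the sample input is the thread's own denial lines trimmed to their audit fields.

```python
"""Triage snapd AppArmor/seccomp denials from journal lines.

Added example for this thread; it is not snappy-debug or snapd code. The
interface hints encode only what the thread states: listen(2) -> network-bind,
/proc/sys/dev/cdrom/info -> optical-drive (jdstrand's TODO), and gconf over
D-Bus -> no interface, so the application must move to gsettings.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# x86_64 (arch=c000003e) syscall numbers; 50 is listen(2), as the thread says.
X86_64_SYSCALLS: Dict[int, str] = {49: "bind", 50: "listen"}
SYSCALL_TO_INTERFACE: Dict[str, str] = {"bind": "network-bind", "listen": "network-bind"}
# Assumed table for this example only (the thread says cdrom/info should be
# added to optical-drive; it was not covered by that interface at the time).
PATH_TO_INTERFACE: Dict[str, str] = {"/proc/sys/dev/cdrom/info": "optical-drive"}
UNSUPPORTED_DBUS_PREFIXES = ("org.gnome.GConf",)

# key=value or key="value with spaces", as audit and dbus denial records are written
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


class Finding(NamedTuple):
    kind: str                 # "file", "dbus" or "seccomp"
    detail: str               # path, D-Bus name or syscall name
    interface: Optional[str]  # snap interface to plug, if one is known
    rule: Optional[str]       # AppArmor rule for the manual profile workaround
    advice: str


def parse_fields(line: str) -> Dict[str, str]:
    """Split an audit/dbus log line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def classify(line: str) -> Optional[Finding]:
    """Map one journal line to a Finding, or None if it is not a denial."""
    f = parse_fields(line)
    if f.get("apparmor") == "DENIED" and f.get("operation") == "dbus_method_call":
        dest = f.get("name", "")
        if dest.startswith(UNSUPPORTED_DBUS_PREFIXES):
            return Finding("dbus", dest, None, None,
                           "gconf is not covered by any interface; port the app to gsettings")
        return Finding("dbus", dest, None, None, "needs a dbus plug/slot or a desktop interface")
    if f.get("apparmor") == "DENIED" and "name" in f and "denied_mask" in f:
        path, iface = f["name"], PATH_TO_INTERFACE.get(f["name"])
        advice = f"plug {iface}" if iface else "no known interface; run snappy-debug"
        return Finding("file", path, iface, f"{path} {f['denied_mask']},", advice)
    if "syscall" in f and "sig" in f:  # type=1326 seccomp record
        num = int(f["syscall"])
        if f.get("arch") == "c000003e":
            name = X86_64_SYSCALLS.get(num, f"syscall {num}")
        else:
            name = f"syscall {num} (arch {f.get('arch')})"
        iface = SYSCALL_TO_INTERFACE.get(name)
        advice = f"plug {iface}" if iface else "no known interface for this syscall"
        return Finding("seccomp", name, iface, None, advice)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Classify every line, dropping the audit[]/kernel duplicates the journal emits."""
    seen, out = set(), []
    for line in lines:
        fnd = classify(line)
        if fnd and fnd not in seen:
            seen.add(fnd)
            out.append(fnd)
    return out


def suggested_plugs(findings: List[Finding]) -> List[str]:
    return sorted({f.interface for f in findings if f.interface})


def insert_profile_rule(profile_text: str, rule: str) -> str:
    """Insert an AppArmor rule before the profile's trailing '}' (the manual
    workaround from the thread). snapd regenerates the profile on snap
    install/try/remove and on reboot, so the edit does not persist."""
    idx = profile_text.rstrip().rfind("}")
    if idx < 0:
        raise ValueError("not an AppArmor profile: no closing brace")
    return profile_text[:idx] + "  " + rule + "\n" + profile_text[idx:]


# Sample input: denial lines from this thread, trimmed to their audit fields.
SAMPLE_LOG = [
    'audit[27872]: AVC apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'kernel: audit: type=1400 audit(1496075091.799:453): apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/proc/sys/dev/cdrom/info" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'dbus[4920]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" name="org.gnome.GConf" pid=27872 label="snap.musicbrainz-picard.musicbrainz-picard" peer_pid=8652 peer_label="unconfined"',
    'audit[27872]: AVC apparmor="DENIED" operation="open" profile="snap.musicbrainz-picard.musicbrainz-picard" name="/etc/xdg/Trolltech.conf" pid=27872 comm="python2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'audit[27872]: SECCOMP auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=27872 comm="python2" exe="/snap/musicbrainz-picard/x1/usr/bin/python2.7" sig=31 arch=c000003e syscall=50 compat=0 ip=0x7f42f45b3627 code=0x0',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for fnd in found:
        print(f"{fnd.kind:8} {fnd.detail:30} {fnd.advice}")
    print("plugs:", suggested_plugs(found))
    print("workaround rules:", [f.rule for f in found if f.rule])
```

In real use, feed it `journalctl -k` plus the dbus entries (or `snappy-debug`'s scanlog output) rather than the embedded sample; the file rules it prints are only a stop-gap for a `snap try` session, since the next install or reboot rewrites the profile.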

I forgot to mention that I did try snappy-debug like this:

sudo /snap/bin/snappy-debug.security scanlog musicbrainz-picard

but then the application would not start.

You were right about /proc/sys/dev/cdrom/info, and that without the gconf stuff the application would run.

With these changes:

Now the application runs confined!