Snaps can not write to /run by default

The topic was originally discussed on IRC in the context of the livepatch snap, which currently writes a status file under /var/snapd/canonical-livepatch/current. The file/status is only valid until reboot, so it would make more sense to have it under /run (it’s easier/better than having custom code to clean out the file on boot).

One suggested solution on IRC/#snappy was to maybe let snaps access /run/snap.$SNAP_NAME by default. Having a custom /run space allowed by default can be useful.

Wdyt? (also reported on launchpad as https://bugs.launchpad.net/snapd/+bug/1802112)

We already have XDG_RUNTIME_DIR set by default in every snap, pointing to /run/user/<uid>/snap.<appname> (uid being 0 indeed for all daemon snaps)… I’m not sure if that dir is created for daemon snaps by default though … you might need a mkdir -p $XDG_RUNTIME_DIR in some wrapper script to create it first.

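The reply above suggests a `mkdir -p $XDG_RUNTIME_DIR` in a wrapper script. The following is an added example of such a wrapper, written for this thread rather than taken from snapd or the livepatch snap. It assumes snapd exports XDG_RUNTIME_DIR (as the reply states) but may not have created it for a daemon snap; the status file name `current` is a hypothetical modelled on the livepatch path mentioned in the first post.

```shell
#!/bin/sh
# Added example (not from the thread, snapd, or the livepatch snap): a
# daemon-snap wrapper that creates its XDG_RUNTIME_DIR before writing a
# boot-scoped status file there. Because /run is a tmpfs, the file is gone
# after reboot with no cleanup code in the snap.

# Create the per-snap runtime dir if it is missing and refuse anything that
# is not a plain directory (a symlink left there would silently redirect the
# snap's writes elsewhere). Returns 0 on success, 1 otherwise.
ensure_runtime_dir() {
    dir="$1"
    [ -n "$dir" ] || return 1
    if [ -L "$dir" ]; then
        echo "refusing to use symlinked runtime dir: $dir" >&2
        return 1
    fi
    # -m 0700: only the snap's own uid may read or write its runtime state.
    mkdir -p -m 0700 "$dir" || return 1
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Write a status file atomically: write a temp file in the same directory,
# then rename it over the final name, so a reader never sees a half-written
# file. "name" is e.g. "current" (hypothetical, after the livepatch example).
write_status() {
    dir="$1"; name="$2"; content="$3"
    ensure_runtime_dir "$dir" || return 1
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp" \
        && chmod 0600 "$tmp" \
        && mv -f "$tmp" "$dir/$name"
}

# Read the status back, e.g. from a "status" command of the same snap.
# Prints nothing and returns non-zero if no status has been written this boot.
read_status() {
    cat "$1/$2" 2>/dev/null
}

# Stand-alone demo: use the real XDG_RUNTIME_DIR when snapd provides it,
# otherwise a constructed temp dir so the script also runs outside a snap.
demo() {
    rt="${XDG_RUNTIME_DIR:-$(mktemp -d)}"
    write_status "$rt" "current" "status: patched" || return 1
    read_status "$rt" "current"
}
```

Run `demo` from the wrapper before exec'ing the real daemon; the directory and file live under the snap's own XDG_RUNTIME_DIR, which is exactly the location the reply says every snap already has and which the AppArmor profile permits, unlike an arbitrary path in /run.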

I have now proposed https://github.com/snapcore/snapd/pull/6109

My LibreOffice can’t write to /run

Got an SMB mounted there [image]

$ snap connections libreoffice
Interface               Plug                                Slot                            Notes
audio-playback          libreoffice:audio-playback          :audio-playback                 -
bluez                   libreoffice:bluez                   -                               -
content[gnome-42-2204]  libreoffice:gnome-42-2204           gnome-42-2204:gnome-42-2204     -
content[gtk-3-themes]   libreoffice:gtk-3-themes            gtk-common-themes:gtk-3-themes  -
content[icon-themes]    libreoffice:icon-themes             gtk-common-themes:icon-themes   -
content[sound-themes]   libreoffice:sound-themes            gtk-common-themes:sound-themes  -
cups-control            libreoffice:cups-control            :cups-control                   -
desktop                 libreoffice:desktop                 :desktop                        -
desktop-legacy          libreoffice:desktop-legacy          :desktop-legacy                 -
gsettings               libreoffice:gsettings               :gsettings                      -
home                    libreoffice:home                    :home                           -
network                 libreoffice:network                 :network                        -
network-bind            libreoffice:network-bind            :network-bind                   -
opengl                  libreoffice:opengl                  :opengl                         -
pulseaudio              libreoffice:pulseaudio              :pulseaudio                     -
removable-media         libreoffice:removable-media         :removable-media                -
screen-inhibit-control  libreoffice:screen-inhibit-control  :screen-inhibit-control         -
unity7                  libreoffice:unity7                  :unity7                         -
wayland                 libreoffice:wayland                 :wayland                        -
x11                     libreoffice:x11                     :x11                            -
$ snap --version
snap    2.63+22.04
snapd   2.63+22.04
series  16
neon    22.04
kernel  6.9.3-76060903-generic

This is completely unrelated to this topic (a snap being able to write to its own XDG_RUNTIME_DIR)

You are trying to write to a non-snap-owned dir in /run, which is simply a security breach; this access should rather happen through a portal. Please open a fresh topic (and probably a bug as well against the libreoffice snap).

(On a side note, do not run test kernels in production. The Ubuntu mainline builds are only for bisecting and testing bugfixes, not for general usage, and are lacking all security patches and the Ubuntu config options (they use mainline’s defconfig only, which is missing many options).)

This was actually using System76’s kernel (mine is a hybrid of Neon and Pop!_OS).

Ah, sorry, their versioning with the git commit hash always tricks me into thinking it is one of the Ubuntu mainline builds.