Socket.bind fails with "Permission denied" (strictly confined)

aluria · April 13, 2020, 11:49am

Hi,

I’ve read the thread at Proper Plug config for unix.socket & Python subprocess module calls but it looks slightly different to what I’m trying.

I want to run a python script on a strictly confined (and stable) snap, but I can’t find the plug to allow the following https://pastebin.ubuntu.com/p/3Jv75DYPzK/

Inside the snap, I get:

root@u-bionic:~# mytest.simple 
before binding
just before binding
Traceback (most recent call last):
  File "/snap/mytest/x5/bin/simple.py", line 16, in <module>
    main()
  File "/snap/mytest/x5/bin/simple.py", line 9, in main
    s.bind("\0mytest")
PermissionError: [Errno 13] Permission denied

Snap details can be found below:

snapcraft.yaml: https://pastebin.ubuntu.com/p/sYR6CQ9Y8K/
simple.py script: https://pastebin.ubuntu.com/p/SJjbmqvBCX/

At the host level, I get:

Apr 13 13:28:32 pluto kernel: [874385.697085] audit: type=1400 audit(1586777312.909:111271): apparmor="DENIED" operation="bind" namespace="root//lxd-u-bionic_<var-snap-lxd-common-lxd>" profile="snap.mytest.advanced" pid=15062 comm="python3" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@mytest"

Which plug should I use? network, network-bind and network-control are not enough.

Thank you,
-Alvaro.

zoopp · April 13, 2020, 1:02pm

I had a similar use case to what you want to achieve. While I don’t recall where exactly I found the information, I do recall that in order to use abstract namespace UNIX domain sockets I had to use the following name format as the bind point: snap.<snap-name>.<socket-name>.

In your case, s.bind("\0snap.mytest.mytest") should do it.

aluria · April 14, 2020, 7:28am

Wow, that worked, thank you. I only needed the network and network-bind plugs.

I think the network-bind interface (or the one that sets up the apparmor profile) should document this.

Thanks again,
-Alvaro.