I’m snapping geary, which uses sqlite3. This fails under strict confinement because of https://bugs.launchpad.net/snappy/+bug/1612759
This was " it is very high in the queue. Hoping to start on it early next week." back in January. Any updates on this?
@jdstrand Do you have news on this one?
That bug said that sqlite only uses fchown when running as root. OTOH I don’t recall when fchown policy for root was added, but it is in 2.27.6 which is in stable.
For other uses of the chown family of syscalls:
- the snapcraft preload part handles chown and lchown. It should probably be adjusted to handle fchown
- there is a PR up for review to change the seccomp denial behavior from kill to EPERM, which should make this less painful
- I’m actively working on more fully mediating the chown/setuid/setgid families of syscalls that will make this problem go away. This work will include policy that allows chowning and priv dropping to ‘daemon’ as well the calling user
@sergiusens Can we move on with the snapcraft preload piece as well?
Are you sure it’s that bug? By default SQLite wants to write temp files to /var/tmp/ or something that snaps don’t have access to. If you set SQLITE_TMPDIR to /tmp/ it will fix that problem.