Strict confinement apparmor="DENIED"

MeccNova · February 15, 2021, 10:52am

Hi all,
I’m new to the forum and the snaps.
I wrote a python service and relative snap in devmode confinement and all works fine.
Now I recompiled snap in strict confinement, installed my python service on a Ubuntu Core 16 but the service can’t start.
So I finded the problems in debug logs with the command:

sudo journalctl | grep audit

When service try to start I get following two error about “apparmor” permission:

Feb 15 09:01:38 localhost.localdomain audit[25817]: AVC apparmor=“DENIED” operation=“open” profile=“snap.python-edge-platform.python-edge-platform” name="/home/boschrexroth/python-code/app.py" pid=25817 comm=“python3” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=1000
Feb 15 09:01:38 localhost.localdomain kernel: audit: type=1400 audit(1613379698.364:433519): apparmor=“DENIED” operation=“open” profile=“snap.python-edge-platform.python-edge-platform” name="/home/boschrexroth/python-code/app.py" pid=25817 comm=“python3” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=1000

I found also my file

/var/lib/snapd/apparmor/profiles/snap.python-edge-platform.python-edge-platform

But I don’t understand what I must modify in this file to change AppArmor policy on the target system.
I’m trying to follow the guide https://snapcraft.io/docs/debug-snaps, Section: AppArmor violations

Any suggestion?

Thank you all!

ogra · February 15, 2021, 11:15am

your snap tries to run code outside of its confinement in $HOME/python-code/ … this is indeed denied for security reasons, you need to include your python code in the snap and make sure your apps: entry in snapcraft.yaml points to the correct place to execute it from $SNAP/

MeccNova · February 16, 2021, 12:39pm

Hi Ogra,
Thanks for your helps.
Before in my run.sh file I had this call to my Python code:

python3 /home/myUser/python-code/app.py

Now I changed it to run the code inside the confinement:

python3 /snap/python-edge-platform/x1/app.py

And now the service starts correctly.
Thank you

alan_g · February 16, 2021, 4:30pm

You don’t want to use “x1” in the path. That will change when you refresh or install the snap again.

Instead use (recommended):

python3 $SNAP/app.py

or

python3 /snap/python-edge-platform/current/app.py

sergiusens · February 17, 2021, 2:23pm

Just a note that the latter alternative will break if using multiple instances (parallel installs)

MeccNova · February 22, 2021, 2:26pm

Thank you Alan
Now I corrected my run.sh to call app.py in this way, and works fine yet.