Strict confinement for an application based on a JRE

I’m trying to snap a Java application using strict confinement, but it doesn’t work. This is the output of snappy-debug:

= AppArmor =
Time: Apr 21 11:02:30
Log: apparmor="ALLOWED" operation="open" profile="snap.arubasign.arubasign" name="/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/snap.arubasign.arubasign-f03d05d4-66ee-4f8a-ae07-dde919660ecf.scope/memory.use_hierarchy" pid=10804 comm="arubasign64" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/snap.arubasign.arubasign-f03d05d4-66ee-4f8a-ae07-dde919660ecf.scope/memory.use_hierarchy (read)
Suggestions:
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/snap.arubasign.arubasign-f03d05d4-66ee-4f8a-ae07-dde919660ecf.scope/memory.use_hierarchy'
* adjust program to not access '/sys/fs/cgroup/memory/user.slice/user-[0-9]*.slice/user@[0-9]*.service/snap.arubasign.arubasign-f[0-9]*d[0-9]*d[0-9]*-[0-9]*ee-[0-9]*f[0-9]*a-ae[0-9]*-dde[0-9]*ecf.scope/memory.use_hierarchy'

= AppArmor =
Time: Apr 21 11:02:30
Log: apparmor="ALLOWED" operation="open" profile="snap.arubasign.arubasign" name="/proc/10804/coredump_filter" pid=10804 comm="arubasign64" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
File: /proc/10804/coredump_filter (write)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/coredump_filter'

= AppArmor =
Time: Apr 21 11:02:31
Log: apparmor="ALLOWED" operation="mknod" profile="snap.arubasign.arubasign" name="/home/xidera/.ArubaSign/log/ArubaSign.log" pid=10804 comm="arubasign64" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
File: /home/xidera/.ArubaSign/log/ArubaSign.log (write)
Suggestions:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'personal-files (see https://forum.snapcraft.io/t/the-personal-files-interface for acceptance criteria)' to 'plugs'

= AppArmor =
Time: Apr 21 11:02:31
Log: apparmor="ALLOWED" operation="open" profile="snap.arubasign.arubasign" name="/home/xidera/.ArubaSign/log/ArubaSign.log" pid=10804 comm="arubasign64" requested_mask="ac" denied_mask="ac" fsuid=1000 ouid=1000
File: /home/xidera/.ArubaSign/log/ArubaSign.log (write)
Suggestions:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'personal-files (see https://forum.snapcraft.io/t/the-personal-files-interface for acceptance criteria)' to 'plugs'

= AppArmor =
Time: Apr 21 11:02:31
Log: apparmor="ALLOWED" operation="file_mmap" profile="snap.arubasign.arubasign" name="/home/xidera/.swt/lib/linux/x86_64/libswt-gtk-4763.so" pid=10804 comm="arubasign64" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
File: /home/xidera/.swt/lib/linux/x86_64/libswt-gtk-4763.so (mmap)
Suggestion:
* add 'personal-files (see https://forum.snapcraft.io/t/the-personal-files-interface for acceptance criteria)' to 'plugs'

= AppArmor =
Time: Apr 21 11:02:31
Log: apparmor="ALLOWED" operation="open" profile="snap.arubasign.arubasign" name="/home/xidera/.swt/lib/linux/x86_64/libswt-pi3-gtk-4763.so" pid=10804 comm="arubasign64" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /home/xidera/.swt/lib/linux/x86_64/libswt-pi3-gtk-4763.so (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'personal-files (see https://forum.snapcraft.io/t/the-personal-files-interface for acceptance criteria)' to 'plugs'

= AppArmor =
Time: Apr 21 11:02:31
Log: apparmor="ALLOWED" operation="file_mmap" profile="snap.arubasign.arubasign" name="/home/xidera/.swt/lib/linux/x86_64/libswt-pi3-gtk-4763.so" pid=10804 comm="arubasign64" requested_mask="rm" denied_mask="rm" fsuid=1000 ouid=1000
File: /home/xidera/.swt/lib/linux/x86_64/libswt-pi3-gtk-4763.so (mmap)
Suggestion:
* add 'personal-files (see https://forum.snapcraft.io/t/the-personal-files-interface for acceptance criteria)' to 'plugs'

= AppArmor =
Time: Apr 21 11:02:31
Log: apparmor="ALLOWED" operation="open" profile="snap.arubasign.arubasign" name="/home/xidera/.swt/lib/linux/x86_64/libswt-pi3-gtk-4763.so" pid=10804 comm="arubasign64" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /home/xidera/.swt/lib/linux/x86_64/libswt-pi3-gtk-4763.so (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'personal-files (see https://forum.snapcraft.io/t/the-personal-files-interface for acceptance criteria)' to 'plugs'

The only way I have found to get the app working is to apply classic confinement, but I would prefer to use strict confinement if possible.

Does anybody have a clue that could help me to achieve that?

Try setting

-Djava.util.prefs.userRoot=\"$SNAP_USER_DATA\"

In your command: to make it use the proper snap homedir…
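
Added example (not part of the thread and not snapd's own tooling): a short Python triage of the AppArmor records that snappy-debug printed in the question. It groups them by the location the application touches, so each group can be checked against the confinement one at a time. The sample lines are copied from the question; the function names and the grouping scheme are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: four "Log:" lines copied from the snappy-debug output in the question.
SAMPLE = """\
apparmor="ALLOWED" operation="open" profile="snap.arubasign.arubasign" name="/proc/10804/coredump_filter" pid=10804 comm="arubasign64" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="mknod" profile="snap.arubasign.arubasign" name="/home/xidera/.ArubaSign/log/ArubaSign.log" pid=10804 comm="arubasign64" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.arubasign.arubasign" name="/home/xidera/.ArubaSign/log/ArubaSign.log" pid=10804 comm="arubasign64" requested_mask="ac" denied_mask="ac" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="file_mmap" profile="snap.arubasign.arubasign" name="/home/xidera/.swt/lib/linux/x86_64/libswt-gtk-4763.so" pid=10804 comm="arubasign64" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one AppArmor audit record into a dict of its key=value fields."""
    return {k: (q if q else b) for k, q, b in KV.findall(line)}

def target(path):
    """Collapse a concrete path into the location a reviewer would reason about."""
    m = re.match(r"/home/[^/]+/(\.[^/]+)(?:/|$)", path)
    if m:
        return "$HOME/" + m.group(1)            # dot-directory in the real home
    m = re.match(r"/proc/\d+/(.+)", path)
    if m:
        return "@{PROC}/@{pid}/" + m.group(1)   # same notation snappy-debug prints
    if path.startswith("/sys/fs/cgroup/"):
        return "/sys/fs/cgroup/.../" + path.rsplit("/", 1)[1]
    return path

def triage(lines):
    """Return {target: {"masks": str, "ops": [...], "enforced": bool}}."""
    out = defaultdict(lambda: {"masks": set(), "ops": set(), "enforced": False})
    for line in lines:
        rec = parse_line(line)
        if "apparmor" not in rec or "name" not in rec:
            continue                            # not a file-access record
        entry = out[target(rec["name"])]
        entry["masks"] |= set(rec.get("denied_mask", ""))
        entry["ops"].add(rec.get("operation", "?"))
        # "ALLOWED" = complain mode: logged but permitted; "DENIED" = blocked.
        entry["enforced"] |= rec["apparmor"] == "DENIED"
    return {t: {"masks": "".join(sorted(e["masks"])), "ops": sorted(e["ops"]),
                "enforced": e["enforced"]} for t, e in out.items()}

if __name__ == "__main__":
    for t, e in sorted(triage(SAMPLE.splitlines()).items()):
        print(f"{t:35} masks={e['masks']:3} ops={','.join(e['ops'])} enforced={e['enforced']}")
```

Every record in the question is `ALLOWED`, so `enforced` stays false for all groups: the accesses were logged, not blocked, in that run.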