tar_extract_all() failed: Operation not permitted

I am attempting to create a snap of a patched stand-alone Python binary file and I would like to use grade: stable and confinement: strict.

The snap package for it is given below.

I have made it available from snapcraft.io and when I install it using sudo snap install run-simplepy and execute the command run-simplepy.runpyapp sample.py, I receive the error: python-bin: tar_extract_all() failed: Operation not permitted.

However, if I cd to /snap/run-simplepy/current, I can execute ./python-bin sample.py as expected. Why is my command failing when I am triggering it from outside the /snap dir?

My snapcraft.yaml file:

```yaml
name: run-simplepy
base: core18
version: '1.0.0'
summary: Simple Py
description: |
  Simple Py
grade: stable
confinement: strict
architectures:
  - build-on: amd64

apps:
  runpyapp:
    command: /snap/run-simplepy/current/python-bin

parts:
  cprog:
    source: https://github.com/**/run-simplepy/releases/download/v1.0.0/py.tar.gz
    plugin: dump
```

The py.tar.gz contains just the Python binary executable. I am able to download this executable and run it on the machine without issues. Also, I have tried experimenting with a different binary. I have tried the same process with a nodejs binary and I was receiving the same error when trying to execute a sample node.js script. Also, I am curious that the binary of a simple C program that just prints “hello” did not get any such error when trying to execute. I am wondering what the issue is with the Nodejs and Python binaries.

Hi @SrikarReddyKaremma, I am just getting started with snaps and stuff, but I believe in this case the issue is related to the confinement.

Please check this entry in the Snap Docs https://snapcraft.io/docs/snap-confinement:

  • Strict Used by the majority of snaps. Strictly confined snaps run in complete isolation, up to a minimal access level that’s deemed always safe. Consequently, strictly confined snaps can not access your files, network, processes or any other system resource without requesting specific access via an interface (see below).

This leads me to believe that your extract_all() function might be trying to access some existing file or creating some file and it doesn’t have permissions to do so.

Looking at the docs, you might want to check out devmode or classic confinement, with my intuition telling me that for your case, the classic confinement would suit you better.
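
One way to test the hypothesis in the reply above is to check, from inside the snap's confinement, where a process can actually create files and unpack a tar stream. The script below is an added example, not part of the thread or of the snap; the function names are hypothetical, and the `SNAP*` variables are the ones snapd sets for a running snap.

```shell
#!/bin/sh
# Added diagnostic example; probe_dir and probe_snap_dirs are hypothetical names.

# probe_dir DIR: attempt the steps a self-extracting binary needs in DIR
# (create a directory, write a file, unpack a tar stream).
# Prints "DIR<TAB>result"; returns 0 only if every step worked.
probe_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf '%s\tmissing\n' "$dir"
        return 1
    fi
    work=$(mktemp -d "$dir/probe.XXXXXX" 2>/dev/null) || {
        printf '%s\tcannot create directory\n' "$dir"
        return 1
    }
    rc=0
    result=ok
    mkdir "$work/src" "$work/dst" && echo data > "$work/src/member" || {
        rc=1
        result='cannot write file'
    }
    if [ "$rc" -eq 0 ]; then
        # Stream a one-member archive from src into dst.
        tar -cf - -C "$work/src" member | tar -xf - -C "$work/dst" 2>/dev/null
        [ -f "$work/dst/member" ] || { rc=1; result='tar extraction failed'; }
    fi
    rm -rf "$work"
    printf '%s\t%s\n' "$dir" "$result"
    return "$rc"
}

# Probe the temp dir, the snap's own directories and the current directory.
# Variables that are unset (for example outside a snap) are skipped.
probe_snap_dirs() {
    for d in "${TMPDIR:-/tmp}" "$SNAP" "$SNAP_DATA" "$SNAP_COMMON" \
             "$SNAP_USER_DATA" "$SNAP_USER_COMMON" "$PWD"; do
        if [ -n "$d" ]; then
            probe_dir "$d" || true
        fi
    done
}

probe_snap_dirs
```

Pasting it into a shell started with `snap run --shell run-simplepy.runpyapp` runs the probes under the same confinement as the app, so the output can be compared with a run in an ordinary terminal.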