Tizonia snap: apparmor="DENIED"; Suggestion: adjust program to use TMPDIR or /tmp

Hi,

My app Tizonia is receiving this denial when trying to access (read and write) a location under /var/tmp

I don’t understand very well the suggestion message:

  • ‘adjust program to use TMPDIR or /tmp’

since the contents of /var/tmp and /tmp have potentially different lifetimes. Also what is TMPDIR?

Thanks

sudo /snap/bin/snappy-debug.security scanlog tizonia
INFO: following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug.security scanlog
kernel.printk_ratelimit = 0
= AppArmor =
Time: Apr 11 16:54:47
Log: apparmor="DENIED" operation="open" profile="snap.tizonia.tizonia" name="/var/tmp/tizonia-joni-spotify-jarubio2001/settings" pid=29240 comm="audio_source" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /var/tmp/tizonia-joni-spotify-jarubio2001/settings (read)
Suggestion:
* adjust program to use TMPDIR or /tmp

= AppArmor =
Time: Apr 11 16:54:47
Log: apparmor="DENIED" operation="open" profile="snap.tizonia.tizonia" name="/var/tmp/tizonia-joni-spotify-jarubio2001/user-cache.bnk" pid=29240 comm="audio_source" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /var/tmp/tizonia-joni-spotify-jarubio2001/user-cache.bnk (read)
Suggestion:
* adjust program to use TMPDIR or /tmp

= AppArmor =
Time: Apr 11 16:54:47
Log: apparmor="DENIED" operation="open" profile="snap.tizonia.tizonia" name="/var/tmp/tizonia-joni-spotify-jarubio2001/Storage/index.dat" pid=29240 comm="audio_source" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
File: /var/tmp/tizonia-joni-spotify-jarubio2001/Storage/index.dat (write)
Suggestion:
* adjust program to use TMPDIR or /tmp

As snappy-debug says, /var/tmp is not allowed and the snap needs to be adjusted to not use it (snaps aren’t allowed to share content in directories like /tmp, /run/shm or /var/tmp. This is one reason why we use a mount namespace, so the snap has a snap-specific /tmp directory).

So, you can do like snappy-debug says: adjust the snap to just use /tmp (which again is specific to the snap) or set the TMPDIR environment variable to point to somewhere the snap can write to (eg, /tmp, $SNAP_COMMON/tmp, etc) or patch the application to write out to somewhere the snap can write to.

My question comes because the contents of /tmp are usually not persisted across reboots but those of /var/tmp are (if I’m not mistaken). libspotify needs to store a 1GB cache somewhere, so ideally a persistent location.

So what would be the equivalent of that in the snap world?

If you want a single cache file to be created by any user but readable by all users, I suggest creating $SNAP_COMMON/tmp with 1777 permissions (eg, via install hook, but you’ll have to manage the permissions on the cache file).

If you want a per-user cache file, I suggest just putting the file somewhere in $SNAP_USER_COMMON.

Since neither of these is cleaned on reboot, it should work for your needs.
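The two options above (a shared, sticky-bit `$SNAP_COMMON/tmp` created from an install hook, or a per-user directory under `$SNAP_USER_COMMON`), together with the earlier suggestion of pointing `TMPDIR` at a writable location, as an added shell example. This is not Tizonia's code and not from the thread; snapd sets `SNAP_COMMON` and `SNAP_USER_COMMON` inside the snap, and when run outside one the script falls back to throwaway directories constructed for the demo. The function names are my own.

```shell
#!/bin/sh
# Added example (not Tizonia's or snapd's code): prepare the cache locations
# that work inside snap confinement instead of /var/tmp.
set -eu

# Shared scratch directory under $SNAP_COMMON, mode 1777 like /tmp: any user
# can create files there, but the sticky bit means only a file's owner (or
# root) can remove or rename it. Files created inside still need their own
# sane permissions; the directory mode does not protect their contents.
prepare_shared_tmp() {
    base="$1"
    dir="$base/tmp"
    mkdir -p "$dir"
    chmod 1777 "$dir"
    printf '%s\n' "$dir"
}

# Per-user cache directory under $SNAP_USER_COMMON. This path is already
# private to the user and is not wiped on reboot or on snap refresh, so a
# large cache (such as libspotify's) can live here. Mode 700 keeps it
# readable only by its owner.
per_user_cache_dir() {
    base="$1"
    dir="$base/cache"
    mkdir -p "$dir"
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Octal permission bits of a path, including the sticky bit (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Stand-alone run: snapd exports SNAP_COMMON/SNAP_USER_COMMON inside a snap;
# outside one, use temporary directories constructed for this demo.
demo_common="${SNAP_COMMON:-$(mktemp -d)}"
demo_user_common="${SNAP_USER_COMMON:-$(mktemp -d)}"

shared="$(prepare_shared_tmp "$demo_common")"
userdir="$(per_user_cache_dir "$demo_user_common")"

# Point TMPDIR at a location the confined app may write, as snappy-debug
# suggested, so libraries that honour TMPDIR stop reaching for /var/tmp.
export TMPDIR="$shared"

echo "shared scratch dir: $shared (mode $(mode_of "$shared"))"
echo "per-user cache dir: $userdir (mode $(mode_of "$userdir"))"
echo "TMPDIR=$TMPDIR"
```

In a real snap the first function would run from `snap/hooks/install` (the hook snapd executes once at install time), and `TMPDIR` would normally be set through the `environment:` key of the app in `snapcraft.yaml` rather than exported at runtime. The per-user variant needs no hook at all, since `$SNAP_USER_COMMON` is created by snapd per user and is the simpler choice when nothing has to be shared between users.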

@jdstrand

Thanks, this requires a cache folder per user. So I will use $SNAP_USER_COMMON.

Cheers