I’m trying to use some python 3 code in my configure hook.
So far pretty ugly, but here goes
passthrough:
  hooks:
    configure:
      environment:
        # make jsonmerge module available to the configure script
        PYTHONPATH: $PYTHONPATH:$SNAP/lib/python3.6/site-packages
parts:
  configure-hook-python-dependencies:
    plugin: python
    python-version: python3
    python-packages: [jsonmerge]
(Side note: I use python3.6/site-packages because, from snapcraft --shell, I can tell that this is where jsonmerge ends up. I don’t know how to make this work generically.)
Later in my configure script I have a python3 -c:
/usr/bin/python3 -c '
from jsonmerge import merge
...
'
The configure script fails with
ImportError: /usr/lib/python3.6/lib-dynload/_csv.cpython-36m-x86_64-linux-gnu.so: failed to map segment from shared object
The corresponding apparmor denial is
AVC apparmor="DENIED" operation="file_mmap" profile="snap.x.hook.configure" name="/usr/lib/python3.6/lib-dynload/_csv.cpython-36m-x86_64-linux-gnu.so" pid=7910 comm="python3" requested_mask="m" denied_mask="m" fsuid=0 ouid=0
The apparmor profile, indeed, does not allow anything higher than python 3.5:
$ apparmor_parser -p /var/lib/snapd/apparmor/profiles/snap.x.hook.configure | grep lib-dynload
/usr/lib{,32,64}/python3.[0-5]/lib-dynload/*.so mr,
/usr/local/lib{,32,64}/python3.[0-5]/lib-dynload/*.so mr,
So, in my understanding, the snap gets an entire python 3.6 runtime due to its using core18 as the base, and a pip install does happen for jsonmerge. But the 16.04 host apparmor python profile (which only knows python up to 3.5) prevents the snap from using 3.6+ shared libraries within that pip-installed package.
It feels intuitively wrong that the host restricts the view of the snap to the known versions of python at the time of release for the host OS. And the snap might be packaging python 3.7 for all we know, which not even core18 knows about. So either the stock Ubuntu 16.04 is too restrictive, or the generation of the apparmor profile done in snapd is.
What is the correct way to fix this? I don’t want to change my host apparmor python abstraction profile to make it more permissive, because that step would have to be performed for everyone running 16.04, which also feels wrong. I’m looking for the snapcraft way to do this correctly, or a confirmation that this is a bug.
I tried to find where apparmor profiles are generated in the snapd repo, but came up empty. I could investigate further if someone can point out which part of the code builds the profile.
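To confirm the diagnosis above without editing any profile, here is an added example (not from the post or from snapd) that parses the AVC denial line and checks the denied path against the two lib-dynload rules printed by apparmor_parser. It assumes the usual AppArmor glob semantics: `*` does not cross `/`, `**` does, `{a,b}` is alternation and `[...]` is a character class; nested braces are not handled.

```python
import re

# Constructed sample input: the AVC denial and the two profile rules quoted in the post.
DENIAL = ('AVC apparmor="DENIED" operation="file_mmap" profile="snap.x.hook.configure" '
          'name="/usr/lib/python3.6/lib-dynload/_csv.cpython-36m-x86_64-linux-gnu.so" '
          'pid=7910 comm="python3" requested_mask="m" denied_mask="m" fsuid=0 ouid=0')
RULES = [
    "/usr/lib{,32,64}/python3.[0-5]/lib-dynload/*.so",
    "/usr/local/lib{,32,64}/python3.[0-5]/lib-dynload/*.so",
]

def parse_denial(line):
    """Extract key=value and key="value" fields from an AVC log line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex (assumed semantics:
    '*' stays within one path component, '**' spans '/', '{a,b}' alternates,
    '[...]' is a character class; nested braces are not supported)."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "{":
            j = glob.index("}", i)
            alts = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def rule_permits(rule, path):
    """True if the rule's path glob covers the given path."""
    return glob_to_regex(rule).match(path) is not None

def explain(denial_line, rules):
    """Report which rules (if any) would have covered the denied path."""
    f = parse_denial(denial_line)
    return {"profile": f["profile"], "path": f["name"], "mask": f["requested_mask"],
            "matching_rules": [r for r in rules if rule_permits(r, f["name"])]}
```

Running `explain(DENIAL, RULES)` returns an empty `matching_rules` list for the 3.6 path, while the same file under a python3.5 directory is covered by the first rule.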