Using custom Python version - pip fails

We have a somewhat large piece of SW that needs to run as a snap. We’ve done it originally and the base has been core. We now need to update it, as Python 3.5 is EOL and one piece of the SW is actually a Python-based tool. It uses the cryptography module, which has a CVE in the earlier versions and cryptography version 39.x only supports Python 3.6 or newer.

So, two choices (as far as I see it).

  1. update Python itself or
  2. update Core image to a newer one (core20 or core22)

However, both are now failing.

Update Python

I found instructions on how to update Python, and it actually builds Python 3.9 and so forth, but when snapcraft tries to install the requirements.txt it still complains about Python 3.5; clearly it is using that one, as the requirements cannot be met.

How do I ensure the Python 3.9 build is actually the one getting used as well?

   edge-core-tool:
      after:
        - python39
        - edge-core-src
      plugin: python
      source: "${SNAPCRAFT_STAGE}/edge-core-src.tgz"
      source-subdir: edge-tool
      build-environment:
        - SNAPCRAFT_PYTHON_INTERPRETER: "${SNAPCRAFT_STAGE}/bin/python3.9"
      requirements: [ "${SNAPCRAFT_PART_SRC}/edge-tool/requirements.txt" ]

Example of failure:

Pulling edge-core-tool 
+ snapcraftctl pull
DEPRECATION: Python 3.5 reached the end of its life on September 13th, 2020. Please upgrade your Python as Python 3.5 is no longer maintained. pip 21.0 will drop support for Python 3.5 in January 2021. pip 21.0 will remove support for this functionality.
DEPRECATION: Python 3.5 reached the end of its life on September 13th, 2020. Please upgrade your Python as Python 3.5 is no longer maintained. pip 21.0 will drop support for Python 3.5 in January 2021. pip 21.0 will remove support for this functionality.
DEPRECATION: Python 3.5 reached the end of its life on September 13th, 2020. Please upgrade your Python as Python 3.5 is no longer maintained. pip 21.0 will drop support for Python 3.5 in January 2021. pip 21.0 will remove support for this functionality.
Collecting docopt==0.6.2
  Downloading docopt-0.6.2.tar.gz (25 kB)
ERROR: Could not find a version that satisfies the requirement cbor2==5.4.6
ERROR: No matching distribution found for cbor2==5.4.6
Failed to run '/build/parts/edge-core-tool/install/usr/bin/python3 -m pip download --disable-pip-version-check --dest /build/parts/edge-core-tool/python-packages --requirement /build/parts/edge-core-tool/src/edge-tool/requirements.txt': Exited with code 1.

Life would be a lot easier if you could just give the python plugin the version of Python you want to use…

Code is available at: https://github.com/PelionIoT/snap-pelion-edge/tree/core18

You first need to build the docker image used for building it:

docker build --no-cache -f Dockerfile.snapcore --label snapcore/snapcraft --tag ${USER}/snapcraft:latest .

and then the actual snapcraft build:

docker run --rm -v "$PWD":/build -w /build ${USER}/snapcraft:latest bash -c "sudo apt-get update && snapcraft --debug"

In case you want to reproduce this issue.

If I update the base image to core20/core22, the cmake step fails, as it can’t compile the test programs. It does not find gmake for some reason (but that’s another post).

Hi, setting that environment variable is from the newer plugins; to use the python you probably want to look at

and set an installation prefix so python is installed in some of the default paths inside the stage directory; additionally (or instead), in build-environment, instead of the envvar you use, set the appropriate PATH to the interpreter and make sure it is the first element in that PATH search.

Would anyone have an example of this?
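One way to apply the advice in the reply above (install prefix plus PATH), written here as an added illustration rather than code from the thread or from the PelionIoT project. It assumes base: core18 with the legacy autotools plugin (configflags), a placeholder Python tarball URL and checksum, and the part names from the question:

```yaml
parts:
  python39:
    plugin: autotools
    # Placeholder: pin an exact 3.9.x release and take the checksum from python.org
    source: https://www.python.org/ftp/python/3.9.x/Python-3.9.x.tgz
    source-checksum: sha256/<fill-in-from-python.org>
    build-packages:
      - libssl-dev    # ssl module; pip needs it to reach PyPI over TLS
      - libffi-dev    # _ctypes, required by the cryptography wheel
      - zlib1g-dev
    configflags:
      # --prefix=/usr makes "make install DESTDIR=..." land the interpreter at
      # $SNAPCRAFT_PART_INSTALL/usr/bin/python3.9 (and the python3 symlink),
      # i.e. $SNAPCRAFT_STAGE/usr/bin/python3 after the stage step, which is
      # one of the default locations the core18 python plugin looks in.
      - --prefix=/usr
      - --with-ensurepip=install
    stage-packages:
      - libssl1.1     # runtime copies of the libraries python was linked against
      - libffi6

  edge-core-tool:
    after:
      - python39
      - edge-core-src
    plugin: python
    source: "${SNAPCRAFT_STAGE}/edge-core-src.tgz"
    source-subdir: edge-tool
    build-environment:
      # Staged interpreter first, so "python3" never resolves to the host's 3.5
      - PATH: "${SNAPCRAFT_STAGE}/usr/bin:${PATH}"
    requirements: [ "${SNAPCRAFT_PART_SRC}/edge-tool/requirements.txt" ]
    override-build: |
      # Fail early, before pip runs, if the wrong interpreter is still first in PATH
      python3 -c 'import sys; assert sys.version_info >= (3, 6), sys.version'
      snapcraftctl build
```

On core20/core22 the plugin property names differ (for example autotools-configure-parameters instead of configflags), so the same idea has to be re-expressed for the newer plugin API.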

I’d say that updating the base is the way to go. Is this still happening? It looks a bit strange because AFAIK gmake is how BSD calls the GNU make, and cmake shouldn’t be looking for that. Does it work if you build it by hand on 22.04 (without using Snapcraft)?

We have updated the base. The project originally started with base: core, and we then updated to base: core18, which will still fail as it has Python 3.5, so now we have updated to base: core20.

None of these updates were trivial, the snapcraft.yaml and the plug-in behavior changes with EVERY single version. None of them are backwards compatible. This is not a very good developer UX, to be honest.

We are now at core20 and this means the Python problems are gone (and we run a Python version that actually still has active support). However, all kinds of other things now break. Have the AppArmor / security measures been heavily changed as well?

  • Our program needs to modify for example /etc/hosts and that used to work - now it won’t work anymore. (Update: this works now - you have to have installed snap network-manager and modem-manager to enable this).
  • We need to install docker and it needs to access /proc/1736/mountinfo and that’s denied as well.

We have a large list of plugs defined in the snapcraft.yaml, but it seems they are not doing what they used to do.

The gmake not found problem is resolved. I think it was finally a full clean that fixed that issue.

Things shouldn’t change as drastically now that the plugin API is defined by Craft Parts and not by Snapcraft itself. I agree that the previous changes are confusing, plugins were actually rewritten from core/core18 to core20/core22 with changes in property names (e.g. “configflags” to “autotools-configure-parameters”) or behavior (e.g. expecting certain components to be supplied by the build host instead of auto-installing them, or explicitly requiring ELF patching to be enabled in classic snaps).

I’m not aware of big changes in that area, maybe @ogra could comment on that?

Full clean is always a good idea after significant changes in dependencies or file layouts. Incremental rebuilding is faster during development cycles, but to generate final production artifacts it’s safer and much more predictable if you work on a clean environment.

I’m not aware of any changes either …

Hi,

these are the errors I’m seeing in journalctl for AppArmor:

maalis 30 15:14:12 ubuntu-20-04 audit[5454]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=5454 comm="mount" exe="/snap/pelion-edge/x1/bin/mount" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f96f5b86c7e code=0x50000
maalis 30 15:14:12 ubuntu-20-04 audit[5460]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/run/mount/utab" pid=5460 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5460]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=5460 comm="umount" exe="/snap/pelion-edge/x1/bin/umount" sig=0 arch=c000003e syscall=166 compat=0 ip=0x7f40ca34f16b code=0x50000
maalis 30 15:14:12 ubuntu-20-04 audit[5461]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5461/mountinfo" pid=5461 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5461]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5461/mounts" pid=5461 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5462]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5462/mountinfo" pid=5462 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5462]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5462/mounts" pid=5462 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5463]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=5463 comm="mount" exe="/snap/pelion-edge/x1/bin/mount" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f4a93edec7e code=0x50000
maalis 30 15:14:12 ubuntu-20-04 audit[5468]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/run/mount/utab" pid=5468 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5468]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=5468 comm="umount" exe="/snap/pelion-edge/x1/bin/umount" sig=0 arch=c000003e syscall=166 compat=0 ip=0x7f4e0f12316b code=0x50000
maalis 30 15:14:12 ubuntu-20-04 audit[5470]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5470/mountinfo" pid=5470 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5470]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5470/mounts" pid=5470 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5471]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5471/mountinfo" pid=5471 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5471]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5471/mounts" pid=5471 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5472]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=5472 comm="mount" exe="/snap/pelion-edge/x1/bin/mount" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f5adee74c7e code=0x50000
maalis 30 15:14:12 ubuntu-20-04 audit[5473]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/run/mount/utab" pid=5473 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5473]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=5473 comm="umount" exe="/snap/pelion-edge/x1/bin/umount" sig=0 arch=c000003e syscall=166 compat=0 ip=0x7fdf720ae16b code=0x50000
maalis 30 15:14:12 ubuntu-20-04 audit[5478]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5478/mountinfo" pid=5478 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5478]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5478/mounts" pid=5478 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5479]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5479/mountinfo" pid=5479 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5479]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/5479/mounts" pid=5479 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 audit[5499]: AVC apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/sys/kernel/security/apparmor/profiles" pid=5499 comm="grep" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
maalis 30 15:14:12 ubuntu-20-04 pelion-edge.dockerd[5499]: grep: /sys/kernel/security/apparmor/profiles: Permission denied

Sounds like I should map some interfaces/plugs to the mount capability?

What does the snappy-debug tool (from the snappy-debug snap) suggest when you run it alongside your snapped app?

Good tip, that tool does seem to give more tangible advice. It unfortunately does say a LOT.

13:29 jannek@ubuntu-20-04:~$ snappy-debug
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= AppArmor =
Time: Mar 31 13:52:33
Log: apparmor="DENIED" operation="connect" profile="snap.pelion-edge.edge-core" name="/run/snapd.socket" pid=139799 comm="curl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /run/snapd.socket (write)

= AppArmor =
Time: Mar 31 13:52:34
Log: apparmor="DENIED" operation="connect" profile="snap.pelion-edge.edge-core" name="/run/snapd.socket" pid=139832 comm="curl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
File: /run/snapd.socket (write)

= AppArmor =
Time: Mar 31 13:52:34
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/139837/mountinfo" pid=139837 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/139837/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:34
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/139837/mounts" pid=139837 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/139837/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:35
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/139347/uid_map" pid=139347 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/139347/uid_map (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/uid_map'
* add 'steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:35
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/proc/139347/mountinfo" pid=139347 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/139347/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'

= Seccomp =
Time: Mar 31 13:52:35
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=139347 comm="dockerd" exe="/snap/pelion-edge/x1/bin/dockerd" sig=0 arch=c000003e 260(fchownat) compat=0 ip=0x563293deba4a code=0x50000
Syscall: fchownat
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'fchownat'
* ignore the denial if the program otherwise works correctly (unconditial chown is often just noise)

= Seccomp =
Time: Mar 31 13:52:36
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=139879 comm="mount" exe="/snap/pelion-edge/x1/bin/mount" sig=0 arch=c000003e 165(mount) compat=0 ip=0x7f7688369c7e code=0x50000
Syscall: mount
Suggestion:
* add one of 'cifs-mount, fuse-support, mount-control, network-control, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:36
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.dockerd" name="/run/mount/utab" pid=139880 comm="umount" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/mount/utab (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'mount-observe' to 'plugs'

= Seccomp =
Time: Mar 31 13:52:36
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 subj=snap.pelion-edge.dockerd pid=139880 comm="umount" exe="/snap/pelion-edge/x1/bin/umount" sig=0 arch=c000003e 166(umount2) compat=0 ip=0x7f818574916b code=0x50000
Syscall: umount2
Suggestion:
* add one of 'cifs-mount, mount-control, network-control, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/run/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /run/log/journal/ (read)
Suggestions:
* adjust program to use $SNAP_DATA
* adjust program to use /run/shm/snap.$SNAP_NAME.*
* adjust program to use /run/snap.$SNAP_NAME.*
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:42
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.fluent-bit" name="/var/log/journal/" pid=140264 comm="flb-pipeline" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /var/log/journal/ (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'log-observe' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:56
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140491/mountinfo" pid=140491 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140491/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:52:56
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140491/mounts" pid=140491 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140491/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:53:06
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140594/mountinfo" pid=140594 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140594/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:53:06
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140594/mounts" pid=140594 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140594/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:53:16
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140698/mountinfo" pid=140698 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140698/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:53:16
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140698/mounts" pid=140698 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140698/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:53:26
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140789/mountinfo" pid=140789 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140789/mountinfo (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
* add one of 'mount-control, mount-observe, steam-support' to 'plugs'

= AppArmor =
Time: Mar 31 13:53:26
Log: apparmor="DENIED" operation="open" profile="snap.pelion-edge.edge-core" name="/proc/140789/mounts" pid=140789 comm="df" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
File: /proc/140789/mounts (read)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/mounts'
* add one of 'mount-control, mount-observe, network-control, steam-support' to 'plugs'

Well, it gives you pretty precise suggestions about the plugs you could/should use … though note that access to the snapd socket (the first two denials without suggestion) will normally not be granted to snaps in the global store; access to this socket via the snapd-control interface is reserved for dedicated device stores used by Ubuntu Core.
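Turning the snappy-debug output above and the note about snapd-control into per-app plugs, as an added illustration that is not from the thread or the PelionIoT snapcraft.yaml. The command paths for edge-core and fluent-bit are assumed (only bin/dockerd appears in the logs), and each plug is the narrowest interface that covers the denial it is commented with:

```yaml
apps:
  edge-core:
    command: bin/edge-core          # assumed path
    daemon: simple
    plugs:
      - network
      - mount-observe   # df reads @{PROC}/@{pid}/mountinfo and mounts: read-only,
                        # so prefer this over the much broader mount-control
      # No plug fixes the "connect /run/snapd.socket" denials from curl:
      # snapd-control is not granted in the global store, so the program has
      # to stop talking to snapd (or ship through a device store).
  dockerd:
    command: bin/dockerd            # from exe="/snap/pelion-edge/x1/bin/dockerd"
    daemon: simple
    plugs:
      - docker-support  # what the upstream docker snap uses: covers the mount /
                        # umount2 syscalls, /run/mount/utab and the AppArmor
                        # profile listing that snappy-debug only offers
                        # steam-support or mount-control for; it is a restricted
                        # interface and needs store approval before it connects
      - network-control
      - mount-observe   # @{PROC}/@{pid}/mountinfo reads from dockerd itself
      # fchownat: per snappy-debug, ignore if dockerd otherwise works (noise
      # from unconditional chown), rather than widening the policy for it
  fluent-bit:
    command: bin/fluent-bit         # assumed path
    daemon: simple
    plugs:
      - log-observe     # /run/log/journal/ and /var/log/journal/ (read)
```

None of mount-observe, docker-support or log-observe auto-connect, so for local testing connect them explicitly (for example `sudo snap connect pelion-edge:mount-observe`) and confirm with `snap connections pelion-edge` before re-reading the audit log.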

Thanks for the good tips, I’ll start working through that list.

Interestingly enough, it seems that Snap store is not compliant either.

$ snappy-debug
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
= AppArmor =
Time: Mar 31 16:03:28
Log: apparmor="DENIED" operation="open" profile="snap.snap-store.ubuntu-software" name="/var/lib/snapd/hostfs/usr/share/gdm/greeter/applications/gnome-initial-setup.desktop" pid=4290 comm="pool-org.gnome." requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
File: /var/lib/snapd/hostfs/usr/share/gdm/greeter/applications/gnome-initial-setup.desktop (read)
Suggestions:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* adjust snap to use snap layouts (https://forum.snapcraft.io/t/snap-layouts/7207)

= Seccomp =
Time: Mar 31 16:03:28
Log: auid=1000 uid=1000 gid=1000 ses=3 subj=snap.snap-store.ubuntu-software pid=4290 comm="pool-org.gnome." exe="/snap/snap-store/638/usr/bin/snap-store" sig=0 arch=c000003e 93(fchown) compat=0 ip=0x7faa8209139b code=0x50000
Syscall: fchown
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* try the snapcraft preload plugin: https://github.com/sergiusens/snapcraft-preload
* adjust program to not use 'fchown'
* ignore the denial if the program otherwise works correctly (unconditial chown is often just noise)