Using ROS2 snaps in strict mode gives error

I made a strict snap with ros2 simple daemon services for Ubuntu Core system.

It runs without any issue in devmode, but when I try running it in strict mode, it outputs "getifaddrs: Operation not permitted"

and when I check the log it displays "2021-09-24 14:03:04.543 [RTPS_TRANSPORT_SHM Error] Failed to create segment e8a3e74e78b78e78: Permission denied -> Function compute_per_allocation_extra_size"

I tried with snappy-debug and it said to add home to plugs, which I did, but nothing changed.

I couldn't debug this issue; why does this happen?

that sounds more like something like network-control or network-observe would help here, are you sure snappy-debug referred to exactly that error (it usually prints the actual denial alongside)

also, are you running your snap on Ubuntu Core? there the home plug does not get auto-connected, you need to connect it manually

snappy-debug output:

Time: Oct 15 08:36:10
Log: apparmor="DENIED" operation="open" profile="snap.turftank-software.eeprom-read" name="/home/ttank/" pid=4571 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
File: /home/ttank/ (read)
Suggestions:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
  • add 'home' to 'plugs'

I am running it on Ubuntu Core and I did connect the plugs manually.

I will try it with network-control and observe now. Thanks

are you running the command with sudo? (that does not update $HOME to /root like it should and where the snap would have access through the connected home plug) …

Yeah, I removed sudo and the home plug recommendation in snappy-debug does not appear. But I tried using the network-control and observe plugs and nothing has changed.

I still get "getifaddrs: Operation not permitted"

The new snappy-debug output when I run a ros2 client node:

= Seccomp =
Time: Oct 15 11:14:40
Log: auid=1000 uid=1000 gid=1000 ses=3 pid=13349 comm="python3" exe="/usr/bin/python3.8" sig=0 arch=c00000b7 198(socket) compat=0 ip=0xffff8f695978 code=0x50000
Syscall: socket
Suggestions:

  • add account-control (if using NETLINK_AUDIT)
  • add audio-playback (if using NETLINK_KOBJECT_UEVENT)
  • add bluetooth-control (if using AF_{ALG,BLUETOOTH})
  • add firewall-control (if using NETLINK_{FIREWALL,IP6_FW,NETFILTER,NF_LOG,ROUTE})
  • add hardware-observe (if using NETLINK_{GENERIC,KOBJECT_UEVENT})
  • add netlink-audit (if using NETLINK_AUDIT)
  • add netlink-connector (if using NETLINK_CONNECTOR)
  • add network (if using AF_INET{,6}, AF_CONN, NETLINK_ROUTE)
  • add network-bind (if using AF_INET{,6}, NETLINK_ROUTE)
  • add network-control (if using AF_{APPLETALK,BRIDGE,INET,INET6,IPX,PACKET,PPPOX,SNA}, NETLINK_{DNRTMSG,FIB_LOOKUP,GENERIC,INET_DIAG,ISCSI,KOBJECT_UEVENT,RDMA,ROUTE,XFRM})
  • add network-observe (if using SOCK_RAW, AF_INET{,6}), NETLINK_{GENERIC,INET_DIAG,KOBJECT_UEVENT,ROUTE})
  • add raw-usb (if using NETLINK_KOBJECT_UEVENT)
  • add time-control (if using NETLINK_AUDIT)
  • add upower-observe (if using NETLINK_KOBJECT_UEVENT)
  • add x11 (if using NETLINK_KOBJECT_UEVENT)

snappy-debug output when I restart the ros2 service:

= AppArmor =
Time: Oct 15 11:17:44
Log: apparmor="DENIED" operation="mknod" profile="snap.turftank-software.os-ros-server" name="/dev/shm/fastrtps_ff5dc87d62bcc531" pid=13425 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
File: /dev/shm/fastrtps_ff5dc87d62bcc531 (write)
Suggestions:

the socket() syscall needs network-bind, try adding that to your plugs … you should also keep using sudo (but put your files into the right directories root can read) since I doubt a normal user even has permissions to run getifaddrs()

regarding the /dev/shm access, just follow the suggestion of using the snapcraft_preload plugin … (or make your app not try to use /dev/shm directly … I think there is work going on to eventually have a shared-memory interface plug, but that's still in the planning phase and will take a while) …

Hi @ogra, I tried adding snapcraft_preload. It works now. But it always gives an error of

"2021-09-24 14:12:02.347 [RTPS_TRANSPORT_SHM Error] Failed to create segment 212c65e604b6d84c: Permission denied -> Function compute_per_allocation_extra_size
2021-09-24 14:12:02.347 [RTPS_MSG_OUT Error] Permission denied -> Function init"

Can I know why we need to add snapcraft-preload?

Also, when trying to run some apps in my snap, it displays

"ERROR: ld.so: object '/snap/turftank-software/x11/lib/libsnapcraft-preload.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored."

and it fails

this rather looks like your inclusion of snapcraft preload did not properly work yet …

snaps do not have direct access to /dev/shm under confinement, snapcraft preload should re-write this to an allowed location (/dev/shm/snap.$SNAP_NAME/):

parts:
  snapcraft-preload:
    source: https://github.com/sergiusens/snapcraft-preload.git
    plugin: cmake
    build-packages:
      - on arm64:
        - g++-multilib-arm-linux-gnueabihf
        - gcc-multilib-arm-linux-gnueabihf
    organize:
      usr/local/bin/snapcraft-preload: bin/snapcraft-preload
apps:
  os-ros-server:
    command: bin/snapcraft-preload opt/ros/foxy/bin/ros2 run tt2_os_ros_server os_service
    extensions: [ros2-foxy]
    plugs: [network, network-bind, i2c-1, network-manager, network-control]
    daemon: simple
    environment:
      PYTHONPATH: $SNAP/usr/lib/python3/dist-packages:$PYTHONPATH

This is how I did it in my snapcraft.yaml file, is this right?

it surely looks like … perhaps @sergiusens can chime in here

Hi,

I am using network-manager in my snap. When I try to run it through a shell script it displays "ERROR: ld.so: object '/snap//x11/lib/libsnapcraft-preload.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored."

But I tried to create an app which runs network-manager, and that doesn't give out any errors.

I did not wrap either of them in snapcraft-preload.

in snappy-debug I get

"adjust program to create files and directories in /dev/shm/snap.$SNAP_NAME.*"

How do I add my snap files outside the snap folder in /dev/shm?

you cannot; for security reasons, access to /dev/shm is blocked … for apps inside the same snap you can use /dev/shm/snap.$SNAP_NAME.* …

and to have your code dynamically re-use that path without having to patch all the functions that are trying to write to /dev/shm you can use the preload library that does dynamically re-write it …

to manage network-manager you should use the network-manager interface and talk to NM via dbus (which this interface fully grants) …
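To make the mechanism concrete, here is an added illustration of what such a preload library does (example code written for this thread, not snapcraft-preload's own implementation): an LD_PRELOAD shim that rewrites any /dev/shm/<name> the application opens into /dev/shm/snap.<SNAP_NAME>.<name>, the namespace the snap's confinement profile allows. The function and file names are assumptions; the sample path is the fastrtps segment from the denial above.

```c
/* shmshim.c: illustrative LD_PRELOAD shim (not snapcraft-preload's code).
   Rewrites /dev/shm/<name> to /dev/shm/snap.<SNAP_NAME>.<name>, the only
   part of /dev/shm a strictly confined snap may create files in. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHM_DIR "/dev/shm/"

/* Returns 0 and fills out with the confined path, 1 if path needs no change
   (not under /dev/shm, or already namespaced), -1 if out is too small. */
int rewrite_shm_path(const char *path, const char *snap, char *out, size_t n)
{
    size_t dlen = strlen(SHM_DIR);
    if (strncmp(path, SHM_DIR, dlen) != 0)
        return 1;
    const char *rest = path + dlen;
    char prefix[256];
    snprintf(prefix, sizeof prefix, "snap.%s.", snap);
    if (strncmp(rest, prefix, strlen(prefix)) == 0)
        return 1;                       /* already in the allowed namespace */
    int w = snprintf(out, n, "%s%s%s", SHM_DIR, prefix, rest);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

#ifdef SHM_SHIM
/* Interposed open(2), the call behind the "mknod" denial on /dev/shm.
   Build: gcc -shared -fPIC -DSHM_SHIM -o libshmshim.so shmshim.c -ldl
   Run:   LD_PRELOAD=./libshmshim.so SNAP_NAME=<your snap> <your app> */
int open(const char *path, int flags, ...)
{
    static int (*real_open)(const char *, int, ...);
    if (!real_open)
        real_open = dlsym(RTLD_NEXT, "open");
    int mode = 0;
    if (flags & O_CREAT) {              /* only then is a mode argument passed */
        va_list ap; va_start(ap, flags); mode = va_arg(ap, int); va_end(ap);
    }
    const char *snap = getenv("SNAP_NAME");  /* set by snapd inside a snap */
    char buf[4096];
    if (snap && rewrite_shm_path(path, snap, buf, sizeof buf) == 0)
        path = buf;
    return real_open(path, flags, mode);
}
#endif
```

Inside a snap, snapd exports SNAP_NAME itself, so the shim needs no extra configuration; a real shim would also interpose shm_open(), unlink() and the other /dev/shm entry points the application uses.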

Hi,

The /dev/shm access issue is related to the shared-memory functionality newly introduced in Fast-RTPS (DDS). This is a known issue (referenced e.g. here) and we're working on it together with eProsima. If you still have issues with snapcraft-preload, you could also try to build fastrtps/dds from source in your snap while disabling the shared-memory option; with the CMake flag SHM_TRANSPORT_DEFAULT if I'm not mistaken.
