Vmanager Snap Classic confinement

store
1

Hello everyone,

I need the the following app of ours to be aloud Classic Confinement.

The app is generating Backup files of the external devices it supports, the backups are stored in the /home/user/snap/vmanager/common/Backups folder, but want the user to press a button and open the folder in the file explorer for that we are using:
system(“xdg-open /home/user/snap/vmanager/common/Backups”);

You can find the debian version of the app below:
http://www.visualproductions.nl/downloads.html

2

Can you describe in more detail why you are requesting classic confinement? Does vmanager backup resources from the network? From the local machine? Do you only want classic confinement for the filemanager issue? Would the home interface suffice?

3

Hello @jdstrand,

Thank for the quick reply,

The file system issue is the only functionality that needs the classic confinement. The app works perfectly fine with the strict confinement.

To explain the issue better: All our apps create some metadata, for example options.xml, logs, etc and some shared metadata like backups ( of the external devices we manufacture not of the system ). Until now while we were distributing the apps through our website with .deb file format, when you installed the app and run it all the metadata where created and store in the home directory under a folder we created called Visual Productions/(the specific app or shared data). Now that we are redirected to the snap directory, it would be confusing for our customers that we changed the directory, so what we want is a button that opens the folder for them. That is all. The only reason we need the classic confinement.

This will also need to apply for 3 of our other apps that are already on the store with strict confident (Cuety, Kiosc, Kiosc Editor) I am also going to link you to the at the end of the post.

Greetings,

Michael.

Kiosc
Kiosc Editor
https://uappexplorer.com/snap/ubuntu/cuety

4

I wonder if instead of classic confinement you could instead use the home interface and adjust your program to use getpwent() to obtain the user’s home directory rather than relying on $HOME. Alternatively, you could create a small wrapper for your program that does:

#!/bin/sh -e
myid=$(id -u)
myhome=$(getent passwd "$myid" | cut -d ':' -f 6)
cd "$myhome"
mkdir "Visual Productions"
exec "$SNAP/path/to/your/app" "$@"
5

Hello @jdstrand

That would actually be really great and I will try it shortly, although the button is vital at this point. In the same lines Windows, and macOS redirect us to their sandboxing area and we use the strategy. And we would like to keep the consistency, for example some users use to platforms.

Greetings,

Michael.

6

I guess I don’t understand the ‘button to folder’ functionality, why it doesn’t work in strict mode and why classic is required. Can you give a description of what the user and app are supposed to do (eg, open the app, press this button, the app does this, the user does that, etc). Can you put your snap in strict mode, then can you paste the security denials after you exercise the application for your ‘button to folder’ functionality? (eg, journalctl | grep audit).

7

Hello @jdstrand,

Ok for example:

  • The user opens the app, and wants to restore one of the devices to the backup he has in his flash drive.
  • Now he will open the Restore Dialog, Press open “Folder” to go to the backup folder and he can right click paste the file from his flash drive.
  • Now he can go back to the app and restore his device.

The error I am getting in strict confinement is: sh: 1: xdg-open: Permission denied

Greetings,

Michael.

8

Is there a security denial in your logs for xdg-open? Eg: run journalctl | grep audit and paste the results for anything after you exercise the feature in your snap.

9

Hello @jdstrand,

Sorry for the delay.

Here is the result: I wasn’t sure if you needed only the vManager specific or everything so I am posting everything.

 okt 20 09:10:02 jurrien-desktop kernel: audit: initializing netlink subsys (disabled)
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=2000 audit(1508483400.656:1): initialized
 okt 20 09:10:02 jurrien-desktop audit[767]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined"                             name="/usr/lib/snapd/snap-confine" pid=767 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[767]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=767 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[758]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined"      name="/usr/lib/lightdm/lightdm-guest-session" pid=758 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[758]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/lightdm/lightdm-guest-session//chromium" pid=758 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[768]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=768 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=1400 audit(1508483402.884:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/snapd/snap-confine" pid=767 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=1400 audit(1508483402.884:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper"      pid=767 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=1400 audit(1508483402.884:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/lightdm/lightdm-guest-session" pid=758 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=1400 audit(1508483402.884:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/lightdm/lightdm-guest-session//chromium" pid=758 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=1400 audit(1508483402.884:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=768 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[759]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=759 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[759]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=759 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[759]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=759 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[759]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=759 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[770]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=770 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[770]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=770 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[770]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=770 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[760]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/2844/usr/lib/snapd/snap-confine" pid=760 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[760]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/2844/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=760 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=1400 audit(1508483402.888:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=759 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=1400 audit(1508483402.888:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=759 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=1400 audit(1508483402.888:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=759 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop kernel: audit: type=1400 audit(1508483402.888:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=759 comm="apparmor_parser"
 okt 20 09:10:02 jurrien-desktop audit[771]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/ippusbxd" pid=771 comm="apparmor_parser"

okt 20 09:10:02 jurrien-desktop audit[774]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/sbin/tcpdump" pid=774 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[763]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/evince" pid=763 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[763]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/evince//sanitized_helper" pid=763 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[763]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/evince-previewer" pid=763 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[763]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/evince-previewer//sanitized_helper" pid=763 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[763]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/evince-thumbnailer" pid=763 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[763]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/usr/bin/evince-thumbnailer//sanitized_helper" pid=763 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[762]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/snap/core/3017/usr/lib/snapd/snap-confine" pid=762 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[762]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/snap/core/3017/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=762 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[761]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/snap/core/2898/usr/lib/snapd/snap-confine" pid=761 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[761]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name="/snap/core/2898/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=761 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[804]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/lib/lightdm/lightdm-guest-session" pid=804 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[804]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/lib/lightdm/lightdm-guest-session//chromium" pid=804 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[813]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/snap/core/2844/usr/lib/snapd/snap-confine" pid=813 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[813]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/snap/core/2844/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=813 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[811]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/sbin/dhclient" pid=811 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[811]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=811 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[811]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=811 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[811]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/lib/connman/scripts/dhclient-script" pid=811 comm=“apparmor_parser”
okt 20 09:10:02 jurrien-desktop audit[822]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/snap/core/2898/usr/lib/snapd/snap-confine" pid=822 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[822]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/snap/core/2898/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=822 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[824]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/snap/core/3017/usr/lib/snapd/snap-confine" pid=824 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[824]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/snap/core/3017/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=824 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[831]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/bin/evince" pid=831 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[831]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/bin/evince//sanitized_helper" pid=831 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[831]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/bin/evince-previewer" pid=831 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[831]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/bin/evince-previewer//sanitized_helper" pid=831 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[831]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/bin/evince-thumbnailer" pid=831 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[831]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/bin/evince-thumbnailer//sanitized_helper" pid=831 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[836]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/lib/snapd/snap-confine" pid=836 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[836]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=836 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[849]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/sbin/cups-browsed" pid=849 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[864]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/lib/cups/backend/cups-pdf" pid=864 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[864]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/sbin/cupsd" pid=864 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[864]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/sbin/cupsd//third_party" pid=864 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[871]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/sbin/ippusbxd" pid=871 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[874]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/usr/sbin/tcpdump" pid=874 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[975]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“snap.kiosc.kiosc” pid=975 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[972]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“snap.core.hook.configure” pid=972 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[973]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“snap.cuety.cuety” pid=973 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[974]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“snap.kiosceditor.kiosceditor” pid=974 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[978]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“snap.snappy-debug.security” pid=978 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[976]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“snap.krita.krita” pid=976 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[979]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“snap.vmanager.vmanager” pid=979 comm=“apparmor_parser”
okt 20 09:10:03 jurrien-desktop audit[977]: AVC apparmor=“STATUS” operation=“profile_load” profile=“unconfined” name=“snap.remote.remote” pid=977 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1322]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/snap/core/3017/usr/lib/snapd/snap-confine" pid=1322 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1322]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name="/snap/core/3017/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1322 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1325]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.core.hook.configure” pid=1325 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1356]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.cuety.cuety” pid=1356 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1363]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.kiosc.kiosc” pid=1363 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1369]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.kiosceditor.kiosceditor” pid=1369 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1380]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.krita.krita” pid=1380 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1389]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.remote.remote” pid=1389 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1396]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.snappy-debug.security” pid=1396 comm=“apparmor_parser”
okt 20 09:10:04 jurrien-desktop audit[1404]: AVC apparmor=“STATUS” operation=“profile_replace” profile=“unconfined” name=“snap.vmanager.vmanager” pid=1404 comm=“apparmor_parser”
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“connect” profile=“snap.vmanager.vmanager” pid=3790 comm=“vmanager” family=“unix” sock_type=“stream” protocol=0 requested_mask=“send receive connect” denied_mask=“send connect” addr=none peer_addr="@/tmp/dbus-3SM4kubOi3" peer=“unconfined”
okt 20 09:10:35 jurrien-desktop kernel: kauditd_printk_skb: 61 callbacks suppressed
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.424:72): apparmor=“DENIED” operation=“connect” profile=“snap.vmanager.vmanager” pid=3790 comm=“vmanager” family=“unix” sock_type=“stream” protocol=0 requested_mask=“send receive connect” denied_mask=“send connect” addr=none peer_addr="@/tmp/dbus-3SM4kubOi3" peer=“unconfined”
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/etc/pulse/client.conf" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-1366883868" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-169535614" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-131082967" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-1088988159" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-2093518101" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“mknod” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-689717037" pid=3790 comm=“vmanager” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.500:73): apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/etc/pulse/client.conf" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.500:74): apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-1366883868" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.500:75): apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-169535614" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.500:76): apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-131082967" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.500:77): apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-1088988159" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.500:78): apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-2093518101" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.500:79): apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-2016536552" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.500:80): apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-1384928078" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop kernel: audit: type=1400 audit(1508483435.500:81): apparmor=“DENIED” operation=“mknod” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-689717037" pid=3790 comm=“vmanager” requested_mask=“c” denied_mask=“c” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-1366883868" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-169535614" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-131082967" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-1088988159" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-2093518101" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-2016536552" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“open” profile=“snap.vmanager.vmanager” name="/dev/shm/pulse-shm-1384928078" pid=3790 comm=“vmanager” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=1000
okt 20 09:10:35 jurrien-desktop audit[3790]: AVC apparmor=“DENIED” operation=“connect” profile=“snap.vmanager.vmanager” name="/run/user/1000/pulse/native" pid=3790 comm=“vmanager” requested_mask=“wr” denied_mask=“wr” fsuid=1000 ouid=1000
okt 20 09:10:43 jurrien-desktop audit[3924]: AVC apparmor=“DENIED” operation=“exec” profile=“snap.vmanager.vmanager” name="/usr/bin/xdg-open" pid=3924 comm=“sh” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0
okt 20 09:10:43 jurrien-desktop kernel: kauditd_printk_skb: 8 callbacks suppressed
okt 20 09:10:43 jurrien-desktop kernel: audit: type=1400 audit(1508483443.556:90): apparmor=“DENIED” operation=“exec” profile=“snap.vmanager.vmanager” name="/usr/bin/xdg-open" pid=3924 comm=“sh” requested_mask=“x” denied_mask=“x” fsuid=1000 ouid=0

Greetings,

Michael.

10

What version of snapd are you using? xdg-open is allowed by both the desktop and unity7 interfaces. Have you specified one or both of these interfaces in the plugs of your snap.yaml? Are the interfaces connected?

What are you passing to xdg-open? A ‘file:///’ URL?

11

Hello @jdstrand,

Sorry for the delay.

To xdg-open I am passing the path tot he file. Like in the example below.

void OpenFolder(const string& a_folder) {
    string s("xdg-open ");
    if( !a_folder.empty() ) {
        s += a_folder;
        system(s.c_str());
    }
}

I am using snap and snapd 2.28.1

I don’t know how to specify the plugins to the snap yalm.

Greetings,

Michael.

12

take a look at this snapcraft.yaml in the “plugs:” line you define which interface plugs your app is allwed use, make such a line in your own snapcraft.yaml and make sure the list contains either “desktop” or “unity7” to enable your app to execute xdg-open.

13

Hello @orga,

Thank you for the quick reply, I just tried what you suggested and got this error:

Error org.freedesktop.DBus.Error.ServiceUnknown: The name io.snapcraft.Launcher was not provided by any .service files
Error org.freedesktop.DBus.Error.ServiceUnknown: The name com.canonical.SafeLauncher was not provided by any .service files

and here is a look at my .yalm file:

apps:
vmanager:
command: vmanager
plugs: [network, network-bind, x11, opengl, home. desktop, unity7]

Greetings,

Michael.

14

Ok, so (disregarding the DBus error), you are using xdg-open from the core snap, which is normally what you want because it will allow you to open an external application for the URL in question.

Unfortunately, the xdg-open in the core snap does not handle file:/// URLs. Normally, the non-snappy xdg-open when given a file URL will look at the mime type of the URL you give it and open it with the default application for that mime type. In your case, you give a directory so the file manager is opened.

This is an interesting use case that (at least I) had not considered. @niemeyer and @jamesh, as a thought experiment, let’s consider modifying snapd’s userd to handle file:/// URLs. AFAICT, the expectation of using xdg-open is that the snap would never be given this file again, so it is a one-way action (ie, the snap doesn’t gain access to the file in question, only launches something else on it). An implementation might have userd verify if the specified file is accessible to the snap already (ie, via libapparmor). My main concern is that a malicious snap could exploit bugs in unconfined default mime handlers. For example, there is an exploitable code execution bug in an image library that allows code execution. The malicious snap ships a crafted image then calls xdg-open $SNAP/bad.png, this is in the application’s readable area, so pass that along to the system xdg-open, which opens eog unconfined, which the snap can then control via the code execution bug and break out of confinement. This is precisely what snappy confinement is supposed to address-- any exploitable bugs are supposed to be limited to the snap itself. Part of the problem here is that the user isn’t given a choice to open the file. Limiting this to a directory addresses that but if given the choice, the user could be tricked into opening a crafted file easily enough.

We have some knobs though (that can be used in combination):

  1. userd could just pass file:/// URLs straight to xdg-open
  2. userd could check if the file:/// URL is accessible to the snap, if so, pass to xdg-open
  3. userd could only handle file URLs for directories
  4. userd could only handle file URLs for directories and could check if the file:/// URL is accessible to the snap, if so, pass to xdg-open
  5. userd file:/// URLs use a different DBus API that we only allow in transitional interfaces (eg, desktop-legacy and unity7)
  6. userd file:/// URLs use a different DBUS API that we allow in a separate manually connected interface (or via an interface attribute of desktop-legacy)
  7. userd would only open file handlers under confinement (eg, another strict mode snap)

I was trying to think through if portals could be of use, but I don’t think so-- the file chooser is about giving access to a file to the application so it can do with it what it wants, it isn’t about launching other applications on the requesting app’s behalf.

If we were going to support this, I’m sorta thinking this is perhaps a combination of ‘2’ and ‘5’. Since the user can be phished, ‘3’ and ‘4’ don’t buy us much. Limiting to what the snap can access (‘2’) seems to have merit. ‘2’ and ‘6’ is possible too: it allows us to mediate the file:/// access via snap declaration and user choice. ‘7’ is interesting to think about, but it allows for the calling snap to exploit bugs in the called snap to exfiltrate data; not to mention, I strongly suspect that people would want to call classic snaps.

15

To more specifically answer you: today you cannot use xdg-open in this manner unless you ship your own xdg-open and have it open an application in your snap. Eg, you ship a small file chooser and an editor and have your xdg-open your file chooser. I realize this probably isn’t an attractive option for you. Of course if this is what you wanted, you wouldn’t need xdg-open at all.

An alternative, today, would be to disable the OpenFolder functionality and provide guidance to your users to open the files themselves outside of your app, at least until snapd/userd provides something better for you. Since strict mode confinement is desirable, I encourage you to consider this option.

If these options are unacceptable, the only option is classic confinement today.

16

Hello @jdstrand,

This is disappointing, if it wasn’t important I wouldn’t push for it but it is. I have found this snapd implementation of xdg-open, snapd-xdg-open would it work as an alternative if I integrate it in my application?

Greetings,

Michael.

17

No, snapd-xdg-open is the receiver that used to run in the users desktop session, it used to listen for data from the xdg-open the core snap that @jdstrand mentioned (which is only a special forwarder). With the recent change to have snapd do the user-session part snapd-xdg-open is obsolete, you do not want to have it installed anywhere (neither in the session nor in the snap (where it would be a no-op anyway)).

I think the only proper way here would be to make the new “userd” handle file:/// URLs somehow, but i guess that would need a complete new interface since it will allow access to random files on the filesystem if it does not get properly restricted … (though i guess simply allowing files from $HOME if the home interface is enabled anyway for the specific snap should not be to hard)

18

Hello @orga,

Thanks for the quick reply. Is there an example you could point me to for inspiration?

Greetings,

Michael.

19

userd is part of the snapd source, there is nothing i could point you to to “just make this work”, it needs code changes (currently only http, https and mailto get accepted as protocols AFAIK)

20

I listed quite a few options in my previous post. I think this needs design discussion (which is why I pinged @niemeyer and @jamesh). I think it is possible to support this. The question is whether or not it fits into the snap story (since it weakens the security stance) and if it does, how to expose that to snaps. Tying it to a transitional interface makes some sense to me, because desktop-legacy, x11 and unity7 all are more problematic than calling xdg-open with a filtered file:/// URL.