Wine-based snap, logos9, can't start child process(es)

I’m trying to make the wine-based snap package logos9 work under strict confinement. It works fine in devmode, but then seems to fail to start child process(es) when run in jailmode. Here’s the specific error I see in the winedebug output:

System.ComponentModel.Win32Exception: Accès refusé
   at System.Diagnostics.NtProcessManager.GetModuleInfos(Int32 processId, Boolean firstModuleOnly)
   at System.Diagnostics.NtProcessManager.GetFirstModuleInfo(Int32 processId)
   at System.Diagnostics.Process.get_MainModule()
   at LDLS4.OurApp.Main(String[] astrArgs)
wine: Unhandled exception 0xe0434352 in thread 120 at address 000000007B0118AD (thread 0120), starting debugger...
0130:err:unwind:install_bpf Unexpected status 0xffffffff, errno 1.
Can't attach process 011c: error 5

I’m not well-versed in AppArmor and Seccomp, but it seems like this is the relevant Seccomp violation:

= Seccomp =
Time: Nov 26 12:32:01
Log: auid=1000 uid=1000 gid=1000 ses=3 subj=snap.logos9.logos9 pid=1179452 comm="wineserver" exe="/snap/logos9/11/wine-platform/wine-staging/bin/wineserver" sig=0 arch=c000003e 101(ptrace) compat=0 ip=0x7f5af431c71f code=0x50000
Syscall: ptrace

But I’ve already enabled process-control, system-observe, and system-trace plugs, thinking at least one of those would fix the problem:

$ snap connections logos9
Interface                 Connecteur                      Prise                               Notes
# [...]
process-control           logos9:process-control          :process-control                    manual
system-observe            logos9:system-observe           :system-observe                     manual
system-trace              logos9:system-trace             :system-trace                       manual
# [...]

Here’s part of the snapcraft.yaml:

name: logos9

grade: devel # must be 'stable' to release into candidate/stable channels
confinement: devmode # use 'strict' once you have the right plugs and slots
  - amd64

  TRICKS: "dotnet48 corefonts ddr=gdi fontsmooth=rgb"
  WINEDLLOVERRIDES: "mscoree,mshtml=" # Prevent pop-ups about Wine Mono and Wine Gecko

    extensions: [gnome-3-28]
    command: bin/sommelier run-exe
      RUN_EXE: "C:/users/$USER/AppData/Local/Logos/Logos.exe"
      # RUN_EXE: "C:/users/$USER/AppData/Local/Logos/System/Logos.exe"
      # INSTALL_FLAGS: /silent # optional commandline flags to pass to the installer
      - audio-playback
      - home
      - network
      - network-manager-observe
      - process-control
      - system-observe
      - system-trace
      - udisks2

Any suggestions on how I can move forward on this? The snap is available from the Snap Store on the edge channel:

snap install logos9 --edge --jailmode # or --devmode


Has nobody run into this before? I’ve tried filtering and understanding the winedebug output while running the app, but it’s all new territory for me and I don’t understand Windows function calls at all (yet!).

Did I even identify the correct Seccomp violation? It would be helpful to know if I’m at least on the right track.

It turns out that the problem is related to how dotnet tries to modify a child process. It uses a system call that could modify any process, since it takes an arbitrary PID as the first argument. This is a snap no-no, although supposedly there’s a workaround using a manually-connected process-control plug (but it’s not working for me). But this manual CLI step would still be a pain for normal users.

Further info at these links:

I believe this was fixed in .net5.

dotnet core 3.1 self-contained snap · Issue #1634 · dotnet/runtime · GitHub

Change new thread’s affinity after thread starts, from the same thread, as a workaround for Snap by kouvel · Pull Request #40205 · dotnet/runtime · GitHub

I’ve seen that, thanks. However, this app uses dotnet 4.8, and I don’t know of any way to proceed in that case.
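
Added example (not part of the original thread): a small Python decoder for the seccomp denial line quoted in the first post. It checks that syscall 101 on arch c000003e is ptrace and that code=0x50000 is the SECCOMP_RET_ERRNO action. The syscall tables are short excerpts, and the second sample record is constructed to show that the same number names a different syscall on i386.

```python
import re

# Values from linux/audit.h and linux/seccomp.h.
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386"}
SECCOMP_ACTIONS = {
    0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD", 0x00030000: "TRAP",
    0x00050000: "ERRNO", 0x7FC00000: "USER_NOTIF", 0x7FF00000: "TRACE",
    0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW",
}
# Short excerpts of the per-architecture syscall tables (not complete).
SYSCALLS = {
    "x86_64": {56: "clone", 59: "execve", 101: "ptrace", 203: "sched_setaffinity"},
    "i386": {11: "execve", 26: "ptrace", 101: "ioperm", 120: "clone"},
}

# Denial line as quoted in the first post (the syscall appears as "101(ptrace)").
PAGE_LINE = ('Log: auid=1000 uid=1000 gid=1000 ses=3 subj=snap.logos9.logos9 '
             'pid=1179452 comm="wineserver" '
             'exe="/snap/logos9/11/wine-platform/wine-staging/bin/wineserver" '
             'sig=0 arch=c000003e 101(ptrace) compat=0 ip=0x7f5af431c71f code=0x50000')
# Constructed sample: raw audit form (syscall=N) from a hypothetical 32-bit process.
RAW_LINE = ('type=SECCOMP msg=audit(1606390321.000:100): auid=1000 uid=1000 '
            'subj=snap.example.app pid=4242 comm="example" sig=0 '
            'arch=40000003 syscall=101 compat=0 ip=0xf7f00000 code=0x50000')

def decode_seccomp(line):
    """Decode one seccomp audit record into readable fields."""
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    # Some tools rewrite "syscall=101" as a bare "101(ptrace)" token.
    rewritten = re.search(r'(?<!\S)(\d+)\((\w+)\)', line)
    if "syscall" in kv:
        nr, logged_name = int(kv["syscall"]), None
    elif rewritten:
        nr, logged_name = int(rewritten.group(1)), rewritten.group(2)
    else:
        raise ValueError("no syscall number in record")
    arch = AUDIT_ARCH.get(int(kv["arch"], 16), "unknown")
    # Syscall numbers are per-architecture, so resolve the name via arch first.
    name = SYSCALLS.get(arch, {}).get(nr) or logged_name or "unknown"
    action = SECCOMP_ACTIONS.get(int(kv["code"], 16) & 0xFFFF0000, "unknown")
    return {"profile": kv.get("subj"), "comm": kv.get("comm"), "arch": arch,
            "syscall_nr": nr, "syscall": name, "action": action}

if __name__ == "__main__":
    for sample in (PAGE_LINE, RAW_LINE):
        print(decode_seccomp(sample))
```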