App Capabilities in SNAP Package

I have an executable packaged as a Snap. When I start this Snap on xCtrl, I get the following output (only a part):

I assume the reason is the missing app capabilities. When I run the app (as a Snap) on my test VM, the app there gets these capabilities:

setcap cap_net_bind_service,CAP_SYS_NICE,CAP_DAC_READ_SEARCH,cap_ipc_lock,cap_net_raw+ep
 

Can anybody help me? Maybe I should create a run.sh (Snap command) and set the caps, without sudo?

 

thanks

EDIT: here are the logs (see the apparmor="DENIED" entries):

2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.720586 +0000 UTC Stopped Service for snap application appengine-snap.app-engine.
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.730191 +0000 UTC Started Service for snap application appengine-snap.app-engine.
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.86705 +0000 UTC We are here: /snap/appengine-snap/x1/
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.86705 +0000 UTC Set capabilities for SICK AppEngine binary and make it executable
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.871206 +0000 UTC AVC apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.872251 +0000 UTC AVC apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.873628 +0000 UTC /snap/appengine-snap/x1/run.sh: 5: setcap: Permission denied
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.879704 +0000 UTC chmod: changing permissions of '/snap/appengine-snap/x1/AppEngine': Read-only file system
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.880742 +0000 UTC Run AppEngine
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.88111 +0000 UTC audit: type=1400 audit(1649838526.860:286268): apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.881247 +0000 UTC audit: type=1400 audit(1649838526.870:286269): apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC   ___  _  ___ _  __
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC  / __|| |/ __| |/ /  SICK AppEngine 1.3.1.24
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC  \__ \| | (__| ' <   Copyright (C) 2021 SICK AG
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC  |___/|_|\___|_|\_\
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC  A P P  E N G I N E
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.013103 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/zKXWCM" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.013534 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/T3ZhRL" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.013753 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/yHc9vM" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.013992 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/zAo0zN" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.014204 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/hr9TIK" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.014415 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/60zBQM" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.014629 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/PX6YRK" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.014824 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/Nuz1hN" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.015042 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/yPSKJJ" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
EDIT 2:
 
New info from the official snapd forum:
 

 

Best reply by nickH

Hello, 

When you install a snap in devmode, violations against a snap’s security policy are permitted to proceed but logged via journald. This can be done for debugging and can help to isolate the error.

Please have a look at this document for further information. Especially look at the part about Seccomp violations. 
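To triage the policy violations that the reply says are logged, the AppArmor DENIED records can be grouped by profile, command, operation and target. This is an added example, not part of the original thread: the sample lines are constructed in the format of the log in the question, and the names `parse_denial` and `summarize` are hypothetical.

```python
import re
from collections import Counter
from posixpath import dirname

# Constructed sample: shortened lines in the format of the log in the question.
SAMPLE_LOG = """\
UTC AVC apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
UTC /snap/appengine-snap/x1/run.sh: 5: setcap: Permission denied
UTC audit: type=1400 audit(1649838526.860:286268): apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/aaaaaa" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/bbbbbb" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/cccccc" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def summarize(log_text):
    """Count denials per (profile, comm, operation, target, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue  # ordinary application output, not an audit record
        name = rec.get("name", "?")
        # Keep the full path of a denied exec; collapse other paths to their
        # directory so randomly named files count as one finding.
        if rec.get("operation") == "exec":
            target = name
        else:
            target = dirname(name) + "/*"
        counts[(rec.get("profile"), rec.get("comm"), rec.get("operation"),
                target, rec.get("denied_mask"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Each denial can appear in the log both as an `AVC` line and as an `audit: type=1400` line, so the counts are log records, not distinct events.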

 
