gopaste example fails because sqlite tries to chown
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Snapcraft | Won't Fix | Low | Leo Arias | |
Bug Description
The gopaste service from the snapcraft example doesn't work. With snappy-debug it shows that:
sysctl: permission denied on key 'kernel.
= Seccomp =
Time: Jan 15 19:12:58
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1142 comm="gopasted" exe="/snaps/
Syscall: fchown
Suggestions:
* don't copy ownership of files (eg, use 'cp -r --preserve=mode' instead of 'cp -a')
* adjust program to not use 'fchown'
<jdstrand> elopio: you can't use the chown family of syscalls because of two things: we don't have per-app uids so the chown doesn't make sense under most cases, and for those cases that do make sense, we need syscall argument filtering
<jdstrand> put more simply, do what it suggested and adjust to not use chown
<jdstrand> the hope is we'll have argument filtering for seccomp and can loosen that up a bit
<jdstrand> for 16.04
<elopio> hum, the chown seems to come from here: https:/
<sergiusens> elopio, sqlite is not going to work without patching
Changed in snapcraft:
status: New → Triaged
importance: Undecided → Low
Changed in snapcraft:
milestone: none → 2.7
assignee: nobody → Leo Arias (elopio)
Changed in snapcraft:
milestone: 2.7 → none
<sergiusens> elopio, oh, for gopasted we can use the security-override and add fchown to the valid syscalls /github.com/ubuntu-core/snapcraft/pull/237
Workaround: https:/
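Added example, not part of the bug report or of snapcraft: a small Python parser for reports in the snappy-debug layout quoted above, counting denied chown-family syscalls per command so the offending binary is easy to spot during triage. The sample report, command names and paths are constructed, and the function names are hypothetical.

```python
import shlex
from collections import Counter

# chown-family syscall names (Linux); the thread above says the whole family is off-limits.
CHOWN_FAMILY = {"chown", "fchown", "lchown", "fchownat", "chown32", "fchown32", "lchown32"}

# Constructed sample in the layout of the report quoted above (names and paths are made up).
SAMPLE = '''\
= Seccomp =
Time: Jan 15 19:12:58
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1142 comm="demo-app" exe="/constructed/path/demo-app"
Syscall: fchown
Suggestions:
* adjust program to not use 'fchown'
= Seccomp =
Time: Jan 15 19:13:02
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1150 comm="demo-app" exe="/constructed/path/demo-app"
Syscall: fchown
= Seccomp =
Time: Jan 15 19:13:05
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1177 comm="other-app" exe="/constructed/path/other-app"
Syscall: setpriority
'''

def parse_reports(text):
    """Return one dict per '= Seccomp =' block; the Log line becomes a dict of audit fields."""
    reports = []
    for line in map(str.strip, text.splitlines()):
        if line == "= Seccomp =":
            reports.append({"suggestions": []})
        elif not reports or (":" not in line and not line.startswith("* ")):
            continue  # text outside a block, or a line we do not understand
        elif line.startswith("* "):
            reports[-1]["suggestions"].append(line[2:])
        else:
            key, _, value = line.partition(":")
            key, value = key.lower(), value.strip()
            if key == "log":  # key=value pairs; quoted values may hold spaces
                value = dict(t.split("=", 1) for t in shlex.split(value) if "=" in t)
            if value:  # "Suggestions:" is a bare header with no value of its own
                reports[-1][key] = value
    return reports

def chown_denials(reports):
    """Count denied chown-family calls per (comm, syscall); other denials are ignored."""
    hits = Counter()
    for r in reports:
        if r.get("syscall") in CHOWN_FAMILY:
            hits[(r.get("log", {}).get("comm", "?"), r["syscall"])] += 1
    return dict(hits)
```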