2017-11-08 18:08:40 |
Jamie Strandboge |
description |
Electron applications use this is ensure only one instance of the application is running: https://chromium.googlesource.com/chromium/chromium/+/master/chrome/browser/process_singleton_linux.cc#
Part of this involves creating a named socket in XDG_RUNTIME_DIR. Eg:
$ ls -l /run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc
total 0
lrwxrwxrwx 1 jamie jamie 19 Nov 8 10:19 SingletonCookie -> 8465438638122226111
srwxr-xr-x 1 jamie jamie 0 Nov 8 10:19 SS
In snappy, we have the following rule:
owner /run/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,
Under certain circumstances[1] a read denial pops out due to owner mismatch:
apparmor=“DENIED” operation=“file_perm” profile=“snap.mailspring.mailspring” name="/run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc/SS" pid=17066 comm=“mailspring” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
but on the filesystem the file is owned by 1000:1000 (the application is run by the non-root user and the application isn't setuid or have file ACLs). I don't yet have a simplified reproducer for this, but (a complex) one exists in the forum[1]. Adding the aa-kernel task for now.
[1]https://forum.snapcraft.io/t/electron-snap-killed-when-using-app-makesingleinstance-api/2667/20 |
Electron applications use this to ensure only one instance of the application is running: https://chromium.googlesource.com/chromium/chromium/+/master/chrome/browser/process_singleton_linux.cc#
Part of this involves creating a named socket in XDG_RUNTIME_DIR. Eg:
$ ls -l /run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc
total 0
lrwxrwxrwx 1 jamie jamie 19 Nov 8 10:19 SingletonCookie -> 8465438638122226111
srwxr-xr-x 1 jamie jamie 0 Nov 8 10:19 SS
In snappy, we have the following rule:
owner /run/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,
Under certain circumstances[1] a read denial pops out due to owner mismatch:
apparmor=“DENIED” operation=“file_perm” profile=“snap.mailspring.mailspring” name="/run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc/SS" pid=17066 comm=“mailspring” requested_mask=“r” denied_mask=“r” fsuid=1000 ouid=0
but on the filesystem the file is owned by 1000:1000 (the application is run by the non-root user and the application isn't setuid and doesn't have file ACLs). I don't yet have a simplified reproducer for this, but (a complex) one exists in the forum[1]. Adding the aa-kernel task for now.
[1]https://forum.snapcraft.io/t/electron-snap-killed-when-using-app-makesingleinstance-api/2667/20 |
|