Electron applications use this to ensure only one instance of the application is running: https://chromium.googlesource.com/chromium/chromium/+/master/chrome/browser/process_singleton_linux.cc
Part of this involves creating a named socket in XDG_RUNTIME_DIR. E.g.:
$ ls -l /run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc
total 0
lrwxrwxrwx 1 jamie jamie 19 Nov 8 10:19 SingletonCookie -> 8465438638122226111
srwxr-xr-x 1 jamie jamie 0 Nov 8 10:19 SS
In snappy, we have the following rule:
owner /run/user/[0-9]*/snap.@{SNAP_NAME}/** mrwklix,
Under certain circumstances[1] a read denial pops out due to owner mismatch:
apparmor="DENIED" operation="file_perm" profile="snap.mailspring.mailspring" name="/run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc/SS" pid=17066 comm="mailspring" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
but on the filesystem the file is owned by 1000:1000 (the application is run by the non-root user, and the application isn't setuid and doesn't have file ACLs). I don't yet have a simplified reproducer for this, but a (complex) one exists in the forum[1]. Adding the aa-kernel task for now.
[1] https://forum.snapcraft.io/t/electron-snap-killed-when-using-app-makesingleinstance-api/2667/20
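To make the owner-mismatch condition concrete, the following is an added example (not code from the bug report, from snapd or from Chromium). It parses the denial line above into its fields, flags the fsuid/ouid disagreement that makes an `owner`-qualified rule fail to match, and builds a Chromium-style singleton directory (cookie symlink plus bound Unix socket `SS`) in a scratch directory so the on-disk owner can be compared with what a denial line claims. The directory name `.org.chromium.Chromium.example`, the helper names, and the sample line's ASCII quotes are assumptions of this example; it does not reproduce the kernel behaviour in the report, it only shows the check a triager would run against a real denial.

```python
import os
import re
import socket
import stat
import tempfile

# Constructed sample: the denial from the report, with quotes normalised to ASCII.
SAMPLE_DENIAL = (
    'apparmor="DENIED" operation="file_perm" profile="snap.mailspring.mailspring" '
    'name="/run/user/1000/snap.mailspring/.org.chromium.Chromium.Aoy3tc/SS" '
    'pid=17066 comm="mailspring" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
)

# Matches key="quoted value" or key=bareword, as written in AppArmor audit lines.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Split an AppArmor audit line into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        # bare is non-empty only when the unquoted alternative matched
        fields[key] = bare if bare else quoted
    return fields


def is_owner_mismatch(fields):
    """True when the kernel evaluated the access with fsuid != ouid. That is
    exactly the condition under which an 'owner'-qualified rule does not match,
    so a denial carrying it is the signature seen in the report."""
    return "fsuid" in fields and "ouid" in fields and fields["fsuid"] != fields["ouid"]


def disk_owner(path):
    """uid of the object as 'ls -l' shows it (lstat: do not follow symlinks)."""
    return os.lstat(path).st_uid


def log_agrees_with_disk(fields):
    """Does the ouid in the denial match what the filesystem reports for the
    denied path? The report describes a case where this is False (ouid=0 in
    the log, uid 1000 on disk)."""
    return int(fields["ouid"]) == disk_owner(fields["name"])


def make_singleton_layout(base):
    """Create a Chromium-style singleton directory under base: a cookie symlink
    and a bound Unix socket named SS, like the listing in the report. Returns
    the socket path. The directory name is a hypothetical one for this example."""
    d = os.path.join(base, ".org.chromium.Chromium.example")
    os.mkdir(d, 0o755)
    os.symlink("8465438638122226111", os.path.join(d, "SingletonCookie"))
    ss = os.path.join(d, "SS")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(ss)   # creates the socket inode, owned by the binding process's fsuid
    s.close()    # the inode stays on disk until unlinked
    return ss


def denial_for_path(path, fsuid=None):
    """Construct the fields a denial would carry for path when accessed by fsuid
    (defaults to our own euid), taking ouid from the real on-disk owner."""
    if fsuid is None:
        fsuid = os.geteuid()
    return {"name": path, "fsuid": str(fsuid), "ouid": str(disk_owner(path))}


def self_check():
    """Build the layout in a scratch directory and report what a consistent
    owner evaluation looks like: (SS is a socket, SS is owned by us,
    a denial built from the real owner shows no mismatch)."""
    with tempfile.TemporaryDirectory() as tmp:
        ss = make_singleton_layout(tmp)
        is_sock = stat.S_ISSOCK(os.lstat(ss).st_mode)
        owned_by_us = disk_owner(ss) == os.geteuid()
        d = denial_for_path(ss)
        consistent = log_agrees_with_disk(d) and not is_owner_mismatch(d)
        return is_sock, owned_by_us, consistent


if __name__ == "__main__":
    f = parse_denial(SAMPLE_DENIAL)
    print("report line: fsuid=%s ouid=%s mismatch=%s" % (f["fsuid"], f["ouid"], is_owner_mismatch(f)))
    print("scratch layout (socket, owned by us, consistent):", self_check())
```

Run against a live denial, `log_agrees_with_disk(parse_denial(line))` is the check that separates an ordinary owner mismatch (the file really belongs to someone else, so the rule is working as written) from the case in this report, where the log's ouid disagrees with what the filesystem shows for the same object.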