SOLVED

App Capabilities in SNAP Package

schwebo
Established Member

I have an executable packaged as a Snap. When I start this Snap on xCtrl I get the following output (only a part):

[screenshot attachment: schwebo_0-1649761595002.png]

I assume the reason is the missing app capabilities. When I run the app (as a Snap) on my test VM, the app gets these capabilities:

setcap cap_net_bind_service,CAP_SYS_NICE,CAP_DAC_READ_SEARCH,cap_ipc_lock,cap_net_raw+ep

Can anybody help me? Maybe I should create a run.sh (Snap command) and set the caps, but without sudo?

Thanks

EDIT: here are the logs, see the apparmor="DENIED" entries:

2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.720586 +0000 UTC Stopped Service for snap application appengine-snap.app-engine.
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.730191 +0000 UTC Started Service for snap application appengine-snap.app-engine.
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.86705 +0000 UTC We are here: /snap/appengine-snap/x1/
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.86705 +0000 UTC Set capabilities for SICK AppEngine binary and make it executable
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.871206 +0000 UTC AVC apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:46Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.872251 +0000 UTC AVC apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.873628 +0000 UTC /snap/appengine-snap/x1/run.sh: 5: setcap: Permission denied
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.879704 +0000 UTC chmod: changing permissions of '/snap/appengine-snap/x1/AppEngine': Read-only file system
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.880742 +0000 UTC Run AppEngine
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.88111 +0000 UTC audit: type=1400 audit(1649838526.860:286268): apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.881247 +0000 UTC audit: type=1400 audit(1649838526.870:286269): apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC   ___  _  ___ _  __
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC  / __|| |/ __| |/ /  SICK AppEngine 1.3.1.24
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC  \__ \| | (__| ' <   Copyright (C) 2021 SICK AG
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC  |___/|_|\___|_|\_\
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:46.999269 +0000 UTC  A P P  E N G I N E
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.013103 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/zKXWCM" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.013534 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/T3ZhRL" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.013753 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/yHc9vM" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.013992 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/zAo0zN" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.014204 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/hr9TIK" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.014415 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/60zBQM" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.014629 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/PX6YRK" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.014824 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/Nuz1hN" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-13 08:28:47.015042 +0000 UTC AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/yPSKJJ" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
EDIT 2:

New info from the official snapd forum:

[screenshot attachment: schwebo_0-1649848627807.png]

 

3 REPLIES

nickH
Community Moderator

It seems like mknod tries to add folders and files to an area that it cannot access. Please keep in mind that snaps by default run in their sandbox. Interfaces allow access to a resource outside of a snap's confinement. You can have a look at the system-files interface.

Please also have a look to this thread, someone ran into a similar problem.

 

schwebo
Established Member

Good morning, thank you for the reply, and now I have a further question:

First of all, I got root rights for the xCtrl device; when I install my app via ssh with snap install --devmode, my snap works successfully.

If I install the snap the official way (web service), I get the following error in the output:

 

2022-04-19T07:51:24Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 07:51:24.52767 +0000 UTC SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=3466674 comm="AppEngine" exe="/snap/appengine-snap/x1/AppEngine" sig=0 arch=c00000b7 syscall=122 compat=0 ip=0x7fb13a72b4 code=0x50000
2022-04-19T07:51:24Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 07:51:24.528266 +0000 UTC [07:51:24.528: SEVERE: AppEngine.Debug] Whoops...Not ROOT!!! Cannot set correct task properties for task 'SysCtrlTask'
2022-04-19T07:51:24Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 07:51:24.530502 +0000 UTC audit: type=1326 audit(1650354684.520:2048377): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=3466674 comm="AppEngine" exe="/snap/appengine-snap/x1/AppEngine" sig=0 arch=c00000b7 syscall=122 compat=0 ip=0x7fb13a72b4 code=0x50000
2022-04-19T07:51:29Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 07:51:29.566929 +0000 UTC SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=3466674 comm="AppEngine" exe="/snap/appengine-snap/x1/AppEngine" sig=0 arch=c00000b7 syscall=122 compat=0 ip=0x7fb13a72b4 code=0x50000
2022-04-19T07:51:29Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 07:51:29.567546 +0000 UTC [07:51:29.566: SEVERE: AppEngine.Debug] Whoops...Not ROOT!!! Cannot set correct task properties for task 'AppEngineOutput'
2022-04-19T07:51:29Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 07:51:29.580522 +0000 UTC audit: type=1326 audit(1650354689.560:2048378): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=3466674 comm="AppEngine" exe="/snap/appengine-snap/x1/AppEngine" sig=0 arch=c00000b7 syscall=122 compat=0 ip=0x7fb13a72b4 code=0x50000
2022-04-19T07:51:30Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 07:51:30.375551 +0000 UTC ||080E0410|Trace warning web.common.logger|||||remoteagent.status|ctrlxDevice.go|ctrlxcore.(*ctrlXDevice).updateStatus|406|Failed update status: failed to update the status on device portal. Error: Patch "https://cert.device.deviceportal.bosch.com/bulk/v2/devicestatus": dial tcp: lookup cert.device.deviceportal.bosch.com: Temporary failure in name resolution
2022-04-19T07:51:34Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 07:51:34.568138 +0000 UTC SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=3466674 comm="AppEngine" exe="/snap/appengine-snap/x1/AppEngine" sig=0 arch=c00000b7 syscall=122 compat=0 ip=0x7fb13a72b4 code=0x50000
2022-04-19T07:51:34Z ctrlx-CORE /snap/rexroth-deviceadmin/970/bin/wasp[1575] 2022-04-19 07:51:34.568681 +0000 UTC [07:51:34.568: SEVERE: AppEngine.Debug] pthread_create returned 1 in file /home/jenkins-slave/jenkinsroot-csxjenkins-gbc05/workspace/Control/SICKAppEngine/SAE_trunk@2/conan/.conan/data/EDP_BASE/7.2.5/builder/release_withFix/source/BASE/src/Core/private/Linux/PeriodicTimer.cpp

 

Can you give some hints?

Thank you very much for your time

EDIT: I got some info from our developer; the problem relates to the setcap command, I need special capabilities:

setcap cap_net_bind_service,CAP_SYS_NICE,cap_ipc_lock,cap_net_raw+ep $instdir/AppEngine

chmod +x $instdir/AppEngine

Is there a Snap workaround?

nickH
Community Moderator

Hello,

When you install a snap in devmode, violations against a snap's security policy are permitted to proceed but logged via journald. This can be done for debugging and can help to isolate the error.

Please have a look at this document for further information. Especially look at the part about Seccomp violations.
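The two kinds of denial quoted in this thread (AppArmor `apparmor="DENIED"` records and seccomp `type=1326` audit records) have a regular key=value shape, so a small triage script can turn a devmode journal into a list of what the sandbox blocked and why that matters. The following is an added example written for this thread; it is not code from Bosch, SICK or snapd. Its sample lines are constructed from the excerpts above; the `arch`/`syscall` decoding uses the kernel's AUDIT_ARCH constants and the asm-generic syscall table that arm64 uses, the `code` field is decoded against the SECCOMP_RET_* action values, and the mention of the `process-control` interface in the scheduling hint is an assumption to verify against the snapd interface docs, not something the thread establishes.

```python
import re
from collections import Counter

# Constructed sample lines (not the thread's full log), shaped like the journal
# excerpts quoted above: an AppArmor exec denial, an AppArmor mknod denial,
# a plain status line, and a seccomp audit record.
SAMPLE_LOG = """\
2022-04-13T08:28:46Z ctrlx-CORE wasp[1575] AVC apparmor="DENIED" operation="exec" profile="snap.appengine-snap.app-engine" name="/usr/sbin/setcap" pid=686877 comm="run.sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE wasp[1575] AVC apparmor="DENIED" operation="mknod" profile="snap.appengine-snap.app-engine" name="/dev/shm/zKXWCM" pid=686879 comm="AppEngine" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2022-04-13T08:28:47Z ctrlx-CORE wasp[1575] Run AppEngine
2022-04-19T07:51:24Z ctrlx-CORE wasp[1575] SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=3466674 comm="AppEngine" exe="/snap/appengine-snap/x1/AppEngine" sig=0 arch=c00000b7 syscall=122 compat=0 ip=0x7fb13a72b4 code=0x50000
"""

# key=value or key="quoted value" tokens as written by the audit subsystem
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# AUDIT_ARCH_* values from the kernel's audit.h (hex as printed in the record)
AUDIT_ARCH = {"c00000b7": "aarch64", "c000003e": "x86_64"}

# Small subset of the asm-generic syscall table that arm64 uses
SYSCALL_NAMES = {
    "aarch64": {118: "sched_setparam", 119: "sched_setscheduler",
                122: "sched_setaffinity", 140: "setpriority"},
}

# SECCOMP_RET_* action values (upper 16 bits of the audit "code" field)
SECCOMP_ACTION = {
    0x00000000: "KILL_THREAD", 0x80000000: "KILL_PROCESS", 0x00030000: "TRAP",
    0x00050000: "ERRNO", 0x7FC00000: "USER_NOTIF", 0x7FF00000: "TRACE",
    0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW",
}


def parse_fields(line):
    """Return the key=value pairs of an audit-style line as a dict."""
    return {k: (u if u else q) for k, q, u in KV_RE.findall(line)}


def parse_line(line):
    """Classify one journal line as an AppArmor or seccomp denial, else None."""
    f = parse_fields(line)
    if f.get("apparmor") == "DENIED":
        return {"kind": "apparmor", "operation": f.get("operation", "?"),
                "profile": f.get("profile", "?"), "name": f.get("name", "?"),
                "comm": f.get("comm", "?"), "denied_mask": f.get("denied_mask", "?")}
    if "SECCOMP" in line and "syscall" in f:
        arch = AUDIT_ARCH.get(f.get("arch", ""), "unknown")
        nr = int(f["syscall"])
        code = int(f.get("code", "0"), 16)
        return {"kind": "seccomp", "arch": arch, "syscall_nr": nr,
                "syscall": SYSCALL_NAMES.get(arch, {}).get(nr, f"nr_{nr}"),
                "action": SECCOMP_ACTION.get(code & 0xFFFF0000, f"0x{code:x}"),
                "comm": f.get("comm", "?")}
    return None


def hint(ev):
    """Defender-side reading of a denial: what it means and where to look."""
    if ev["kind"] == "apparmor":
        if ev["operation"] == "exec" and ev["name"].endswith("/setcap"):
            return ("setcap blocked: file capabilities cannot be granted from inside a "
                    "strictly confined snap (and the mounted snap is read-only); declare "
                    "the required access as interface plugs instead of setting caps at runtime")
        if ev["operation"] == "mknod":
            return (f"creating {ev['name']} lies outside the snap's confinement; find the "
                    "interface that covers that path (the thread points at system-files)")
        return f"{ev['operation']} on {ev['name']} denied by profile {ev['profile']}"
    parts = [f"{ev['syscall']} ({ev['arch']} nr {ev['syscall_nr']}) filtered by seccomp, "
             f"action {ev['action']}"]
    if ev["action"] == "ERRNO":
        parts.append("the call returns an error instead of killing the process, which an "
                     "application may misreport as 'not root'")
    if ev["syscall"].startswith("sched_") or ev["syscall"] == "setpriority":
        # Assumption: process-control is the interface to check for these calls
        parts.append("scheduling privilege: check which snap interface grants it "
                     "(process-control is an assumption to verify)")
    return "; ".join(parts)


def triage(log_text):
    """Parse a log excerpt; return (events, Counter of (kind, operation-or-syscall))."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = Counter((e["kind"], e.get("operation") or e["syscall"]) for e in events)
    return events, counts


if __name__ == "__main__":
    evs, counts = triage(SAMPLE_LOG)
    for (kind, what), n in counts.items():
        print(f"{n:3d}  {kind:8s} {what}")
    for ev in evs:
        print("-", ev["comm"], "->", hint(ev))
```

Feed it the output of `journalctl` from a devmode install and the counts show which denials are one-offs (the two `setcap` exec attempts) and which recur (the `/dev/shm` mknod calls, the `sched_*` syscall); each recurring line maps to exactly one interface decision in `snapcraft.yaml`, which is the fix that survives a move from devmode to strict confinement.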

 
