I'm trying to get an application working with snapd and have run into some issues regarding AppArmor permissions. It seems that in order to have my app be fully functional, it needs some custom AppArmor rules that aren't provided by any of the existing interfaces.
I'm able to get things working by manually adding additional rules to the app's AppArmor profile after snap installation under /var/lib/snapd/apparmor/profiles/, like this:
/sys/devices/** r,
/sys/class/net/eth0/address r,
/dev/sda1 r,
capability sys_rawio,
Is there a way to have the Snap automatically configure these when it's installed, or will I need to maintain custom post-install scripts in order to make these changes?
The bottom of this page shows YAML syntax that suggests it may be possible:
services:
  - name: bar # uses 'default' template with 'network-client' cap
  - name: baz # uses 'default' template with specified caps
    caps:
      - network-client
      - norf-framework_client
  - name: qux # uses 'nondefault' template with no caps
    security-template: nondefault
  - name: quux
    security-policy: # uses custom security policy as defined by relative paths
      apparmor: meta/quux.aa
      seccomp: meta/quux.sc
but this is in reference to Ubuntu 15.10 (I'm using 16.04), and it appears to use syntax (e.g., 'services' instead of 'apps') not currently supported by snapd. Thanks for any help you can provide.
Best Answer
In 16.04 the way to do this is with an 'interface' defined in the snapd code, that is driven by a custom schema in your snap definition. There are a bunch already defined, and it looks like all you need are:
You're unlikely to get a blanket /sys/devices/* landed, but I suspect you actually need specific types of access to specific types of devices, and those can all be designed and landed.
The best place to hash out what you need is in #snappy on freenode IRC, chat with zyga for pointers to code describing existing interfaces. Should be a simple patch to work up.
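As an added illustration of the answer's point about a blanket /sys/devices rule versus specific accesses (my own example, not code from the question or the answer): a small audit helper that parses path and capability rules like the ones added by hand above and reports which concrete accesses they actually grant. It assumes simplified AppArmor glob semantics (`**` crosses directory boundaries, `*` and `?` do not) and ignores alternation, variables and other rule kinds.

```python
import re

# Constructed sample profile fragment: the hand-added rules from the question,
# used here to show exactly which accesses each rule grants.
SAMPLE_RULES = """
/sys/devices/** r,
/sys/class/net/eth0/address r,
/dev/sda1 r,
capability sys_rawio,
"""

def glob_to_regex(pattern):
    # AppArmor path globs: '**' crosses '/' boundaries, '*' and '?' do not.
    # Simplification: '{a,b}' alternation and '[...]' classes are not handled.
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] in "*?":
            out.append("[^/]*" if pattern[i] == "*" else "[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_rules(text):
    """Return (path_rules, capabilities) from 'path perms,' and
    'capability name,' lines; other rule kinds are ignored."""
    path_rules, caps = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()
        if not line:
            continue
        if line.startswith("capability "):
            caps.update(line.split()[1:])
            continue
        m = re.fullmatch(r"(\S+)\s+([rwmklxia]+)", line)
        if m:
            path_rules.append((glob_to_regex(m.group(1)), set(m.group(2))))
    return path_rules, caps

def path_allowed(path_rules, path, perm):
    """True if some rule's glob matches `path` and grants `perm` (e.g. 'r')."""
    return any(rx.match(path) and perm in perms for rx, perms in path_rules)

def audit(profile_text, wanted):
    """wanted: list of (path, perm) pairs. Returns {(path, perm): bool} so a
    reviewer can see what a rule set really covers before shipping it."""
    path_rules, _ = parse_rules(profile_text)
    return {(p, m): path_allowed(path_rules, p, m) for p, m in wanted}
```

Running `audit` against a narrowed rule set such as `/sys/devices/* r,` shows that a single `*` no longer reaches nested device nodes, which is the kind of specific access the answer suggests designing into an interface.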