Hi,
Based on this code https://github.com/snapcrafters/sublime-text/blob/master/snap/snapcraft.yaml I’m trying to create a snap package but with strict confinement.
When I try, I get the following error:
Mar 03 16:10:46 hostname kernel: audit: type=1400 audit(1614787846.542:126807): apparmor="DENIED" operation="mknod" profile="snap.sublime-text.subl" name="/dev/shm/122560:subl_api_send" pid=122560 comm="sublime_text" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
As shown in /var/lib/snapd/apparmor/profiles/snap.sublime-text.subl these are the allowed files on /dev/shm using strict confinement:
# App-specific access to files and directories in /dev/shm. We allow file
# access in /dev/shm for shm_open() and files in subdirectories for open()
# bind mount not used here (see 'parallel installs', above)
/{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.** mrwlkix,
# Also allow app-specific access for sem_open()
/{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.* mrwlk,
Can you add support for strict confinement?
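An added example, not part of the original post and not snapd code: it parses the denial quoted above and checks the denied path against the two /dev/shm rules from the profile, showing that the path lacks the `snap.<instance>.` prefix those rules require. The function names are hypothetical and the glob translation is a simplified assumption covering only `{a,b}`, `**` and `*`.

```python
import re

# Sample input: the denial from the post (kernel prefix dropped, straight quotes).
SAMPLE = ('audit: type=1400 audit(1614787846.542:126807): apparmor="DENIED" '
          'operation="mknod" profile="snap.sublime-text.subl" '
          'name="/dev/shm/122560:subl_api_send" pid=122560 comm="sublime_text" '
          'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000')

# The two /dev/shm path rules quoted from the strict profile.
SHM_RULES = [
    "/{dev,run}/shm/snap.@{SNAP_INSTANCE_NAME}.**",
    "/{dev,run}/shm/sem.snap.@{SNAP_INSTANCE_NAME}.*",
]

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def rule_to_regex(rule, instance):
    """Translate an AppArmor path glob to a regex (simplified assumption)."""
    rule = rule.replace("@{SNAP_INSTANCE_NAME}", instance)
    parts = []
    for tok in re.split(r'(\{[^}]*\}|\*\*|\*)', rule):
        if tok == "**":                      # any characters, including '/'
            parts.append(".*")
        elif tok == "*":                     # any characters except '/'
            parts.append("[^/]*")
        elif tok.startswith("{"):            # {a,b} alternation
            alts = tok[1:-1].split(",")
            parts.append("(?:" + "|".join(map(re.escape, alts)) + ")")
        else:                                # literal text
            parts.append(re.escape(tok))
    return re.compile("".join(parts))

def allowed_by(path, instance):
    """Return the quoted rules whose pattern matches the whole path."""
    return [r for r in SHM_RULES if rule_to_regex(r, instance).fullmatch(path)]

def explain(line):
    """Summarise why a /dev/shm denial does or does not fit the profile."""
    f = parse_denial(line)
    # Profile names have the form snap.<instance>.<app>
    instance = f["profile"].split(".")[1]
    return {"instance": instance, "path": f["name"],
            "operation": f["operation"], "denied_mask": f["denied_mask"],
            "allowed_by": allowed_by(f["name"], instance),
            "expected_prefix": f"/dev/shm/snap.{instance}."}

if __name__ == "__main__":
    print(explain(SAMPLE))
```
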