Permission problems with the snap #54

Open
ychaouche opened this issue Mar 22, 2023 · 0 comments

Preconditions

10:46:21 ~ -1- $ tango -v
Tango version 1.1.1 (21f4d3dbc8836d4200b0fefca28f982847620c9a)
11:13:31 ~ -1- $

Steps to reproduce

$ tango journey -l /tmp/access.log -r /tmp/access.log.journey

or

$ tango journey -l /mnt/data/access.log -r /mnt/data/access.log.journey

Expected result

Should run

Actual results

either permission denied or file not found.

10:44:17 ~ -1- $ tango journey -l /tmp/roundcube.access -r TMP/roundcube.access.journey
💃 Tango is on the scene!
💃 started to generate a visitor's journey report...
💃 reading access logs...
2023/03/22 10:46:21 open /tmp/roundcube.access: no such file or directory
11:13:31 ~ -1- $ ls /tmp/roundcube.access
-rwxr-xr-x 1 ychaouche ychaouche 3.4M Mar 22 10:22 /tmp/roundcube.access
11:17:42 ~ -1- $


09:35:27 ~ -1- $ tango journey -l DATA/roundcube.access -r DATA/roundcube.access.journey
💃 Tango is on the scene!
💃 started to generate a visitor's journey report...
💃 reading access logs...
2023/03/22 09:35:28 open DATA/roundcube.access: permission denied
09:35:28 ~ -1- $ ls DATA/roundcube.access -r
-rwxrwxrwx 1 root root 3.4M Mar 22 09:26 DATA/roundcube.access
09:35:34 ~ -1- $

Commentary

The problem seems to come from apparmor.
Here's what's in my syslog

Mar 22 09:35:11 ychaouche-PC kernel: [ 2484.149862] audit: type=1400 audit(1679474111.364:138): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=8910 comm="tango" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 22 09:35:28 ychaouche-PC kernel: [ 2501.473736] audit: type=1400 audit(1679474128.688:139): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=8958 comm="tango" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 22 09:37:00 ychaouche-PC dbus[1082]: [system] Activating service name='org.freedesktop.systemd1' (using servicehelper)
Mar 22 09:37:00 ychaouche-PC dbus[1082]: [system] Successfully activated service 'org.freedesktop.systemd1'
Mar 22 09:38:15 ychaouche-PC kernel: [ 2668.112283] audit: type=1400 audit(1679474295.329:140): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=9044 comm="tango" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 22 09:42:39 ychaouche-PC kernel: [ 2932.648803] audit: type=1400 audit(1679474559.875:141): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=9158 comm="tango" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 22 09:42:59 ychaouche-PC kernel: [ 2951.837491] audit: type=1400 audit(1679474579.064:142): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=9196 comm="tango" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 22 09:44:07 ychaouche-PC kernel: [ 3019.986808] audit: type=1400 audit(1679474647.216:143): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=9528 comm="tango" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 22 09:44:24 ychaouche-PC kernel: [ 3036.962988] audit: type=1400 audit(1679474664.192:144): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=9566 comm="tango" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Looking at the apparmor profile
(/var/lib/snapd/apparmor/profiles/snap.tango.tango),
I could find that there's read access to /tmp/,
but also read a comment about /tmp/ being created for each specific snap,
so I'm not sure which is which.

  # The ubuntu-core-launcher creates an app-specific private restricted /tmp
  # and will fail to launch the app if something goes wrong. As such, we can
  # simply allow full access to /tmp.
  /tmp/   r,
  /tmp/** mrwlkix,
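
An added example, not part of the original issue or of the Tango project: a small Python triage script that groups AppArmor denials like the ones in the syslog excerpt above by profile, path and denied mask, and reports whether root (fsuid 0) was denied too. The function names are made up for illustration; the sample lines are copied from the excerpt.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the syslog excerpt in the issue.
SAMPLE = '''\
Mar 22 09:35:11 ychaouche-PC kernel: [ 2484.149862] audit: type=1400 audit(1679474111.364:138): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=8910 comm="tango" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 22 09:37:00 ychaouche-PC dbus[1082]: [system] Activating service name='org.freedesktop.systemd1' (using servicehelper)
Mar 22 09:38:15 ychaouche-PC kernel: [ 2668.112283] audit: type=1400 audit(1679474295.329:140): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=9044 comm="tango" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 22 09:42:59 ychaouche-PC kernel: [ 2951.837491] audit: type=1400 audit(1679474579.064:142): apparmor="DENIED" operation="open" profile="snap.tango.tango" name="/mnt/partage_local/DATA/roundcube.access" pid=9196 comm="tango" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

# key=value pairs as they appear in the audit record (quoted or bare values).
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def summarize(lines):
    """Group denials by (profile, path, denied_mask) with count and fsuids."""
    groups = defaultdict(lambda: {"count": 0, "fsuids": set()})
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        key = (fields.get("profile"), fields.get("name"), fields.get("denied_mask"))
        groups[key]["count"] += 1
        if fields.get("fsuid", "").isdigit():
            groups[key]["fsuids"].add(int(fields["fsuid"]))
    return dict(groups)


def denied_for_root_too(group):
    """True when fsuid 0 was denied as well: sudo or chmod will not help."""
    return 0 in group["fsuids"]


if __name__ == "__main__":
    for (profile, path, mask), g in summarize(SAMPLE.splitlines()).items():
        print(f"{profile}: '{mask}' on {path} denied {g['count']}x, "
              f"fsuids={sorted(g['fsuids'])}, root denied={denied_for_root_too(g)}")
```
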