Access to $HOME/.local/share/keyrings via personal-files interface not working as expected

Hi everyone,

I’m currently developing a Snap (with strict confinement) that needs access to the local GNOME keyring in order to configure the default keyring file located at $HOME/.local/share/keyrings/default.

Here is the relevant part of my snapcraft.yaml:

name: elam-solutions
version: '0.2'
grade: devel

base: core22
confinement: strict

plugs:
  dot-local-share-keyrings:
    interface: personal-files
    write:
      - $HOME/.local/share/keyrings

parts:
  agent:
    plugin: dotnet
    dotnet-build-configuration: Release
    dotnet-self-contained-runtime-identifier: linux-x64
    source: .
    build-packages:
      - dotnet-sdk-8.0
    stage-packages:
      - libicu70

apps:
  agent:
    command: POC.Snap.Service
    daemon: simple
    restart-condition: always
    plugs:
      - dot-local-share-keyrings
      - network

I install the snap with:

sudo snap install elam-solutions.snap --devmode --dangerous

Then I connect the plug:

sudo snap connect elam-solutions:dot-local-share-keyrings

And restart the snap:

sudo snap restart elam-solutions

However, when the service tries to write to the keyring file, I get the following output from snappy-debug, and without --devmode the access does not work at all:

= AppArmor =
Time: Apr  8 12:38:08
Log: apparmor="ALLOWED" operation="truncate" class="file" profile="snap.elam-solutions.agent" name="/home/armbruster/.local/share/keyrings/default" pid=3972 comm="POC.Snap.Servic" requested_mask="w" denied_mask="w" fsuid=0 ouid=1000
File: /home/armbruster/.local/share/keyrings/default (write)
Suggestions:
* adjust program to write to $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
* add 'personal-files (see https://forum.snapcraft.io/t/the-personal-files-interface for acceptance criteria)' to 'plugs'

My questions:

  1. Is this expected behavior, even though the personal-files plug explicitly declares write access to this path?
  2. Are there any additional requirements or known restrictions when accessing keyrings or other sensitive user data?
  3. Would it make sense to formally request permission for this personal-files access via the forum, even though the snap is currently only used locally?

Any insights or guidance would be greatly appreciated!
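
An added example, not part of the original post: a small triage helper that parses the AppArmor record quoted above and compares the writer's `fsuid` with the file's `ouid`. It assumes snapd emits personal-files rules with AppArmor's `owner` qualifier, which only matches when the two uids are equal; the function names and the second record are constructed for illustration.

```python
import re

# Audit record copied from the post above (snappy-debug "Log:" line).
POSTED = ('apparmor="ALLOWED" operation="truncate" class="file" '
          'profile="snap.elam-solutions.agent" '
          'name="/home/armbruster/.local/share/keyrings/default" pid=3972 '
          'comm="POC.Snap.Servic" requested_mask="w" denied_mask="w" '
          'fsuid=0 ouid=1000')
# Constructed record: same access attempted by the file's owner (uid 1000).
CONSTRUCTED = POSTED.replace("fsuid=0", "fsuid=1000")

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Split an AppArmor audit record into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def triage(line):
    """Summarise one record: what was hit, and whether an owner rule could match."""
    f = parse_audit(line)
    fsuid, ouid = int(f["fsuid"]), int(f["ouid"])
    notes = []
    if f["apparmor"] == "ALLOWED":
        # Complain mode (--devmode) logs the violation but lets it through.
        notes.append("logged only: the same access is denied once enforced")
    if fsuid != ouid:
        # Assumption: the personal-files rule is owner-qualified.
        notes.append(f"fsuid {fsuid} != ouid {ouid}: an 'owner' rule cannot match")
    if fsuid == 0 and f["profile"].startswith("snap."):
        notes.append("process runs as root, e.g. a system daemon app")
    return {"path": f["name"], "mask": f["denied_mask"],
            "owner_mismatch": fsuid != ouid, "notes": notes}


if __name__ == "__main__":
    for record in (POSTED, CONSTRUCTED):
        result = triage(record)
        print(result["path"], result["mask"], result["notes"])
```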