I have snapped ccls as a strict-mode snap but it seems this requires access to the various system headers under
/usr/include to operate correctly. Whilst this can clearly be achieved with a classic snap, this grants far too much authority than is really required - instead I had hoped to be able to use
system-files to grant
/usr/local/include but this doesn’t work either - is classic the only option or can system-files be augmented to support this use-case?
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 2206c36..c7894ae 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -25,12 +25,22 @@ description: | complete. Saving files will incrementally update the index. grade: stable -confinement: classic +confinement: strict license: Apache-2.0 +plugs: + system-headers: + interface: system-files + read: + - /usr/include + - /usr/local/include + apps: ccls: command: ccls + plugs: + - system-headers + - home parts: ccls:
amurray@sec-disco-amd64:~$ snap connections ccls Interface Plug Slot Notes home ccls:home :home - system-files ccls:system-headers - - amurray@sec-disco-amd64:~$ sudo snap connect ccls:system-headers amurray@sec-disco-amd64:~$ snap run --shell ccls amurray@sec-disco-amd64:/home/amurray$ find /usr/include/ /usr/include/ /usr/include/sudo_plugin.h