Allow access to filesystem and network under strict confinement

Hi guys

We’ve a pre-built command line tool (called atcli) which aims to transfer files/directory to remote locations.
For that purpose, “atcli” needs access to filesystem + network.
Is this sufficient:

$ cat snapcraft.yaml
name: atcli
version: 1.0.1
summary: Cross-Platform Managed File Transfer Service
description: |
  ATCli allows securely transfer large files and directory at speed of light

base: core18

grade: stable
confinement: strict

plugs:
  config-atcli:
    interface: system-files
    read:
      - /
    write:
      - /

[…]

apps:
  atcli:
    command: atcli


Help appreciated.

Thanks
John

My pre-built tool is “Proprietary”. Is there any chance to use:
confinement: classic

and expect it to be accepted?

/John

While waiting for an answer, I tried these new settings:

confinement: strict

plugs:
  home:
  network:
  network-bind:
  removable-media:
  system-files-atcli:
    interface: system-files
    read: [/mnt,/etc,/var,/var/lib/snapd/hostfs/opt]
    write: [/mnt,/etc,/var,/var/lib/snapd/hostfs/opt]

apps:
  atcli:
    command: atcli
    plugs: [home,network,network-bind,removable-media,system-files-atcli]

But something’s broken somehow.

My command is able to access /var/log/clamav/clamav.log but unable to access /var/lib/xml-core/docbook-xml. Permissions to these files are the same and they are both under /var directory.

Why?

What are the correct settings to be able to read/write anything under these directories:

/mnt
/etc
/var
/opt