Wait I take that back. Can we make the interface specifically for status.json? There are tokens in /var/lib/snapd/hostfs/var/lib/ubuntu-advantage/private/ and I don’t believe cvescan needs access to those to determine UA status. +1 to auto-connected read-only access to /var/lib/snapd/hostfs/var/lib/ubuntu-advantage/status.json; tokens would need a bit more justification, I think.
3 votes for, 0 against for use of system-files for read-only access to /var/lib/snapd/hostfs/var/lib/ubuntu-advantage/status.json, with the interface reference of hostfs-var-lib-ubuntu-advantage-status-json.
Granted, this is now live. Note there is a corresponding change to the review-tools that is not in production yet, so uploads will fail automated review until it is. We can manually approve in the meantime.