Auto connection request for cvescan ua-status

The new version of cvescan attempts to determine the system’s ubuntu-advantage status by reading /var/lib/ubuntu-advantage/status.json from hostfs.

A new plug was created for this that we would like to autoconnect.

ua-status:
  interface: system-files
  read:
  - /var/lib/snapd/hostfs/var/lib/ubuntu-advantage

It makes sense for cvescan to require read-only access to this file. Can you adjust your plugs to have this:

plugs:
  hostfs-var-lib-ubuntu-advantage:
    interface: system-files
    read:
    - /var/lib/snapd/hostfs/var/lib/ubuntu-advantage

with that change, +1 for use of and auto-connect for system-files in this manner.

@reviewers - can others please vote?

+1 for the auto-connection of system-files providing read-only access to /var/lib/snapd/hostfs/var/lib/ubuntu-advantage update: see below.

Wait I take that back. Can we make the interface specifically for status.json? There are tokens in /var/lib/snapd/hostfs/var/lib/ubuntu-advantage/private/ and I don’t believe cvescan needs access to those to determine UA status. +1 to auto-connected read-only access to /var/lib/snapd/hostfs/var/lib/ubuntu-advantage/status.json; tokens would need a bit more justification, I think.

@kyrofa - oh, yes, nice observation (I looked at status.json for secret stuff but didn’t see private/). I’m +1 if this is changed to:

plugs:
  hostfs-var-lib-ubuntu-advantage-status-json:
    interface: system-files
    read:
    - /var/lib/snapd/hostfs/var/lib/ubuntu-advantage/status.json

otherwise, can you please provide more justification?
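The narrowing above is a least-privilege decision: a system-files entry naming a directory reaches everything beneath it, so the original plug would have exposed private/ as well as status.json. The following is an added example, not code from the thread, cvescan or snapd: a small Python review helper that takes plug declarations (here written as Python dicts, constructed from the two declarations in this thread) and reports any system-files grant that reaches a path the reviewer considers sensitive. The sensitive-path list and the function names are assumptions for the example.

```python
import posixpath

# Constructed sample: the broad plug first proposed and the narrowed plug agreed on above.
PLUGS = {
    "hostfs-var-lib-ubuntu-advantage": {
        "interface": "system-files",
        "read": ["/var/lib/snapd/hostfs/var/lib/ubuntu-advantage"],
    },
    "hostfs-var-lib-ubuntu-advantage-status-json": {
        "interface": "system-files",
        "read": ["/var/lib/snapd/hostfs/var/lib/ubuntu-advantage/status.json"],
    },
}

# Constructed: host paths a reviewer does not want a snap to reach (the token
# directory mentioned in the thread). Extend this list for other reviews.
SENSITIVE = [
    "/var/lib/snapd/hostfs/var/lib/ubuntu-advantage/private",
]


def covers(granted, target):
    """Return True when a system-files entry `granted` reaches `target`.

    A grant reaches its own path exactly, and, when the entry is a directory,
    every path beneath it. Paths are normalised so trailing slashes and
    '..' segments do not produce false negatives.
    """
    g = posixpath.normpath(granted)
    t = posixpath.normpath(target)
    return t == g or t.startswith(g + "/")


def review_plugs(plugs, sensitive):
    """Check every system-files plug against the sensitive list.

    Returns {plug_name: [(mode, granted_path, sensitive_path), ...]} for each
    plug that reaches a sensitive path; plugs with no findings are omitted.
    """
    findings = {}
    for name, decl in plugs.items():
        if decl.get("interface") != "system-files":
            continue
        hits = []
        for mode in ("read", "write"):
            for granted in decl.get(mode, []):
                for s in sensitive:
                    if covers(granted, s):
                        hits.append((mode, granted, s))
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for plug, hits in review_plugs(PLUGS, SENSITIVE).items():
        for mode, granted, s in hits:
            print(f"{plug}: {mode} grant {granted} reaches {s}")
```

Running it reports only the directory-wide plug; the status.json plug produces no finding, which is the outcome the reviewers asked for.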


I agree with @jdstrand and @kyrofa, +1 for read-only access to status.json.

Thanks for the feedback! Those suggestions are great, only status.json is needed. I’ll make the changes as recommended.


3 votes for, 0 against for use of system-files for read-only access to /var/lib/snapd/hostfs/var/lib/ubuntu-advantage/status.json, with the interface reference of hostfs-var-lib-ubuntu-advantage-status-json.

Granted, this is now live. Note there is a corresponding change to the review-tools that is not in production yet, so uploads will fail automated review until it is. We can manually approve in the meantime.