Blender is classic, gimp is strict

What is the rule to assign confinement policies to snaps?

I want to access Images in /data/Docs:

  • i can do it with blender
  • I can’t with gimp…


See the Blender snap post, having Blender strict is actually the goal. Would the removable-media interface work for you, you’d have to move /data/ to /media/ though.

Another solution would be Desktop portals, but GIMP would have to be made aware of portals.

/data is not a standard location so it’s unlikely that there will be an interface for that.

1 Like

@Saviq would storing docs in the home folder also work?

Oh yeah, that’s via the home interface, and that one’s even autoconnected.

A quick workaround is to create a bindmount from /data to ~/data, that will allow you to access the files via $HOME/data/Docs for the time being

yes but it is not desktop user friendly: a standard user should not have to manage mounts like that.

why not allowing an admin to add custom path (and secured , since admin know them) to allowed paths, for any snap, for every user sessions?

A standard user would not manage mount at all IMO and all mounted generic filesystems should be under /media.

why using /media is more secure than using original mounts directly?

I found no posts claiming /media is more secure… :-/ It’s just one of the path defined in the File Hierarchy Standard.

BTW now /mnt is also accessible with the removable-media interface.

A concern is why we don’t support explicitly poking holes in the confinement by the superuser just like Flatpak does.