Can I give Chromium/Firefox access to shared ~/.tmp

I run a build script, and subsequent test suite, for QGIS. For certain errors it creates an html document in $TMPDIR and opens that document with the default browser, via XDG.

$TMPDIR is set to ~/.tmp, and I don’t remember changing this, so I believe it is default.

Chromium and Firefox, when installed via snap, don’t have access to ~/.tmp.

I’ve been reading for the last few hours about snap and snap interfaces, and I wonder if I can somehow set up the Chromium snap, such that it has a “connection” (?) to access ~/.tmp? It seems all folders in $HOME that start with a period are off limits.

I know I can set a different value for $TMPDIR, e.g. ~/tmpdir, but I would prefer not to, for reasons I won’t go into.

Hello @ThomasW!

Normally, maybe in your main program you can create a particular directory in $HOME/.local/share and have or request full access to it. :face_with_monocle:

No, it’s kind of not possible right now to do so. Snaps have their own temp directory. So, you can manually access that, but it can’t be shared.

Thanks for replying.

I noticed you wrote “right now”, so I wonder if they hope to offer a solution eventually? It seems very restrictive not to be able to open any file saved to tmp with a snap browser, especially now that snap is the default for installing browsers on Ubuntu :slight_smile:

@ogra I saw you commented on this topic in another thread, “Accessing /tmp from snaps? - #15 by quattrolinux”. I would appreciate it if you brought your insights into this thread :slight_smile:

You chose a phrase something along the lines of “so snaps can’t steal data from other application”. The issue is that some of the files that traditional non-snap apps save to /tmp are meant for other apps to read. Maybe not steal, but indeed read :slight_smile:

In my case, a build script writes the test report to /tmp, and the intention is that it can be opened by a browser. Would you say that the authors of the build script have misunderstood the conventions by saving such a file to that location? Or have conventions just changed (at least on Ubuntu) now that Snap has become the default way for installing a browser on Ubuntu?

That’s where the portals come into play, I believe. Any app can still open it via portals? Can you kindly give us the scenario to test with? At least I could give it a try?

Basically your options sum up as:

  1. Move ~/.tmp so the path won’t cause a denial
  2. Bind mount another folder, e.g., ~/tmp-link to ~/.tmp, and use the link to it, so AppArmor will not detect the path as a denial.
  3. Override the AppArmor profiles to include ~/.tmp by editing the generated profiles in /var/snapd, but this needs to be done every time the browser and underlying snaps update, as this file is regenerated and any edits would be discarded by newer versions.

However in terms of long term proper fixes, there’s currently work going on in snapd’s experimental branches relating to having a GUI appear that would say something like “Firefox is trying to access ~/.tmp, would you like to allow this?” that would perform the AppArmor profile adjustment in a way that would be user friendly and persistent. This might be available in Ubuntu 24.10 and would be the long term fix for this general use case where the portals aren’t able to assist.

/tmp itself wouldn’t likely be covered by the work above (at least yet) because /tmp is on a bind mount itself, so the folders literally are not there to access via the normal path; AppArmor isn’t blocking those, /tmp is simply not the same folder in the host as it is the confined snap, whereas /home is.

Decent writeup of the experimental feature: https://www.omgubuntu.co.uk/2024/09/prompting-client-snaps-ubuntu
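
The two rules stated in this thread (names in $HOME that start with a period are off limits, and /tmp inside the snap is not the host's /tmp) written as a check a build script could run before handing a report to a snap-installed browser. This is an added example, not part of any post above: the function names and the `snap-visible-reports` directory are hypothetical, and paths are assumed to be absolute and normalized.

```shell
#!/bin/sh
# Added example. Classify a path by how a confined snap browser would see it,
# using only the two rules described in the thread.
# Usage: snap_path_class PATH [HOME_DIR]   (HOME_DIR defaults to $HOME)
snap_path_class() {
    path=$1
    home=${2:-$HOME}
    home=${home%/}                  # drop a trailing slash before comparing
    case $path in
        "$home"/*)
            rel=${path#"$home"/}    # path relative to the home directory
            first=${rel%%/*}        # first component under $HOME
            case $first in
                .*) echo hidden-home ;;   # e.g. ~/.tmp/report.html
                *)  echo ok ;;            # e.g. ~/tmp-link/report.html
            esac
            ;;
        /tmp|/tmp/*)
            echo private-tmp ;;     # the snap has its own /tmp
        *)
            echo unknown ;;         # not covered by the thread
    esac
}

# Print a path that can be handed to the browser. A file in a location the
# snap cannot read is copied into a non-hidden directory under $HOME first.
# Usage: snap_safe_report_path FILE [HOME_DIR]
snap_safe_report_path() {
    src=$1
    base=${2:-$HOME}
    base=${base%/}
    if [ "$(snap_path_class "$src" "$base")" = ok ]; then
        printf '%s\n' "$src"
        return 0
    fi
    dest=$base/snap-visible-reports     # hypothetical directory name
    mkdir -p "$dest" && cp -- "$src" "$dest/" || return 1
    printf '%s\n' "$dest/${src##*/}"
}
```

A build script would call `xdg-open "$(snap_safe_report_path "$report")"` instead of opening the file in $TMPDIR directly.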