Classic confinement for bcachectl

bcachectl deals with bcache devices. it needs access to various system level dirs, some could be accessed with interfaces/layouts (eg. config files in /etc, and block devices), but there are many that cannot. For example, it makes heavy use of bcache kernel interfaces in /sys/block//bcache (read and write). These are not known in advance since the device name is not known in advance and changes from system to system.

Hey @rafalop, according to Process for reviewing classic confinement snaps, Classic requests should fall under at least one of the supported categories. Could you please clarify if bcachectl fits within any of the supported categories? Thanks.

I cannot see that it fits in any supported category. It is a low level system level tool requiring write access to files in /dev, and also files in /sys that are not known in advance of invoking the tool, so I cannot use the system files interface for this reason.

Although it does not fit in a category that I can see, it does fit the mentioned criteria:

"This lists some criteria that might require classic (non-exhaustive):

  • access to files on the host outside the snap’s runtime (eg, /usr) …"

ie. bcachectl needs access to files on the host outside the snap’s runtime (/dev/, /sys) in order to be able to manage bcache devices.

After having a conversation with the team (@alexmurray), and since the snap does not fits in any supported category for classic confinement, we recommend getting in touch with the snapd team and discuss the issue with them further (e.g. the possibility of solving this issue with a potentially new interface). Thanks.

1 Like

@rafalop hey,

Did you have a chance to discuss this request with the snapd team as suggested?

@emitorino yes, they recommended that I submit a new interface (PR) for snapd. I started working on it but encountered some issues during testing it and haven’t had a chance to finish.

1 Like

@rafalop thanks for the status update. Ping us here if you need anything from the reviewers team.

I will keep this request open in the meantime.


Hey @rafalop ,

Did you make any progress with the interface PR? Thanks!

hello @emitorino , i submitted PR over the weekend. can you help me get it reviewed?

@rafalop apologize for the delay.

I see @alexmurray left some comments and then you also answered… so pinging @alexmurray again to see if he can continue the security review. Also @jslarraz might be able to help :slight_smile: .