Classic confinement for 'mgccli'

  • name: mgccli
  • description: Magalu Cloud command line interface
  • snapcraft: we can’t provide the yaml, because we use Goreleaser to publish snaps: goreleaser_internal.yaml
  • upstream: GitHub - MagaluCloud/magalu
  • upstream-relation: admin
  • supported-category: public cloud agents
  • reasoning: strict confinement doesn’t allow all our S3-compatible functions to work.

I understand that strict confinement is generally preferred over classic.

I’ve tried the existing interfaces to make the snap work under strict confinement.

Hey @geffersonFerraz

Could you please explain what mgccli’s expected functionality is and what errors you found while running the snap with strict confinement?

Thanks

Hi @jslarraz

Magalu Cloud is the first public cloud in Brazil. And this is our CLI.

As is common with cloud companies, we also provide storage services (s3-compatible services), and with that, we need access to users’ files, both for reading and writing.

I tested the snap with strict confinement, and as expected according to the documentation, I couldn’t perform any upload or download operations from a bucket.

Therefore, I’m requesting classic mode for our snap.

Hey @geffersonFerraz

Sorry for the long delay in my response. I think that network interface should be enough to accomplish the described upload and/or download operations.

Could you please share the related apparmor denials that you observe when running your application?

Thanks

Hello @jslarraz

I made the changes you suggested:

I kept only interfaces that have automatic approval:

  • desktop
  • browser-support
  • network
  • network-bind

And I returned the application to ‘strict’ confinement.

With this, I generated version mgccli 0.37.0-rc1 (rev 16).

As we can see in the commands below, when executing my application I receive a “permission denied” error when reading the content of a simple text file.

➜  pwd
/home/gfz/s3-test-magalu
➜ ls
teste.txt
➜  mgccli.mgc object-storage objects upload --dst="snaptest" --src="teste.txt"
Error: error reading file: open teste.txt: permission denied
➜ mgccli.mgc object-storage objects upload --dst="snaptest" --src="/home/gfz/s3-test-magalu/teste.txt"
Error: error reading file: open /home/gfz/s3-test-magalu/teste.txt: permission denied

I’m waiting for more help with the issue, or the granting of permission to use ‘classic’ confinement. Thank you very much.

Hey @geffersonFerraz

This permission denied error is caused because the home interface is not connected. Could you please add the home interface (which also auto-connects) and give it a try?

Thanks
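
Added example, not part of the thread or the project's code: a small filter for the AppArmor denials the reviewer asks for, tying a denied path like the one above to the home interface. The log lines are constructed; the profile name `snap.mgccli.mgc` (snapd's `snap.<snap>.<app>` pattern applied to the `mgccli.mgc` command), home directories under `/home`, and the helper names are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed sample kernel audit lines (not taken from the thread).
# Assumption: the profile is snap.mgccli.mgc, per snapd's snap.<snap>.<app> naming.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:210): apparmor="DENIED" operation="open" profile="snap.mgccli.mgc" name="/home/gfz/s3-test-magalu/teste.txt" pid=4242 comm="mgc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.305:211): apparmor="DENIED" operation="open" profile="snap.mgccli.mgc" name="/home/gfz/.config/example/settings" pid=4242 comm="mgc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.410:212): apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/example.conf" pid=5000 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.512:213): apparmor="ALLOWED" operation="open" profile="snap.mgccli.mgc" name="/home/gfz/notes.txt" pid=4242 comm="mgc" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bare_value pairs in an audit record
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key/value pairs of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def interface_hint(path):
    """Hypothetical helper: suggest which interface could cover a denied path."""
    parts = PurePosixPath(path).parts  # ('/', 'home', 'gfz', 'dir', 'file')
    if len(parts) >= 4 and parts[1] == "home":
        # The home interface does not cover hidden top-level entries in $HOME.
        if parts[3].startswith("."):
            return "hidden top-level entry: not covered by home"
        return "home"
    return "review manually"


def denials_for(log, snap):
    """List (profile, path, denied_mask, hint) for DENIED records of one snap."""
    prefix = f"snap.{snap}."
    rows = []
    for line in log.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or not f.get("profile", "").startswith(prefix):
            continue
        path = f.get("name", "")
        rows.append((f["profile"], path, f.get("denied_mask", ""), interface_hint(path)))
    return rows


if __name__ == "__main__":
    for row in denials_for(SAMPLE_LOG, "mgccli"):
        print(*row, sep="\t")
```

On a real system the same function can be fed the kernel log text instead of `SAMPLE_LOG`.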

Hello @jslarraz,

Thank you so much for your attention and help. We were able to perform the file upload/download operation using our CLI.

Thanks again.

Hey @geffersonFerraz

Great! ^^

I think that the desktop and browser-support interfaces are probably not needed either. So maybe you can try to also remove them if you want to reduce the attack surface :wink:

Thanks

Hi @jslarraz

Thank you for the suggestion

About the desktop and browser-support interfaces - they are actually necessary because our CLI has an authentication flow that depends on the browser.

Here’s our flow: user > $ mgc auth login > initiates an http listen > launches browser with login URL > returns the response to the http listener

I tested removing just the desktop interface, and that was enough to break our authentication flow.

Can we continue this way?

Thanks.

Oh, good point. You are right, the desktop interface is needed to launch the browser.

Unless I’m missing something else, browser-support should not be needed for that workflow, in case you still want to give it a try. This is just a suggestion to improve the overall security posture (which I think benefits everyone ^^), but you are OK to continue either way.

You are right.

I removed the browser-support and our auth flow still worked correctly. :slight_smile:

Thanks