Classic confinement for mosh


#1

The mosh snap needs to be set to classic to allow the user to do ssh-things when connected.

Description and source can be found in the call for testing.


#2

I’ve just checked the mosh store review and the use of classic was approved by @evan on September 29th :slight_smile:


#3

@Wimpress - the request seems to be for https://dashboard.snapcraft.io/dev/snaps/8487 and I don’t see any feedback indicating it was accepted. There is another mosh snap in the store, but it is using devmode.


#4

@msis It would actually be nice to have this one fully confined. It’d mean being able to use it from more distributions and also from Ubuntu Core. Can you provide some details about why the confinement is being an issue there?


#5

No access to ~/.ssh unless you use classic confinement is the cited reason. Not the first time we’ve seen developers use classic for applications requiring access to ssh or gnupg keys.


#6

We can easily introduce interfaces for that. Perhaps ssh-keys and gnupg-keys?

Is there anything else?


#7

A post was split to a new topic: Access to dotfiles from IntelliJ


#8

@niemeyer Those interface names sound sensible to me and are the only two examples of dot directory access that has prevented snap publishers from staying strictly confined.


#9

@jdstrand What do you think of those interfaces? Should we split them up, maybe:

  • private-ssh-keys (gives access to both private and public keys)
  • public-ssh-keys (public only)
  • private-gnupg-keys (private and public keyrings)
  • public-gnupg-keys (public keyring only)

#10

Alternatively, ssh-public-keys, ssh-private-keys, etc, so it sorts properly.


#11

I wonder if this would be better:

  • ssh-public-keys (public only and safe config)
  • ssh-keys (public, private and all config)
  • gpg-public-keys (public only and safe config)
  • gpg-keys (public, private and all config)

I agree that ‘private’ should include private and public and leaving ‘private’ out of the name conveys that better to me.

If you agree to the naming, I can add this to my backlog. I’d like to study typical accesses a little.


#12

In the interest of time, I created https://github.com/snapcore/snapd/pull/4100 so we can discuss how best to proceed.

@msis - I would be curious on your input in that PR. If you want, you can install your snap in strict mode, then adjust /var/lib/snapd/apparmor/profiles/snap.mosh.mosh (or whatever makes sense) with what is in ‘ssh-keys’ in that PR, then load into the kernel with: sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.mosh.mosh. Importantly, if you install/refresh/remove/reboot/etc the changes will be overwritten.


#13

This is now committed to master and will be in 2.30.