Hi!
I have built a snap for pebble (https://github.com/canonical/pebble). Looking at the guidelines, I believe Pebble falls into the Supported categories, mainly due to:
- the dynamic Pebble data and socket paths (`$PEBBLE` and `$PEBBLE_SOCKET`), which default to, respectively, `/var/lib/pebble/default` and `/var/lib/pebble/default/.pebble.socket`
- the user-defined Pebble layers go into `${PEBBLE}/layers`
- Pebble services will call out to executables that might be located anywhere in the host filesystem
- Pebble also offers `exec` capabilities
While I guess system-file could be used to enable strict confinement for this Snap, I'm afraid it would constrain quite a bit the user experience.
Refs:
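As an added illustration of the path argument in the post above (this is example code, not part of the original post nor of the Pebble project), the script below resolves the Pebble data, socket and layers paths with the defaults the post gives, and then reports whether each one falls inside the directories a strictly confined snap is allowed to write to. It assumes snapd's standard `$SNAP_DATA` and `$SNAP_COMMON` variables; the "inside/outside" check is a deliberate simplification that ignores interfaces such as system-files, which the post mentions as a way to reach other paths.

```shell
# Added example (not the post's or Pebble's code): resolve the Pebble paths
# described in the post and classify them against the snap-writable areas.

# Data directory: $PEBBLE if set, otherwise the default quoted in the post.
pebble_data_dir() {
    printf '%s\n' "${PEBBLE:-/var/lib/pebble/default}"
}

# Socket path: $PEBBLE_SOCKET if set, otherwise .pebble.socket inside the data dir.
pebble_socket_path() {
    printf '%s\n' "${PEBBLE_SOCKET:-$(pebble_data_dir)/.pebble.socket}"
}

# Layers directory: user-defined layers live under ${PEBBLE}/layers.
pebble_layers_dir() {
    printf '%s\n' "$(pebble_data_dir)/layers"
}

# Return 0 when $1 lies under $SNAP_DATA or $SNAP_COMMON (snapd's writable
# per-snap directories, assumed here), 1 otherwise. Strict confinement
# denies writes outside these without an additional interface.
inside_snap_writable() {
    p=$1
    for base in "${SNAP_DATA:-}" "${SNAP_COMMON:-}"; do
        [ -n "$base" ] || continue
        case "$p" in
            "$base"|"$base"/*) return 0 ;;
        esac
    done
    return 1
}

# Human-readable verdict for one path: "inside" or "outside".
classify_path() {
    if inside_snap_writable "$1"; then echo inside; else echo outside; fi
}

# Print one line per Pebble path with its verdict, e.g.
#   /var/lib/pebble/default: outside snap-writable area
pebble_confinement_report() {
    for p in "$(pebble_data_dir)" "$(pebble_socket_path)" "$(pebble_layers_dir)"; do
        printf '%s: %s snap-writable area\n' "$p" "$(classify_path "$p")"
    done
}
```

Running `pebble_confinement_report` with the defaults and no `$PEBBLE` override shows all three paths landing outside the snap-writable tree, which is the situation the post describes; pointing `$PEBBLE` at `$SNAP_COMMON` moves them inside, but only the data, socket and layers paths, not the arbitrary host executables that Pebble services and `exec` reach for.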