Classic confinement for ubuntu-package-manifest snap

I request permission to release ubuntu-package-manifest as a classic snap.

This is a simple utility to generate package version manifests like and will be used in conjunction with .

It is not possible to achieve this as a strict snap as I can’t see any interface that would allow for listing currently installed deb packages and snap packages.

You can see the simple script being used @ in the snap to generate the manifests.

Have you taken a look at the system-files interface? I imagine having read access to /var/lib/dpkg and shipping the dpkg/dpkg-query binaries inside the snap might work with strict confinement …


Interesting. I will try


Thanks @ogra. I tried but I was not successful.

    interface: system-files
    - /var/lib/dpkg/status

But I just get

    dpkg-query: error: failed to open package info file '/var/lib/dpkg/status' for reading: No such file or directory

errors. See for full snapcraft.yaml.

I connected the system-files interface using snap connect ubuntu-package-manifest:dpkg-data

Have I missed something obvious?

This should be enough. Did you try to use the toplevel dir instead of just the status file (i.e. /var/lib/dpkg)?

I did. Same issue unfortunately.

You should be able to see the system package database as /var/lib/snapd/hostfs/var/lib/dpkg/status. Running dpkg --root /var/lib/snapd/hostfs ... would likely be enough to get a listing.


alternatively a layout might work too, so you do not need to change your source.

Thank you both.

I tried

dpkg-query --show --admindir=/var/lib/snapd/hostfs/var/lib/dpkg


snap run --shell ubuntu-package-manifest

but I get a permissions error

    dpkg-query: error: failed to open package info file '/var/lib/snapd/hostfs/var/lib/dpkg/status' for reading: Permission denied

I also tried to use a layout:

    bind-file: $SNAP/var/lib/dpkg

But I am then unable to install the snap

    $ sudo snap install --dangerous ./ubuntu-package-manifest_0.1_amd64.snap
    error: cannot perform the following tasks:
    - Setup snap "ubuntu-package-manifest" (unset) security profiles (cannot update mount namespace of snap "ubuntu-package-manifest": cannot update preserved namespace of snap "ubuntu-package-manifest": cannot update snap namespace: cannot use "/snap/ubuntu-package-manifest/x16/var/lib/dpkg" as bind-mount source: not a regular file)

you want bind: or symlink: the bind-file: literally tries to bind mount the dir to a file …

Thank you both again.

Based on your advice I looked into layouts and also hostfs and found the which works great for reading dpkg data.

See for the required changes.

I’m now looking into whether this is possible for snaps too using a similar approach. Are you aware of a way to do this? Unfortunately snap list does not accept any argument or option like dpkg-query does with --admindir.

Also, is it possible to request auto connect for the system-backup interface?

I have a potential solution for listing snaps using /var/lib/snapd/hostfs/ - see

I have created a new topic @ Reading tracking information of host installed snaps from another snap to try to figure out how to read all info for each snap.

Even if I proceed as-is, is it possible to request auto connect for the system-backup interface for the ubuntu-package-manifest strict snap?

all your local snap information should be in /var/lib/snapd/state.json

to properly get the track info you’d rather use the snapd API through the snapd-control interface, but this will prevent you from uploading your snap to the global store since this interface is pretty exclusively reserved for brand stores (it allows completely owning the device after all)

Brilliant. Thank you.
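
The dpkg read discussed in this thread, as an added example that is not part of any post or of the snap's own script: a parser for the `status` file under the hostfs path that lists installed packages with versions and separates the two errors seen above (path absent from the snap's mount namespace versus read denied by confinement). The function names and the sample stanzas are constructed for illustration.

```python
import os

HOSTFS = "/var/lib/snapd/hostfs"  # host root as seen inside the snap (path from the thread)
# Constructed sample in dpkg status format; not data from the thread.
SAMPLE = """Package: bash
Status: install ok installed
Version: 5.1-6
Description: GNU Bourne Again SHell
 Continuation line: skipped by the parser.

Package: libc6
Status: install ok installed
Architecture: amd64
Multi-Arch: same
Version: 2.35-0

Package: oldpkg
Status: deinstall ok config-files
Version: 1.0-1
"""

def parse_status(text):
    """Return {package: version} for stanzas whose state is 'installed'."""
    manifest = {}
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # continuation of a multi-line field
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        state = fields.get("Status", "").split()[-1:]  # "<want> <flag> <state>"
        if state != ["installed"] or not {"Package", "Version"} <= fields.keys():
            continue  # removed packages that left config files are not installed
        name = fields["Package"]
        if fields.get("Multi-Arch") == "same":  # keep co-installed architectures apart
            name += ":" + fields.get("Architecture", "unknown")
        manifest[name] = fields["Version"]
    return manifest

def read_host_manifest(root=HOSTFS):
    path = os.path.join(root, "var/lib/dpkg/status")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return parse_status(fh.read())
    except FileNotFoundError as exc:
        raise RuntimeError(f"{path}: not visible in this mount namespace") from exc
    except PermissionError as exc:
        raise RuntimeError(f"{path}: read denied, is the interface connected?") from exc
```

Passing a different `root` lets the same function run against a copied database outside the snap.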