Classic confinement request: avdl

Hello,

I’d like to ask for classic confinement for the snap avdl. It is a compiler for the programming language of the same name. It is meant to be used like gcc and similar compilers, where the user passes a filename on the command line to compile.

I also plan to upload games made with this language, using this snap as dependency, and from what I’ve tried so far, this is only possible with “classic” confinement.

The snap can be found here: https://snapcraft.io/avdl
The first version with “classic” confinement is version 0.0.4-2.

I’m still learning about snaps. Let me know if there’s any alternative option I may have missed. From what I’ve read, compilers are for the most part meant to have this request.

As per the Process for reviewing classic confinement snaps, compilers are a supported use-case for classic confinement; however, not all compilers necessarily need classic confinement. If all the files that the compiler consumes are, say, located within a user's project directory, then perhaps strict confinement with the home interface may be sufficient. Can you please outline why avdl requires classic confinement, or, put another way, what fails if you use strict confinement?

If all the files that the compiler consumes are, say, located within a user's project directory, then perhaps strict confinement with the home interface may be sufficient.

This is correct. For a typical use-case, if the user decides to compile files located in their home directory, the avdl compiler will only read the files passed to the compiler, and create compiled files in the same directory.

Can you please outline why avdl requires classic confinement, or, put another way, what fails if you use strict confinement?

I tried to make a snap out of a game that is written in the avdl language, and I used the avdl snap as a dependency. During the process of the snap being created, I got a permission error from avdl. This is when I started reading about the different confinements.

Off the top of my head, I think I remember snaps being compiled in a directory outside the user’s home one, so not sure if strict confinement with the home interface will be enough.

As a side note, the new build with classic confinement was rejected with the message AutomaticallyRejected. Let me know if I need to re-upload it, or follow different steps with a different confinement setup.

@darkdimension, hey

Any chance you can do this again while having snappy-debug running? It should provide useful suggestions about which interfaces you need.

If avdl does not require access to specific locations in the system for the purpose of compilation (like header files), you should be able to plug other interfaces which grant access to other locations on the system where users usually operate, rather than home, and stay under strict confinement. Have you explored personal-files or system-files?

Yeah, it will keep failing until we specifically grant it, once we agree that the requirements for classic confinement are understood.
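To make the alternative raised above concrete (strict confinement with the home interface, and optionally personal-files), here is what a strictly confined snapcraft.yaml for a command-line compiler looks like. This is an added illustration, not the avdl project's own recipe: the snap name and the interface names come from the thread, while the version, source URL, build plugin and command path are placeholders and are marked as such.

```yaml
# Added illustration of "strict confinement with the home interface" for a
# compiler that only reads files named on its command line and writes its
# output next to them. Not the avdl project's real snapcraft.yaml: version,
# source, plugin and command path below are assumed placeholders.
name: avdl
base: core18
version: '0.0.0'                     # placeholder, not a real release
summary: Compiler for the avdl language
description: |
  Compiles .dd source files passed on the command line, like gcc.

grade: stable
confinement: strict                  # instead of classic

parts:
  avdl:
    plugin: make                     # assumed build system
    source: https://example.invalid/avdl.tar.gz   # hypothetical URL
    make-parameters: [ 'prefix=' ]

apps:
  avdl:
    command: bin/avdl                # assumed install path inside $SNAP
    plugs:
      - home                         # non-hidden files under the user's home
      # personal-files / system-files would be added here only if the
      # compiler must read fixed paths outside home, e.g. hidden config
      # files; each such path needs a store declaration and review.
```

The way to check whether this is enough for a given workflow is the one suggested in this thread: install the strict build locally, run snappy-debug in a second terminal, and reproduce the failing compile. Each AppArmor DENIED line then names the exact path that is outside what the plugged interfaces allow, which is the evidence a reviewer needs to decide between adding an interface and granting classic.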

Hi @emitorino,

Thanks for taking the time to help me.

I tried this, but didn’t get any useful results. I got the following message multiple times:

= AppArmor =
Time: Aug XX XX:XX:XX
Log: apparmor="DENIED" operation="open" profile="snap.multipass.multipass" name="/etc/ssh/ssh_config" pid=XXXX comm="multipass" requested_mask="r" denied_mask="r" fsuid=XXXX ouid=0
File: /etc/ssh/ssh_config (read)
Suggestions:

  • adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON
  • adjust snap to use snap layouts (Snap layouts)
  • add 'ssh-keys' to 'plugs'

From what I understand, this has nothing to do with my app specifically. It is not using ssh in any way. It looks like it’s something multipass related?

avdl does not need to access any files except from ones that are part of the avdl package, or files specified by the user (which I’m happy to restrict to the home directory only).

The issue I’m having is that I want to make a new snap package that contains source code compilable by avdl. I’m doing that by adding build-snaps: avdl to my snapcraft.yml. Then when I use snapcraft to compile the project, it installs the avdl snap properly, but it then tries to compile the new snap package in /root/parts/my-part/, which avdl has no permission to access.

In case it helps, here’s a sample snapcraft.yml file that I’m trying to make. Its source link points to a project written in avdl.

name: rue
base: core18
version: '0.0.2'
summary: Summary Text
description: |
  This is my-snap's description. You have a paragraph or two to tell the
  most important story about your snap. Keep it under 100 words though,
  we live in tweetspace and your description wants to look good in the snap
  store.

grade: devel # must be 'stable' to release into candidate/stable channels
confinement: devmode # use 'strict' once you have the right plugs and slots

parts:
  my-part:
    source: https://notabug.org/tomtsagk/rue/archive/v0.0.2.tar.gz
    plugin: make
    make-parameters: [ 'prefix=' ]
    build-snaps:
      - avdl

When I try to build this by running the snapcraft command, it installs the avdl snap as expected, but I get this error during compilation:

+ snapcraftctl build
make -j2 prefix=
mkdir -p build/native
mkdir -p build/native/objects
mkdir -p build/native/output/assets
mkdir -p build/native/output
avdl -c src/game.dd -o build/native/objects/game.o -I include/ --install-loc "/share/rue/"
avdl -c src/card.dd -o build/native/objects/card.o -I include/ --install-loc "/share/rue/"
avdl error: Unable to open 'src/game.dd': Permission denied
makefile:66: recipe for target 'build/native/objects/game.o' failed
make: *** [build/native/objects/game.o] Error 255
make: *** Waiting for unfinished jobs....
avdl error: Unable to open 'src/card.dd': Permission denied
makefile:66: recipe for target 'build/native/objects/card.o' failed
make: *** [build/native/objects/card.o] Error 255
Failed to run 'make -j2 prefix=' for 'my-part': Exited with code 2.
Verify that the part is using the correct parameters and try again.

The two lines containing avdl -c src/file.dd are the lines that start compiling the project, and shortly after, both of them generate the two avdl error: lines saying that they have no permission on those files.

To my understanding, this happens because avdl doesn’t have permissions for /root/parts/my-part/ (where compilation takes place for the new package when I run snapcraft). I’m not sure what’s an optimal confinement to allow this functionality.

I hope this makes sense. Sorry for the wall of text. The snapcraft.yml I provided can be used to reproduce this issue.

Since compilers are a supported use-case for classic confinement, and this snap needs permission for various directories, I would say that this is a case for it. @Igor could you please proceed with publisher vetting?


+1 from me, I verified the publisher.


Granting use of classic. This is now live.