Classic Confinement request: cargo-audit

Hello,

  • name: cargo-audit
  • description: Audit Cargo.lock and Rust binaries for crates with security vulnerabilities.
  • snapcraft: cargo-audit-snap/snapcraft.yaml at main · canonical/cargo-audit-snap · GitHub
  • upstream: rustsec/cargo-audit at main · rustsec/rustsec · GitHub
  • upstream-relation: No relation
  • supported-category: Debug tools
  • reasoning: Cargo-audit scans a Rust project directory, or a Rust binary, for dependency metadata (then cross-references it against a database of vulns). It’s reasonable that a user might want to run this on any binary on their system – for example, I aim to include this metadata one day in rust-coreutils binaries, and curious users may want to scan those binaries.

I understand that strict confinement is generally preferred over classic.

I’ve tried the existing interfaces to make the snap work under strict confinement.

NB: if there was an interface to access the whole filesystem as read-only, I would use that. If there is such an interface and I missed it please tell me!

This request has been added to the queue for review by the @reviewers team.

Hello @petrakat !

A key step in the classic granting process is Publisher Vetting. To successfully vet a publisher, we need to verify their connection to the upstream. Since you’re not currently part of the upstream, could you clarify whether the upstream is willing to adopt the snap, or if they are open to having you, as the snap publisher, join the upstream (if you’re willing to do so) (#askForInfo)?

Also, providing full filesystem access would violate Snap confinement; therefore, no read-only interface for the entire root is available.

You’d have to make the app perform lookups relative to /var/lib/snapd/hostfs, but otherwise that’s read-only access to the vast majority of the host filesystem.

That interface isn’t super-privileged, which means you can declare it and have users manually connect it in the worst-case scenario without it being blocked on upload (e.g., perhaps it’s valid to have home autoconnect, and rely on system-backup to be done by users manually). From inside your own app you’d be able to check if you had the permissions by executing snapctl is-connected system-backup and react appropriately.
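The approach described in the reply above, sketched as a launcher helper. This is an added example, not part of the thread or of the cargo-audit snap; `host_target` and the `HOSTFS` variable are hypothetical names, and the snap name `cargo-audit` is taken from the request. It assumes symlinks only need re-rooting on the final path component.

```shell
#!/bin/sh
# Added example (not from the thread); host_target and HOSTFS are
# hypothetical names. The mount point is the one named in the thread:
# the host root is visible there once system-backup is connected.
HOSTFS=${HOSTFS:-/var/lib/snapd/hostfs}

# host_target PATH
# Prints the path under $HOSTFS that corresponds to host PATH.
# Returns 2 if system-backup is not connected, 1 on a symlink loop.
host_target() {
    if ! snapctl is-connected system-backup; then
        echo "system-backup is not connected; run:" >&2
        echo "  snap connect cargo-audit:system-backup" >&2
        return 2
    fi
    ht_path=$1
    # Relative arguments are taken relative to the caller's directory.
    case $ht_path in
        /*) ;;
        *) ht_path=$PWD/$ht_path ;;
    esac
    # An absolute symlink target is resolved by the kernel against the
    # snap's own root, not the host's, so follow links by hand and
    # re-root every hop under $HOSTFS. Only the final path component is
    # handled; symlinked parent directories with absolute targets are not.
    ht_hops=0
    while [ -L "$HOSTFS$ht_path" ]; do
        ht_hops=$((ht_hops + 1))
        if [ "$ht_hops" -gt 16 ]; then
            echo "too many symlink hops for $1" >&2
            return 1
        fi
        ht_link=$(readlink "$HOSTFS$ht_path")
        case $ht_link in
            /*) ht_path=$ht_link ;;
            *) ht_path=$(dirname "$ht_path")/$ht_link ;;
        esac
    done
    printf '%s%s\n' "$HOSTFS" "$ht_path"
}

# Usage in the snap's launcher: cargo audit bin "$(host_target "$1")"
```

Without the re-rooting loop, a host binary reached through an absolute symlink (for example an alternatives-style link) would be looked up inside the snap's own root and either fail or audit the wrong file.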

Hello, do you have an update on this?