- name: cidea
- description: C/C# code generator/development for the Cubespace software ecosystem
- snapcraft: PRIVATE
- upstream: PRIVATE
- upstream-relation: PRIVATE
- supported-category: compilers
- reasoning: technical reasons for why the existing interfaces are not sufficient for the snap to work under strict confinement.
- [x] I understand that strict confinement is generally preferred over classic.
- [x] I’ve tried the existing interfaces to make the snap work under strict confinement.
Note that snappy-debug can be used to identify possible required interfaces. See https://snapcraft.io/docs/debug-snaps for more information.
I am using .NET framework and ran into issues. I would like to start as classic and migrate to strict. I am running into issues running the confined snap without sudo.
```
flotter@flotter-laptop:~/sofia/tools/cidea$ cidea --help
/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice/vte-spawn-413d3af2-81e2-42be-b901-d8df7e364ee0.scope is not a snap cgroup for tag snap.cidea.cidea
flotter@flotter-laptop:~/sofia/tools/cidea$ sudo cidea --help
command line usage:
--version, -v : outputs version information
--verbose : outputs information to stdout
--generate , -g : generate from autogen config file
--verify-all -a : verify all nodedefs
--output-dir , -o : specify autogen output directory
--nodedef-dir ,-d : specify nodedef directory (default: nodedefs)
```
This request has been added to the queue for review by the @reviewers team.
```yaml
name: cidea
base: core24
version: '5.0.8'
summary: Code generation tool for XML to C/C# conversion
description: |
  CIDEA is a code generation tool that consumes XML definitions and generates
  versioned interface definition code used for communicating with ADCS nodes.
grade: stable
confinement: classic # To be migrated to strict eventually
lint:
  ignore:
    - metadata
    - library:
        # Unused warning, but needs to be here for dlopen.
        - libbrotlidec.so.1
        - libbrotlienc.so.1
        - libicutest.so.74
        - libicuio.so.74
        - liblttng-ust-ctl.so.5
        - liblttng-ust-cyg-profile-fast.so.1
        - liblttng-ust-cyg-profile.so.1
        - liblttng-ust-dl.so.1
        - liblttng-ust-fd.so.1
        - liblttng-ust-fork.so.1
        - liblttng-ust-libc-wrapper.so.1
        - liblttng-ust-pthread-wrapper.so.1
        - libssl.so.3
        - libunwind-coredump.so.0
        - libunwind-ptrace.so.0
        - libunwind-x86_64.so.8
platforms:
  arm64:
  amd64:
apps:
  cidea:
    command: cidea
    environment:
      # Use the .NET 10 variable name
      DOTNET_ICU_VERSION_OVERRIDE: "74"
      LD_LIBRARY_PATH: $SNAP/usr/lib/$CRAFT_ARCH_TRIPLET_BUILD_FOR:$SNAP/lib/$CRAFT_ARCH_TRIPLET_BUILD_FOR:$LD_LIBRARY_PATH
parts:
  libs:
    plugin: nil
    stage-packages:
      - libicu74
      - libunwind8
      - libssl3t64
      - liblttng-ust1t64
      - libbrotli1
    build-attributes:
      - enable-patchelf
    override-build: |
      craftctl default
      LIB_DIR="usr/lib/$CRAFT_ARCH_TRIPLET_BUILD_FOR"
      cd "$CRAFT_PART_INSTALL/$LIB_DIR"
      ln -sf liblttng-ust.so.1 liblttng-ust.so.0
  cidea:
    after: [libs]
    plugin: dotnet
    source: .
    dotnet-self-contained: true
    dotnet-properties:
      UseAppHost: "true"
      InvariantGlobalization: "false"
      TargetFramework: "net10.0"
      DebugType: "none"
      DebugSymbols: "false"
      CopyOutputSymbolsToPublishDirectory: "false"
    dotnet-version: "10.0"
    permissions:
      - path: cidea
        mode: "755"
    build-attributes:
      - enable-patchelf
```
Classic confinement is not intended as an intermediate step for migrating to strict confinement (#reject). To help us understand the blockers, could you please provide more details on the technical issues you encountered?
Regarding the error you shared, the message `is not a snap cgroup`: does cidea require root privileges to function?
Thank you for your help. No, it does not, just access to source repository paths under the current user.
Without running it with root, that is when I get the cgroup error. I am running 24.04.
flotter@flotter-laptop:~$ SNAPD_DEBUG=1 snap run gse-app-cli --help
2026/02/17 18:36:28.207760 tool_linux.go:94: DEBUG: snap (at "/snap/snapd/current") is older ("2.73") than distribution package ("2.73+ubuntu24.04")
2026/02/17 18:36:28.208185 logger.go:289: DEBUG: -- snap startup {"stage":"start", "time":"1771346188.208183"}
2026/02/17 18:36:28.208363 apparmor.go:945: DEBUG: checking distro apparmor_parser at /usr/sbin/apparmor_parser
2026/02/17 18:36:28.208370 apparmor.go:954: DEBUG: apparmor 4.0 ABI detected but ignored
2026/02/17 18:36:28.211389 cmd_run.go:1575: DEBUG: executing snap-confine from /usr/lib/snapd/snap-confine
2026/02/17 18:36:28.211850 cmd_run.go:523: DEBUG: SELinux not enabled
2026/02/17 18:36:28.211941 tracking.go:48: DEBUG: creating transient scope snap.gse-app-cli.gse-app-cli
2026/02/17 18:36:28.212846 tracking.go:217: DEBUG: using session bus
2026/02/17 18:36:28.214913 tracking.go:325: DEBUG: StartTransientUnit failed with "org.freedesktop.DBus.Error.Spawn.ChildExited": [Process org.freedesktop.systemd1 exited with status 1]
2026/02/17 18:36:28.215157 cmd_run.go:1811: DEBUG: snapd cannot track the started application
2026/02/17 18:36:28.215168 cmd_run.go:1812: DEBUG: snap refreshes will not be postponed by this process
2026/02/17 18:36:28.215182 logger.go:289: DEBUG: -- snap startup {"stage":"snap to snap-confine", "time":"1771346188.215181"}
DEBUG: -- snap startup {"stage":"snap-confine enter", "time":"1771346188.216902"}
DEBUG: caps at startup: cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
DEBUG: ruid: 1000, euid: 1000, suid: 1000
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: initial caps: cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
DEBUG: after setting privileged caps: cap_chown,cap_dac_override,cap_sys_admin=eip cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace+ep
DEBUG: snap-confine found at /proc/1/root/usr/lib/snapd/snap-confine
DEBUG: host snap-confine is owned by root
DEBUG: SNAP_MOUNT_DIR (probed): /snap
DEBUG: security tag: snap.gse-app-cli.gse-app-cli
DEBUG: executable: /usr/lib/snapd/snap-exec
DEBUG: confinement: non-classic
DEBUG: base snap: core24
DEBUG: umask reset, old umask was 02
DEBUG: -- snap startup {"stage":"snap-confine mount namespace start", "time":"1771346188.217297"}
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: opening lock file: /run/snapd/lock/gse-app-cli.lock
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope gse-app-cli, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: gse-app-cli
DEBUG: setting up device cgroup, mode "required"
DEBUG: libudev has current tags support
DEBUG: bpf fs tag: snap_gse-app-cli_gse-app-cli, object names: s_gse_app_cli_g
DEBUG: get bpf object at path /sys/fs/bpf/snap/snap_gse-app-cli_gse-app-cli
DEBUG: found existing device map
DEBUG: get next key for map 8
DEBUG: found 23 existing entries in devices map
DEBUG: delete key for c 195:255
DEBUG: delete elem in map 8
DEBUG: delete key for c 5:1
DEBUG: delete elem in map 8
DEBUG: delete key for c 5:2
DEBUG: delete elem in map 8
DEBUG: delete key for c 195:254
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:9
DEBUG: delete elem in map 8
DEBUG: delete key for c 10:242
DEBUG: delete elem in map 8
DEBUG: delete key for c 10:200
DEBUG: delete elem in map 8
DEBUG: delete key for c 5:0
DEBUG: delete elem in map 8
DEBUG: delete key for c 140:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 506:0
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:3
DEBUG: delete elem in map 8
DEBUG: delete key for c 141:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 10:239
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:8
DEBUG: delete elem in map 8
DEBUG: delete key for c 143:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:5
DEBUG: delete elem in map 8
DEBUG: delete key for c 139:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 195:0
DEBUG: delete elem in map 8
DEBUG: delete key for c 142:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 137:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:7
DEBUG: delete elem in map 8
DEBUG: delete key for c 138:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 136:-1
DEBUG: delete elem in map 8
DEBUG: load program of type 0xf, 33 instructions, name s_gse_app_cli_g
DEBUG: v2 allow c 1:3
DEBUG: v2 allow c 1:5
DEBUG: v2 allow c 1:7
DEBUG: v2 allow c 1:8
DEBUG: v2 allow c 1:9
DEBUG: v2 allow c 5:0
DEBUG: v2 allow c 5:1
DEBUG: v2 allow c 5:2
DEBUG: v2 allow c 136:4294967295
DEBUG: v2 allow c 137:4294967295
DEBUG: v2 allow c 138:4294967295
DEBUG: v2 allow c 139:4294967295
DEBUG: v2 allow c 140:4294967295
DEBUG: v2 allow c 141:4294967295
DEBUG: v2 allow c 142:4294967295
DEBUG: v2 allow c 143:4294967295
DEBUG: v2 allow c 195:0
DEBUG: v2 allow c 195:255
DEBUG: v2 allow c 506:0
DEBUG: v2 allow c 195:254
DEBUG: v2 allow c 10:239
DEBUG: v2 allow c 10:200
DEBUG: device /sys/devices/virtual/misc/rfkill has matching current tag
DEBUG: inspecting type of device: /dev/rfkill
DEBUG: v2 allow c 10:242
DEBUG: device /sys/devices/virtual/misc/tun has matching current tag
DEBUG: inspecting type of device: /dev/net/tun
DEBUG: v2 allow c 10:200
DEBUG: process in cgroup /user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice/vte-spawn-be88336e-28fc-40c4-a515-539b98299be7.scope
/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice/vte-spawn-be88336e-28fc-40c4-a515-539b98299be7.scope is not a snap cgroup for tag snap.gse-app-cli.gse-app-cli
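A triage sketch for the debug output above, added here as an example and not part of any poster's message or of snapd: it pulls out the lines showing the transient scope request failing and the process remaining in the terminal's scope. The function names, the abridged sample and the substring comparison of the cgroup leaf against the security tag are assumptions of this example.

```python
import re

# Sample input: lines abridged from the SNAPD_DEBUG=1 output quoted in the thread.
SAMPLE_LOG = """\
2026/02/17 18:36:28.211941 tracking.go:48: DEBUG: creating transient scope snap.gse-app-cli.gse-app-cli
2026/02/17 18:36:28.214913 tracking.go:325: DEBUG: StartTransientUnit failed with "org.freedesktop.DBus.Error.Spawn.ChildExited": [Process org.freedesktop.systemd1 exited with status 1]
2026/02/17 18:36:28.215157 cmd_run.go:1811: DEBUG: snapd cannot track the started application
DEBUG: security tag: snap.gse-app-cli.gse-app-cli
DEBUG: confinement: non-classic
DEBUG: process in cgroup /user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice/vte-spawn-be88336e-28fc-40c4-a515-539b98299be7.scope
/user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice/vte-spawn-be88336e-28fc-40c4-a515-539b98299be7.scope is not a snap cgroup for tag snap.gse-app-cli.gse-app-cli
"""

# One regex per fact; the first matching line in the log wins.
PATTERNS = {
    "scope_requested": r"creating transient scope (\S+)",
    "dbus_error": r'StartTransientUnit failed with "([^"]+)"',
    "untracked": r"(snapd cannot track the started application)",
    "security_tag": r"security tag: (\S+)",
    "confinement": r"confinement: (\S+)",
    "cgroup": r"process in cgroup (\S+)",
    "rejected_tag": r"is not a snap cgroup for tag (\S+)",
}

def parse(log):
    facts = {}
    for line in log.splitlines():
        for key, pattern in PATTERNS.items():
            match = re.search(pattern, line)
            if match and key not in facts:
                facts[key] = match.group(1)
    return facts

def triage(log):
    facts = parse(log)
    tag = facts.get("security_tag")
    leaf = facts.get("cgroup", "").rsplit("/", 1)[-1]
    # Assumption: a tracked process sits in a scope whose name contains the tag.
    in_snap_scope = bool(tag) and tag in leaf
    findings = []
    if "dbus_error" in facts:
        findings.append(f"transient scope request failed: {facts['dbus_error']}")
    if "untracked" in facts:
        findings.append("snap run continued without tracking the process")
    if "cgroup" in facts and not in_snap_scope:
        findings.append(f"process is still in {leaf}, not a scope named after {tag}")
    if "rejected_tag" in facts:
        findings.append(f"snap-confine rejected the cgroup for {facts['rejected_tag']}")
    return {"facts": facts, "in_snap_scope": in_snap_scope, "findings": findings}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```
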
I have exactly the same issue with the obs-studio snap.