Classic confinement request: datashare

Hello,

I would like to create a snap for Datashare:

Revision link for review:

https://dashboard.snapcraft.io/snaps/datashare/revisions/4/

Datashare is a self-hosted search engine for documents. It allows users to index documents on their own computer, and perform search over the extracted text and metadata.

For several years we have offered this tool through a .deb and Docker image. We would like to use the classic confinement so users can index documents stored in their homedir (Datashare creates a dedicated directory for that).

Datashare is open source and developed by the International Consortium of Investigative Journalists. It is the same technology our organization used to run famous investigations like the Pandora Papers or the Panama Papers.

Cheers,

Pierre

1 Like

The home interface allows access to files in a user's normal homedir - so classic confinement should not be needed.

1 Like

Hello @alexmurray, thanks for the recommendation!

I’m trying to use strict confinement as suggested here:

I noticed the $HOME variable is set to $SNAP_ DATA value. Is that the intended behavior for strict confinement?

My connections:

Interface       Plug                      Slot             Notes
home            datashare:home            :home            -
mount-observe   datashare:mount-observe   :mount-observe   manual
network         datashare:network         :network         -
network-bind    datashare:network-bind    :network-bind    -
system-observe  datashare:system-observe  :system-observe  manual
x11             datashare:x11             :x11

1 Like

Yes - $HOME is set to $SNAP_USER_DATA so that by default all snaps have somewhere they can write to out-of-the-box - but you can still get the user’s real home via the $SNAP_REAL_HOME environment variable, or just by doing something like: getent passwd "$USER" | cut -d ':' -f 6

2 Likes

Thanks, $SNAP_REAL_HOME does the trick!

Just be aware that on devices where the home interface is not auto-connecting, your app will not have any write access and potentially mis-function (there is indeed a reason why $HOME defaults to $SNAP_USER_DATA and not to *_REAL_HOME).

That makes perfect sense. Thanks for the precision!
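
A launcher-side check for the caveat raised in the thread, as an added example that is not part of the original posts or of Datashare's code: it prefers $SNAP_REAL_HOME and falls back to $SNAP_USER_DATA when the real home is not writable (home interface not connected). The function names and the directory name passed in are assumptions; the hidden-name check reflects that the home interface does not cover dot-prefixed entries at the top of the real home.

```shell
#!/bin/sh
# Added example, not Datashare's own launcher; names here are assumptions.

# probe_write DIR: succeed only if a file can really be created in DIR.
probe_write() {
    probe=$1/.write-probe.$$
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# resolve_data_dir NAME: print the directory to use for documents.
# Returns 0 = under the real home, 1 = fell back to $SNAP_USER_DATA,
#         2 = no writable location.
resolve_data_dir() {
    name=$1
    # Strict confinement sets $HOME to $SNAP_USER_DATA, so the real home
    # comes from $SNAP_REAL_HOME; outside a snap $HOME already is the real one.
    real_home=${SNAP_REAL_HOME:-${HOME:-}}

    # The home interface does not cover hidden top-level entries of the
    # real home, so a dot-prefixed NAME cannot be used there from a snap.
    case $name in
        .*) hidden=1 ;;
        *)  hidden=0 ;;
    esac

    if [ -n "$real_home" ] && { [ -z "${SNAP:-}" ] || [ "$hidden" -eq 0 ]; }; then
        candidate=$real_home/$name
        # With the home interface disconnected this is denied, and we fall
        # back here rather than failing later in the middle of indexing.
        if mkdir -p "$candidate" 2>/dev/null && probe_write "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    fi

    if [ -n "${SNAP_USER_DATA:-}" ]; then
        candidate=$SNAP_USER_DATA/$name
        if mkdir -p "$candidate" 2>/dev/null && probe_write "$candidate"; then
            printf '%s\n' "$candidate"
            return 1
        fi
    fi
    return 2
}
```

A return status of 1 is the signal to tell the user that documents are being kept in the snap's private directory and that connecting the home interface would change that.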