I’ve recently created a snap (strict confinement) that contains an IDE and gcc. When I compile my source with gcc included with the snap, creating an executable in the user’s home directory, everything is fine and dandy. However, I cannot launch said executable from the IDE within the snap. I’m getting a permission denied, and apparmor is clearly blocking the executable. Is there any way around this, or is this simply a limitation of snaps?
The ‘home’ interface currently only allows read/write, not exec. The fix would be a simple policy change, but I’m not sure it is appropriate for this interface.
@niemeyer - what are your thoughts? It is a transitional interface, and adding ‘ix’ rules would mean that anything the snap executed would inherit the snap’s security policy, so there isn’t a security concern. That said, there is a potential usability issue when two snaps that plug home but have otherwise different plugs will find that the same binary in the user’s home behaves differently. Eg, snap ‘foo’ plugs ‘network-observe’, ‘bar’ does not, the user has ~/bin/baz that calls ‘netstat’ which works when called from ‘foo.cmd’ but not ‘bar.cmd’.
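To make the two points above concrete (the ‘home’ interface granting rwk but not x, and ‘ix’ meaning the child inherits the caller’s profile), here is an added example that is not part of the thread or of snapd: it parses AppArmor DENIED audit lines, picks out exec denials on paths under the user’s home, and checks whether a given file-rule permission string would cover the requested mask. The profile names, paths and audit lines are constructed for the example, and the mask check is a deliberate simplification of AppArmor’s real rule semantics.

```python
import re

# Constructed sample lines in the shape AppArmor writes to the kernel/audit log.
# The profile names, paths, pids and timestamps are made up for this example.
SAMPLE_LOG = """\
audit: type=1400 audit(1507000000.123:45): apparmor="DENIED" operation="exec" profile="snap.myide.ide" name="/home/alice/proj/a.out" pid=4242 comm="myide" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
audit: type=1400 audit(1507000000.456:46): apparmor="ALLOWED" operation="open" profile="snap.myide.ide" name="/home/alice/proj/main.c" pid=4242 comm="myide" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1507000000.789:47): apparmor="DENIED" operation="open" profile="snap.other.cmd" name="/etc/shadow" pid=4300 comm="cmd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Matches either key="quoted value" or key=bareword.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        if m.group(1):
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def home_exec_denials(log_text, home_prefix="/home/"):
    """List (profile, path) for every DENIED exec of a file under home_prefix.

    This is the signature of the problem described in the thread: a confined
    snap (profile snap.<snap>.<app>) tries to execute a binary the user built
    in their home directory and the policy only grants read/write.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if (f.get("apparmor") == "DENIED"
                and f.get("operation") == "exec"
                and f.get("name", "").startswith(home_prefix)
                and "x" in f.get("denied_mask", "")):
            hits.append((f["profile"], f["name"]))
    return hits


def rule_covers(rule_perms, requested_mask):
    """Simplified check: does a file rule with permissions rule_perms grant
    every letter of requested_mask?

    'rwk' (read, write, lock) lacks 'x', so an exec request is denied.
    'rwkix' adds exec with the 'i' (inherit) qualifier: the executed program
    runs under the caller's own profile rather than a separate one, which is
    why the thread notes that 'ix' adds no new access beyond the snap's own.
    Real AppArmor rules also have px/ux/cx modes and other subtleties that
    this helper ignores on purpose.
    """
    granted = set(rule_perms)
    return all(ch in granted for ch in requested_mask)


if __name__ == "__main__":
    for profile, path in home_exec_denials(SAMPLE_LOG):
        print(f"{profile}: exec denied for {path}")
    print("rwk covers x?  ", rule_covers("rwk", "x"))
    print("rwkix covers x?", rule_covers("rwkix", "x"))
```

Running it on a real system would mean feeding it the output of `journalctl -k` or the audit log instead of SAMPLE_LOG; the filter on `operation="exec"` plus a home path is what separates this class of denial from ordinary file-access denials.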
@jdstrand It’s definitely not what we had in mind when we created the home interface, but at the same time I cannot see a big reason to forbid it, considering that the snap can always just copy over the binary elsewhere and execute it there instead.
Right, it isn’t a security/access concern, it is a potential usability concern. If you don’t think that is an issue, I’ll adjust the interface. /me takes a todo to do so.
If you mean the difference in permissions, I don’t think it’s an additional issue, in the sense this is already a concern for any confined application anyway. I would say let’s go for it unless someone presents some other ideas here soon.
Will this policy change be implemented or has it already been implemented? Just wondering since the thread seemed to dry up.
This was fixed in master and will be available in the upcoming 2.29 which is available in the beta channel.
That’s great to hear, and I appreciate the response! I look forward to distributing a fully-functional snap!