Hi!
Is it possible to confine a CLI snap to the current working directory of the terminal? Like, so that the snap has access to the files in the directory you’re currently running the application in.
Thanks!
The sandbox uses a combination of both traditional UNIX permissions (DAC) and AppArmor policy (MAC). The default sandbox policy (ie, with no interfaces connected) allows access to the snap’s installed files in $SNAP, the writable files in $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA and $SNAP_USER_COMMON, as well as a few files from the host that are deemed safe for every snap to have access that are needed for normal and expected operation.
Outside of snapd, it is possible to handcraft security policy that could achieve something along the lines of what you are asking for, but the snapd policy is designed to allow applications within the snap to freely interact with each other using, in part, the aforementioned directories.
Because of DAC, you could have the cli command not ‘plugs’ anything while having your snap saving files in SNAP_DATA and SNAP_COMMON without ‘other’ permissions, which would limit writes to SNAP_USER_DATA and SNAP_USER_COMMON (and reads to those allowed by the template). If this doesn’t fit your needs, you could perhaps redesign your application to perhaps use privilege separation, a seccomp filter, etc to limit what the security-hardened code can do.
i read this question more like:
“how can i get $PWD at startup of my app” (and actually run in that dir) …
i assume it is not a problem to cd to $PWD at app startup if you have the home interface connected and $PWD is actually a non hidden dir under $HOME …
yet, i don’t think there is a way from inside a snap to actually find out what $PWD was before you entered confinement.
@ogra is correct here, sorry for being unclear. I would like my application to have access to the files in the directory were it’s called from in the terminal, the $PWD of the “terminal”. Would I have to use classic confinement?
$PWD should be exposed correctly, if all you’re after is the current working directory path, without requiring that it be accessible:
dllewellyn@defiant:~$ snap run --shell hello-world
dllewellyn@defiant:/home/dllewellyn$ echo $PWD
/home/dllewellyn
dllewellyn@defiant:/home/dllewellyn$
and, no, that doesn’t mean a snap always goes to $HOME:
dllewellyn@defiant:~/test$ snap run --shell hello-world
dllewellyn@defiant:/home/dllewellyn/test$ echo $PWD
/home/dllewellyn/test
dllewellyn@defiant:/home/dllewellyn/test$
Ah, I noticed I had access to list the files. I also need to actually read/write to files within the directory (and sub-directories). Would this require the classic confinement?