Hello!
I need to execute a few Bash commands from a Go program I’m converting into a Snap. Basically, the program should read-write to ~/.config/gipns using commands such as rm, mv, and git. It doesn’t matter if Snap confines those directories.
It also needs to be able to execute arbitrary Bash commands installed in the user’s $HOME directory, such as ~/go/bin/ipfs. I don’t know in advance if this command will be compiled from source or installed as a snap. It should also be able to read ~/.config/gipns, but write where it normally would if called from Bash.
How can I achieve that?
This will require the personal-files interface, see https://snapcraft.io/docs/personal-files-interface for more details and how to request store approval for usage of this interface.
For these types of commands, are you shipping these commands in the snap? If not, while basic shell utilities like rm and mv you can use what’s in the rootfs from your snap’s base snap (i.e. core or core18), things like git will need to be included in the snap to be usable in your snap.
If you know that all of the programs the user will need will exist in subdirectories of $HOME that are not prefixed with “.” (i.e. nothing that starts with $HOME/.xyz/...) then you should be able to do this with the home interface connected. Note however that all of those programs would need to be smart enough to be executed without the normal rootfs available to them (i.e. they wouldn’t be able to run /usr/bin/git directly, they would need to use $PATH to pickup $SNAP/usr/bin/git).
If however this requirement expands to needing to be able to run any arbitrary program from the user’s $PATH, then this is not currently doable with strict confinement and you would need to request classic confinement, explaining why your application cannot predict the location of the binaries on the user’s system and the application’s need to use the arbitrary binaries from the host filesystem rather than just shipping the binaries in your snap.
This is doable, even for the binaries from $HOME, they will inherit the same confinement as your snap when launched from inside your snap and as such will be able to use this directory provided you use the personal-files interface as described above.
Can you elaborate on this requirement a bit more? What are the expected locations that these tools would normally write to?
