Consider a snap foo with two applications and a daemon:
- a privileged app with (for example) the timezone-control plug
- an unprivileged app without the plug
- a daemon
The target deployment is a headless embedded device. The unprivileged app is invoked and managed by the daemon. Both the daemon and the unprivileged application can be accessed over the network, so it's important to restrict what the unprivileged app can do.
```yaml
apps:
  privapp:
    command: bin/privapp
    plugs:
      - timezone-control
  unprivapp:
    command: bin/unprivapp
    # no plugs
  privdaemon:
    command: bin/privdaemon
    daemon: simple
    plugs:
      - timezone-control
```
From the command line, foo.privapp can access the timezone and foo.unprivapp cannot, as expected. The daemon can access the timezone too.
Now consider the case where the privileged daemon needs to invoke the unprivileged app, but does not want the unprivileged app to inherit the timezone-control plug.
If the daemon invokes $SNAP/bin/unprivapp directly, unprivapp can access the timezone.
It doesn’t appear the daemon can invoke “foo.unprivapp” - per Executing a snap from within a snap package and other threads linked to that topic. This use case is a little different since “foo.unprivapp” is within the same snap.
Is it possible for the daemon to invoke unprivapp such that it won’t inherit these capabilities?
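As an added example (not from the original post or snapd itself), a small POSIX shell check a daemon can use to detect the situation described above: a child exec'd straight from $SNAP/bin/ keeps the daemon's own AppArmor profile instead of getting the app's. It assumes AppArmor is the confinement backend and that snapd names profiles `snap.<snap>.<app>`; `runs_as_app` and the pid/file arguments are names chosen here.

```bash
#!/bin/sh
# Read the AppArmor label of a process from /proc/<pid>/attr/current and
# compare it to the profile the child is supposed to run under.
# Assumption: strict snap apps run under a profile named snap.<snap>.<app>.

# Print the label found in an attr file, without the " (enforce)" /
# " (complain)" mode suffix. Prints "unknown" if the file cannot be read.
# Reading from a file (rather than a pid) lets the check run without AppArmor.
aa_label_from_file() {
    # Typical contents: "snap.foo.privdaemon (enforce)" or "unconfined".
    sed -e 's/ *(.*)$//' -e 's/^ *//' "$1" 2>/dev/null || echo "unknown"
}

# Label of a live process: aa_label <pid>
aa_label() {
    aa_label_from_file "/proc/$1/attr/current"
}

# Return 0 only if <pid> runs under exactly snap.<snap>.<app>.
# Usage: runs_as_app <pid> <snap> <app>
runs_as_app() {
    [ "$(aa_label "$1")" = "snap.$2.$3" ]
}

# How the daemon from the post could use it after starting the child
# (child pid assumed in $child). A label of snap.foo.privdaemon here means
# the child inherited the daemon's plugs, including timezone-control.
# if ! runs_as_app "$child" foo unprivapp; then
#     echo "child runs as $(aa_label "$child"), not snap.foo.unprivapp" >&2
# fi
```

Outside a snap, or on a system without AppArmor, the file is absent or reads `unconfined`, so the check reports `unknown` or `unconfined` rather than a snap profile.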