How to "drop" plug permissions?

Consider a snap foo with two applications and a daemon

  • a privileged app with (for example) timezone control plug
  • an unprivileged app without the plug
  • a daemon

Target deployment is a headless embedded device. The unprivileged app is invoked and managed by the daemon. Both daemon and unprivileged application can be accessed over network, so its important to restrict what the unprivileged app can do.

    command: bin/privapp
      - timezone-control

    command: bin/unprivapp
    (no plugs)

    command: bin/privdaemon
    daemon: simple
      - timezone-control

From command line, foo.privapp can access timezone, foo.unprivapp cannot, as expected. Daemon can access timezone too.

Now consider case where the privileged daemon needs to invoke the unprivileged app, but does not want the unprivileged app to inherit the timezone-control plug.

If the daemon invokes $SNAP/bin/unprivapp directly, the unprivapp can access timezone.

It doesn’t appear daemon can invoke “foo.unprivapp” - per Executing a snap from within a snap package and other threads linked to that topic. This use case is a little different since “foo.unprivapp” is within the same snap.

Is it possible for daemon to invoke the unprivapp such that it won’t inherit these capabilities?

you could create a dbus listener for the unprivileged app and trigger its launch via dbus from the daemon app …

This is not really supported by snapd today unfortunately