How to handle input files in strict confinement

Hey everyone,

We recently added the capability to specify custom config files as CLI arguments to the UBports Installer. Nothing special, the user would just run something like my-cool-snap -i ./path/to/file and the snap would read it. This of course will not work in strict confinement. I guess one way around it would be to use the home plug, but that gives the snap way more permissions than it actually needs. I can’t imagine I’m the only one with this use case, but I could not find anything about it. Excuse my naive question, but would it be possible to only grant the snap permissions to read (or also write, as that might be useful for some other use cases) to paths specified when launching the snap?

We put in some hours to get the Installer to work with strict confinement, so I really don’t want to go back to classic. Worst case we’ll just disable the input file option for the snap, as it’s mostly needed for developers.

Couldn’t you just add a path check inside your app?

Is this a graphical application? Could you use the desktop portal here?

Instead of my-cool-snap -i /path/to/file, the user could do my-cool-snap < /path/to/file, and that should work.
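
Added example, not part of the post above and not UBports Installer code: a plain Node.js sketch of how an application could accept its config from redirected stdin as well as from -i, so that the application itself never has to open the path. The function names, the `-i -` convention and the JSON config format are assumptions made for this example.

```javascript
// Added example; not UBports Installer code. Assumes the config is JSON.
// `-i -` or a redirected stdin means "read what the launcher handed us".
function pickConfigSource(argv, stdinIsTTY) {
  const i = argv.indexOf("-i");
  const arg = i === -1 ? undefined : argv[i + 1];
  if (i !== -1 && arg === undefined) throw new Error("-i needs a path or '-'");
  if (arg === "-") return { kind: "stdin", explicit: true };
  if (arg !== undefined) return { kind: "file", path: arg };
  // No -i: only consider stdin when something was redirected or piped in.
  return stdinIsTTY ? { kind: "default" } : { kind: "stdin", explicit: false };
}

async function readStream(stream) {
  const chunks = [];
  for await (const chunk of stream) chunks.push(Buffer.from(chunk));
  return Buffer.concat(chunks).toString("utf8");
}

async function loadConfig(argv, stdin = process.stdin) {
  const src = pickConfigSource(argv, Boolean(stdin.isTTY));
  if (src.kind === "default") return null;
  let text;
  if (src.kind === "stdin") {
    text = await readStream(stdin);
    // A desktop launcher may pass an empty non-TTY stdin; treat it as "no config".
    if (!src.explicit && text.trim() === "") return null;
  } else {
    const { readFile } = await import("node:fs/promises");
    try {
      text = await readFile(src.path, "utf8");
    } catch (err) {
      if (err.code === "EACCES" || err.code === "EPERM") {
        // Under strict confinement, paths the snap has no access to fail here.
        throw new Error(`cannot open ${src.path}; try: my-cool-snap < ${src.path}`);
      }
      throw err;
    }
  }
  return JSON.parse(text);
}
```

The entry point would call `loadConfig(process.argv.slice(2))` and fall back to the built-in configuration when it resolves to `null`.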

In addition to the others’ suggestions, you could plug the home interface but request that it not be auto-connected. Then users can use paths available to the snap by default and snap connect home if they want to grant more access.

Thanks for your suggestions. After some testing, I actually think it’s OK to go with home for now.