How to handle input files in strict confinement

NeoTheThird · October 24, 2019, 8:59am

Hey everyone,

We recently added the capability to specify custom config files as cli arguments in to the UBports Installer. Nothing special, the user would just run something like my-cool-snap -i ./path/to/file and the snap would read it. This of course will not work in strict confinement. I guess one way around it would be to use the home plug, but that gives the snap way more permissions than it actually needs. I can’t imagine i’m the only one with this usecase, but i could not find anything about it. Excuse my naive question, but would it be possible to only grant the snap permissions to read (or also write, as that might be useful for some others usecases) to paths specified when launching the snap?

We put in some hours to get the Installer to work with strict confinement, so i really don’t want to go back to classic. Worst case we’ll just disable the input file option for the snap, as it’s mostly needed for developers.

ogra · October 24, 2019, 9:40am

couldn’t you just add a path check inside your app ?

ijohnson · October 24, 2019, 3:39pm

Is this a graphical application? Could you use the desktop portal here?

chipaca · October 24, 2019, 4:23pm

Instead of my-cool-snap -i /path/to/file, the user could do my-cool-snap < /path/to/file, and that should work.

jdstrand · October 24, 2019, 7:54pm

In addition to the other’s suggestions, you could plugs the home interface but request that it not be auto-connected. Then users can use paths available to the snap by default and snap connect home if they want to grant more access.

NeoTheThird · October 26, 2019, 11:27am

Thanks for your suggestions. After some testing, i actually think it’s ok to go with home for now.