system("snap connections");
system("snap get core watchdog");
system("getent group");
Snap works in devmode but not in strict mode.
I learnt that I need to use the snapd-control interface along with the REST API with curl to talk to snapd. I have added the snapd-control plug but I know nothing about the REST API.
If you have the snapd-control interface connected, then those snap subcommands should work within confinement. It uses the same REST API as anything else would. If you are interested in the details of the REST API though, the following is a good place to start:
One thing to add though: it is unlikely that you will be able to publish a snap using snapd-control to the main Snap Store. A snap with this interface can install and remove arbitrary snaps, connect interfaces that would be disconnected by default, change confinement options, etc. Connecting snapd-control punches a huge hole in the strict confinement sandbox, so its use is strictly controlled.
Perhaps it would be best to start by describing what you want to do at a high level?
It looks like the AppArmor policies block access to the /usr/bin/snap binary, but if you shipped a copy of it in your snap, it would likely work when snapd-control is connected.
As you’re using C, another option would be to use the snapd-glib library, which will probably be simpler than working from scratch.
Just to be sure again, are you suggesting that I can achieve the same things with snapd-glib as with the REST API / curl combination (if I need snapd access only in .c files)?
If yes, then:
Q1. I will have to create a content interface to make use of the APIs exported by snapd-glib in the .h file. Right?
Q2. Do you know of any existing snap project making use of snapd-glib? I searched on GitHub but couldn't find one.
Finally, what about the script that I mentioned above? Just having snapd-control interface in plugs of app in the snap is enough?
You would need to include a copy of the snapd-glib library within your snap. You could achieve this by adding libsnapd-glib1 to stage-packages in your project (and probably put libsnapd-glib-dev in build-packages to get its headers).
The library itself doesn’t grant you any extra permissions: it simply makes it easier for you to use the REST API from a C program. It is the snapd-control interface that grants you permission to communicate with snapd.
The confusingly worded "adjust snap to ship 'snap'" message is suggesting you include a copy of the /usr/bin/snap binary within your snap and call your copy of the binary instead.
If you replace the /usr/bin/snap calls with snapd-glib API calls, this denial should go away without doing that.
For the useradd/groupadd denials, I doubt you’ll be able to get those tools running from within the snap sandbox. There are other options though:
use snapd’s create-user API.
add an appropriately signed system-user assertion to the system (also possible via the API).
I do wonder if some of this system configuration would be better handled through the gadget snap for your device though.
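Putting the pieces of that last reply together, here is an added example (not from anyone in this thread) of a snapcraft.yaml for a strictly confined C app that links snapd-glib and plugs snapd-control instead of shelling out to /usr/bin/snap. The snap name, part name, base, build plugin and source path are assumptions; the package names libsnapd-glib1 and libsnapd-glib-dev are the ones named above.

```yaml
# Added example, not from the thread: minimal snapcraft.yaml for a strict-mode
# C app that talks to snapd through snapd-glib rather than system("snap ...").
# Assumed names: snap "mydevice-agent", part "agent", sources under ./src,
# base core18, built with a Makefile via the make plugin.
name: mydevice-agent
base: core18
version: '0.1'
summary: Device agent that queries snapd via snapd-glib
description: |
  All snapd access goes through the REST API (via snapd-glib), so no copy of
  /usr/bin/snap has to be shipped inside the snap and no AppArmor denial for
  exec of /usr/bin/snap is expected.
grade: devel
confinement: strict            # devmode only hides the denials; strict is the target

apps:
  agent:
    command: bin/agent
    daemon: simple
    plugs:
      - snapd-control          # the only thing that grants access to the snapd API;
                               # not auto-connected and subject to manual store review

parts:
  agent:
    plugin: make               # assumption: the C program builds with a Makefile
    source: src/
    build-packages:
      - libsnapd-glib-dev      # headers and pkg-config file for snapd-glib
      - pkg-config
    stage-packages:
      - libsnapd-glib1         # the runtime library, shipped inside the snap
```

Because snapd-control is not auto-connected, after a local `snap install --dangerous` of the built snap you still connect it by hand with `snap connect mydevice-agent:snapd-control`; until then the app sees the same denials as before.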