In the snapcraft.yaml file for my snap, I specify a list of plugs for which I want system interfaces connected. My app builds and runs both in devmode and under strict confinement if I make AppArmor policy updates. (See the sample YAML file below.)
My understanding is that if I specify a plug for time-control, I should not be required to provide AppArmor policy updates for accessing resources included by plugged interfaces. However, in order to allow my strictly confined app to update the time clock, I need to apply the following in the AppArmor policy.
/usr/bin/timedatectl ixr,
capability sys_time,
What step am I missing? Or is this expected behavior?
Thanks.
========================== yaml sample from here
name: xyz
version: '1.0.0.0'
summary: xyz snap
description: |
  The xyz app
type: app
grade: stable
confinement: strict
environment:
  xyz_home: ${SNAP_DATA}/base/xyz_home
  xyz_user_home: ${SNAP_DATA}/base/xyz_user_home
apps:
  xyzd-service:
    command: bin/xyzd
    daemon: forking
    stop-command: bin/xyzd /stop
    post-stop-command: bin/xyzd /poststop
    stop-timeout: 1m
    restart-condition: never
    plugs:
      [home,
       time-control,
       timeserver-control,
       timezone-control,
       network-bind,
       network-control,
       network-setup-control,
       process-control,
       physical-memory-observe,
       system-observe,
       log-observe,
       mount-observe,
       account-control,
       accounts-service,
       shutdown,
       serial-port]
parts:
  jre:
    plugin: nil
    stage:
      - jre
    prime:
      - jre
============================== to here