Manual review of cvescan

I’m not exactly sure how to make a case for change here. My snap is using openscap to compare versions of deb packages installed on the host system with versions that have been patched to fix CVEs. In order to do this it needs read access to some places under hostfs. I’ve configured the read access with system-files plugs. I’ve tried to do this in a way that makes sense, but I’m more than happy to change things if there is a better way to do this.

@morlino - typically you paste your use of system-files and describe why you need the access. Looking in the store, I see cvescan is using:

plugs:
  apt-dpkg-db:
    interface: system-files
    read:
    - /var/lib/snapd/hostfs/var/lib/dpkg
    - /var/lib/snapd/hostfs/var/cache/apt
    - /etc/lsb-release
    - /etc/apt
    - /etc/dpkg

The interface reference and read-only access of hostfs and /etc make sense for this snap and what it needs to do. /etc/lsb-release is already in the default template and can be omitted.

+1 for use of and auto-connection of system-files using the above (after removing /etc/lsb-release).

@reviewers - can others please vote on this?
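As an added example (not cvescan's own code), this is the kind of read-only access the apt-dpkg-db plug above grants: the snap maps host paths under /var/lib/snapd/hostfs when it runs confined and parses dpkg's status file for installed versions. The hostfs prefix and the status-file format are as in the thread and dpkg; the sample stanzas are constructed.

```python
import os
import re

HOSTFS = "/var/lib/snapd/hostfs"

def host_path(path, in_snap=None):
    """Map a host path to where a confined snap can read it: under hostfs
    when SNAP is set (or in_snap=True), otherwise unchanged."""
    if in_snap is None:
        in_snap = bool(os.environ.get("SNAP"))
    return HOSTFS + path if in_snap else path

def installed_versions(status_text):
    """Parse dpkg's status file (stanzas separated by blank lines) into
    {package: version}, keeping only state 'install ok installed'."""
    versions = {}
    for stanza in re.split(r"\n\s*\n", status_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (e.g. Description) start with whitespace.
            if line and not line[0].isspace() and ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Status") == "install ok installed" and "Package" in fields:
            versions[fields["Package"]] = fields.get("Version", "")
    return versions

# Constructed sample in dpkg status format, not a real host database.
SAMPLE_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1f-1ubuntu2.16

Package: curl
Status: deinstall ok config-files
Version: 7.68.0-1ubuntu2.7

Package: libc6
Status: install ok installed
Version: 2.31-0ubuntu9.9
"""

if __name__ == "__main__":
    path = host_path("/var/lib/dpkg/status")
    try:
        with open(path) as f:
            print(installed_versions(f.read()))
    except OSError:  # no readable dpkg database here: use the sample
        print(installed_versions(SAMPLE_STATUS))
```

Only the read list in the plug is reachable; any write attempt under hostfs is denied by the confinement regardless of this code.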

Same here, +1 for use and auto-connection of system-files as above.

+1 from me too - it is a shame to have to access this via hostfs with system-files but that is the best hammer we have for this problem at this stage.

Thanks.
I uploaded a new version without /etc/lsb-release in the plug.


3 votes for, 0 against for use of and auto-connect of system-files for read access to dpkg and apt databases and configuration with the apt-dpkg-db interface reference. Granting. This is now live.