Manual review request for the master-pdf-editor-5 snap - classic

Hi,

We decided to go with a classic build, because our program doesn’t find devices through a dialog window of scanning. We tried to use plugs like this: cups, network, avahi-observe, mount-observe.

That is nothing you can “decide”, your app needs to fit within one of the “supported” categories of the page below to even be considered for discussion by the reviewers …

Hi ! @Anna22 .

What kind of application is this?

Program to create and edit PDF files

I think you don’t need classic confinement for that. You can just plug the home interface and some required interfaces that are relevant to your program.

To find required interfaces you can run the snappy-debug command from the snappy-debug snap in a terminal while running your app, there should be suggestions for possible plugs in the output, pick the least powerful of them if there are multiple …

Also do not forget that many powerful plugs do not automatically connect, you need to use the snap connect ... command after installing the snap to connect them first…

Thank you, I will try to debug. Another question: is there any possibility to make all plugs auto connectable?

Once you know all plugs you can turn this request into one for auto-connection.

depending on the risk level of the interfaces in use they might all get auto-connected, this is up to the reviewers…

Hi! The solution with plug system-files does not work: after installation, the application does not run with a message “read attribute should be a string”. In my .yaml file it looks like this:
plugs:
    etc-mpe:
        interface: system-files
        read: - /etc

apps:
    masterpdfeditor5:
        command: masterpdfeditor5
        plugs:
            - etc-mpe
            - cups
            - network
            - avahi-observe
            - raw-usb
            - system-observe
            - mount-observe
            - desktop-legacy
            - desktop
            - home

Moreover, I have built a new package with strict confinement (what I have done before this release with classic confinement) and I can not publicize it, because of the queue. Is it possible to delete release from revisions list?

Hi @Anna22 .

You can reject or stop the current queue via your dashboard, here is the link: https://dashboard.snapcraft.io/stores/snaps.

Please put the content of your *.yaml file in back ticks (three back ticks to start and three back ticks to close) to make your code more readable.

description: |
  Master PDF Editor

grade: stable # must be 'stable' to release into candidate/stable channels
confinement: strict # use 'strict' once you have the right plugs and slots

plugs: 
    etc-mpe: 
           interface: system-files 
           read: - /etc

apps:
    masterpdfeditor5:
        command: masterpdfeditor5
        plugs:
            - etc-mpe
            - cups
            - network
            - avahi-observe
            - raw-usb
            - system-observe
            - mount-observe
            - desktop-legacy
            - desktop
            - home
        extensions:
            - kde-neon



parts:
    masterpdfeditor5:
    # See 'snapcraft plugins'
        plugin: dump
        source: master-pdf-editor-5
        stage-packages:
            - libpkcs11-helper1
....

lint:
  ignore:
    - classic
    - library:
        - usr/lib/**
        - lib/x86_64-linux-gnu/**





Unless I’m mistaken, the global * in a yaml file is not supported.

The section concerning the interface system-files is clean (part of your specification just below).

plugs: 
    etc-mpe: 
           interface: system-files 
           read: - /etc

apps:
    masterpdfeditor5:
        command: masterpdfeditor5
        plugs:
            - etc-mpe
            - cups

After building and installing your snap, you must connect the interface in question (that is to say, etc-mpe).

The following command allows you to achieve this goal:

snap connect <<your-installed-snap>>:<<your-interface>>

Of course, you could request an auto-connection for the interface in question by opening a topic on it.

It would really help if you showed your complete snapcraft.yaml, not just a cut down snippet of it …

it seems you do not have base: set at all. If you want to build for core22 you indeed need to set this to core22 :wink:

plugs: 
  etc-mpe: 
    interface: system-files 
    read: 
      - /etc

This will not be granted by the reviewers, the name must match the path and making all of /etc readable opens a security hole, if you want to read any existing files in /etc/mpe, you should define exactly this as the path …
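As an added example (not part of the original post and not store tooling), the sketch below audits system-files plugs against the two points made above: the path list must be narrow, and the plug name should reflect the path. It assumes the plugs section has already been parsed into a dict, and the exact naming rule in `expected_name` is a hypothetical convention chosen for illustration.

```python
import posixpath

# Constructed inputs: plugs as they would look after parsing snapcraft.yaml.
BROAD = {"etc-mpe": {"interface": "system-files", "read": ["/etc"]}}
SCALAR = {"etc-mpe": {"interface": "system-files", "read": "/etc"}}
THREAD_FINAL = {"etc-mpe": {"interface": "system-files", "read": ["/etc/sane.d"]}}
RENAMED = {"etc-sane-d": {"interface": "system-files", "read": ["/etc/sane.d"]}}

def normalize(path):
    # Collapse "..", "." and repeated slashes so /etc/sane.d/.. is seen as /etc.
    return "/" + posixpath.normpath(path).lstrip("/")

def expected_name(path):
    # Assumed naming convention (hypothetical): /etc/sane.d -> etc-sane-d
    return normalize(path).strip("/").replace("/", "-").replace(".", "-")

def audit_system_files(plugs):
    """Return (plug, subject, problem) tuples for every system-files plug."""
    findings = []
    for name, spec in plugs.items():
        if not isinstance(spec, dict) or spec.get("interface") != "system-files":
            continue
        for attr in ("read", "write"):
            if attr not in spec:
                continue
            paths = spec[attr]
            if not isinstance(paths, list) or not all(isinstance(p, str) for p in paths):
                findings.append((name, attr, "must be a list of path strings"))
                continue
            for p in paths:
                if not p.startswith("/"):
                    findings.append((name, p, "not an absolute path"))
                elif normalize(p).count("/") < 2:
                    findings.append((name, p, "grants a whole top-level directory"))
                elif expected_name(p) not in name:
                    findings.append((name, p, "plug name does not reflect the path"))
    return findings

if __name__ == "__main__":
    for label, plugs in [("broad", BROAD), ("scalar", SCALAR),
                         ("thread final", THREAD_FINAL), ("renamed", RENAMED)]:
        print(label, audit_system_files(plugs))
```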

Thanks a lot for your help! Our app can create pdf from scanner so I have added sane.d to system files I need to read.

name: master-pdf-editor-5 # you probably want to 'snapcraft register <name>'
base: core22 # the base snap is the execution environment for this snap
version: '5.9.82.2' # just for humans, typically '1.2+git' or '1.3.2'
summary: Master PDF Editor is a full solutions for work with PDF documents # 79 char long summary
description: |
  Master PDF Editor

grade: stable # must be 'stable' to release into candidate/stable channels
confinement: strict # use 'strict' once you have the right plugs and slots
plugs:
    etc-mpe:
        interface: system-files
        read:
        - /etc/sane.d

apps:
    masterpdfeditor5:
        command: masterpdfeditor5
        plugs:
            - etc-mpe
            - cups
            - network
            - avahi-observe
            - raw-usb
            - system-observe
            - mount-observe
            - desktop-legacy
            - desktop
            - home
        extensions:
            - kde-neon



parts:
    masterpdfeditor5:
    # See 'snapcraft plugins'
        plugin: dump
        source: master-pdf-editor-5
        stage-packages:
            - libpkcs11-helper1
            - libsane1
            - zlib1g
            - libstdc++6
            - libqt5svg5
            - libqt5printsupport5
            - libqt5widgets5
            - libqt5gui5
            - libqt5qml5
            - libqt5network5
            - libqt5xml5
            - libqt5concurrent5
            - libqt5core5a
            - libgl1
            - libgcc-s1
            - libusb-1.0-0
            - libxml2
            - libpng16-16
            - libharfbuzz0b
            - libmd4c0
            - libgssapi-krb5-2
            - libdouble-conversion3
            - libicu70
            - libicu70
            - libpcre2-16-0
            - libzstd1
            - libglib2.0-0
            - libglib2.0-dev
            - libglvnd0
            - libglx0
            - libudev1
            - liblzma5
            - libfreetype6
            - libgraphite2-3
            - libkrb5-3
            - libk5crypto3
            - libcom-err2
            - libkrb5support0
            - libicu70
            - libpcre3
            - libx11-6
            - libkeyutils1
            - libxcb1
            - libxau6
            - libxdmcp6
            - libmd0
            - libbsd0

lint:
  ignore:
    - classic
    - library:
        - usr/lib/**
        - lib/x86_64-linux-gnu/**


After connecting etc-mpe the error disappeared, but the app still does not search for devices…

what about the other interfaces, you will most likely need raw-usb connected to find a local scanner …

please check with:

snap connections master-pdf-editor-5

which ones are not connected, connect them manually and test …

All interfaces are connected except cups…

error: snap “snapd” has no “cups” interface slots

Anything interesting in snappy-debug by chance?

Also, are there any other errors when you run the app? I see you are simply using the dump plugin to drop a pre-built binary in place, are you sure it is linked against exactly the library versions you have in stage-packages ? (the linter would tell you if library symbols do not match, you did turn it off in your snapcraft.yaml though)


= AppArmor =
Time: 2024-02-08T16:1
Log: apparmor="DENIED" operation="open" class="file" profile="snap.master-pdf-editor-5.masterpdfeditor5" name="/snap/core22/1033/usr/lib/x86_64-linux-gnu/libffi.so.8.1.0" pid=8190 comm="masterpdfeditor" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
File: /snap/core22/1033/usr/lib/x86_64-linux-gnu/libffi.so.8.1.0 (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: 2024-02-08T16:1
Log: apparmor="DENIED" operation="open" class="file" profile="snap.master-pdf-editor-5.masterpdfeditor5" name="/snap/core22/1033/usr/lib/x86_64-linux-gnu/libbz2.so.1.0.4" pid=8190 comm="masterpdfeditor" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
File: /snap/core22/1033/usr/lib/x86_64-linux-gnu/libbz2.so.1.0.4 (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: 2024-02-08T16:1
Log: apparmor="DENIED" operation="open" class="file" profile="snap.master-pdf-editor-5.masterpdfeditor5" name="/usr/lib64/" pid=8190 comm="masterpdfeditor" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
File: /usr/lib64/ (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: 2024-02-08T16:1
Log: apparmor="DENIED" operation="open" class="file" profile="snap.master-pdf-editor-5.masterpdfeditor5" name="/usr/lib32/" pid=8190 comm="masterpdfeditor" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
File: /usr/lib32/ (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: 2024-02-08T16:1
Log: apparmor="DENIED" operation="open" class="file" profile="snap.master-pdf-editor-5.masterpdfeditor5" name="/usr/lib64/" pid=8190 comm="masterpdfeditor" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
File: /usr/lib64/ (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: 2024-02-08T16:1
Log: apparmor="DENIED" operation="open" class="file" profile="snap.master-pdf-editor-5.masterpdfeditor5" name="/usr/lib32/" pid=8190 comm="masterpdfeditor" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
File: /usr/lib32/ (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: 2024-02-08T16:1
Log: apparmor="DENIED" operation="open" class="file" profile="snap.master-pdf-editor-5.masterpdfeditor5" name="/usr/lib64/" pid=8190 comm="masterpdfeditor" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
File: /usr/lib64/ (read)
Suggestion:
* adjust program to read necessary files from $SNAP, $SNAP_DATA, $SNAP_COMMON, $SNAP_USER_DATA or $SNAP_USER_COMMON

= AppArmor =
Time: 2024-02-08T16:1
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/a11y/bus" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.a11y.Bus" pid=8190 label="snap.master-pdf-editor-5.masterpdfeditor5" peer_pid=3672 peer_label="unconfined"
DBus access

= Seccomp =
Time: 2024-02-08T16:1
Log: auid=1001 uid=1001 gid=1001 ses=4 subj=snap.master-pdf-editor-5.masterpdfeditor5 pid=8190 comm="masterpdfeditor" exe="/snap/master-pdf-editor-5/x1/masterpdfeditor5" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7f9c0e90a531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= Seccomp =
Time: 2024-02-08T16:1
Log: auid=1001 uid=1001 gid=1001 ses=4 subj=snap.master-pdf-editor-5.masterpdfeditor5 pid=8190 comm="masterpdfeditor" exe="/snap/master-pdf-editor-5/x1/masterpdfeditor5" sig=0 arch=c000003e 141(setpriority) compat=0 ip=0x7f9c0e98997b code=0x50000
Syscall: setpriority
Suggestion:

* ignore the denial if the program otherwise works correctly (unconditional setpriority is often just noise)

= Seccomp =
Time: 2024-02-08T16:1
Log: auid=1001 uid=1001 gid=1001 ses=4 subj=snap.master-pdf-editor-5.masterpdfeditor5 pid=8190 comm="masterpdfeditor" exe="/snap/master-pdf-editor-5/x1/masterpdfeditor5" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 ip=0x7f9c0e90a531 code=0x50000
Syscall: sched_setaffinity
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional sched_setaffinity is often just noise)

= Seccomp =
Time: 2024-02-08T16:1
Log: auid=1001 uid=1001 gid=1001 ses=4 subj=snap.master-pdf-editor-5.masterpdfeditor5 pid=8190 comm="masterpdfeditor" exe="/snap/master-pdf-editor-5/x1/masterpdfeditor5" sig=0 arch=c000003e 141(setpriority) compat=0 ip=0x7f9c0e98997b code=0x50000
Syscall: setpriority
Suggestion:
* ignore the denial if the program otherwise works correctly (unconditional setpriority is often just noise)

= AppArmor =
Time: 2024-02-08T16:1
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/a11y/bus" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.a11y.Bus" pid=8190 label="snap.master-pdf-editor-5.masterpdfeditor5" peer_pid=3672 peer_label="unconfined"
DBus access
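Output like the above repeats the same denial many times, which makes it hard to see which distinct accesses need an interface. The following added example (not part of the original thread, and not a snappy-debug feature) collapses the `Log:` lines into counted, categorised denials; the sample lines are constructed and shortened, and the category names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the shape of the Log: lines in the post above.
SAMPLE = '''\
Log: apparmor="DENIED" operation="open" class="file" profile="snap.demo.app" name="/snap/core22/1033/usr/lib/x86_64-linux-gnu/libffi.so.8.1.0" pid=1 comm="app" requested_mask="r" denied_mask="r"
Log: apparmor="DENIED" operation="open" class="file" profile="snap.demo.app" name="/usr/lib64/" pid=1 comm="app" requested_mask="r" denied_mask="r"
Log: apparmor="DENIED" operation="open" class="file" profile="snap.demo.app" name="/usr/lib64/" pid=1 comm="app" requested_mask="r" denied_mask="r"
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/a11y/bus" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.a11y.Bus" pid=1 label="snap.demo.app"
Log: auid=1001 uid=1001 subj=snap.demo.app pid=1 comm="app" sig=0 arch=c000003e 203(sched_setaffinity) compat=0 code=0x50000
'''

KV = re.compile(r'(\w+)="([^"]*)"')      # key="value" pairs in audit lines
SYSCALL = re.compile(r'\b\d+\((\w+)\)')  # e.g. 203(sched_setaffinity)

def classify(line):
    """Map one Log: line to a (category, detail) key, or None if unrecognised."""
    f = dict(KV.findall(line))
    if f.get("apparmor") == "DENIED":
        if f.get("operation", "").startswith("dbus"):
            return ("dbus", f"{f.get('bus')}:{f.get('name')} "
                            f"{f.get('interface')}.{f.get('member')}")
        path = f.get("name", "")
        # Paths under /snap/ are other mounted snaps (here the base); the rest
        # are host paths, which is where a narrowly scoped plug may be needed.
        kind = "file-under-snap-mount" if path.startswith("/snap/") else "file-host"
        return (kind, f"{path} ({f.get('denied_mask')})")
    m = SYSCALL.search(line)
    return ("seccomp", m.group(1)) if m else None

def summarize(text):
    """Count distinct denials so repeated entries collapse into one row."""
    counts = Counter()
    for line in text.splitlines():
        if line.startswith("Log:"):
            key = classify(line)
            if key:
                counts[key] += 1
    return counts

if __name__ == "__main__":
    for (kind, detail), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {kind:22s} {detail}")
```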