Migrating cybersecurity program and dependencies to snap

Hello, I’m new to the snap community. I’ve been working on an RUST-based cybersecurity tool called MaidRunner that offers native features like file entropy analysis, malware signature detection, and automation for some existing tools. After reading the snap documentation several times, I realized that packing and publishing this application as a snap requires some path changes (this application uses /var/maid/maid_list). And this app apparently has to be a “classic” snap, could it still be released in the Snap Store? if not, snap is open source, how does the pipeline for building and share snaps function outside of the Canonical backend? thanks.



Things are preferred to be strict rather than classic where strict has potential to cover a usecase. This isn’t just because we want everything to be nice and secure (we do though), but because classic confinement runs in the host namespace and this introduces classic-specific issues such as mixing up packages with the host that aren’t ABI compatible.

For /var/maid/maid_list, I’d imagine you could use the System Files interface. This would be able to give your strict snap view into the folder. When distributing this on Snapcraft, using system-files would trigger a security review, but it’s significantly easier to pass this review than a classic-confinement review.

(Note, this interface doesn’t autoconnect, so if you’re trying it for testing, be sure to run snap connect appropriately).

could it still be released in the Snap Store?

Snaps can be installed without store approval by just installing them with the --dangerous flag, same as they would be installed for testing prior to publication. If strict, you might need to also run some snap connect commands afterwards to configure the permissions. If classic, you’d not need anything other than the installation.

Building the snap is the same, you don’t need to follow store policies to use the snapcraft tool itself; it’s just the publishing on the store that gets reviewed.

Thank you. I think this System Files can be an start. Move items from /var to /etc is as simple as changing one line in a configuration file. If I understand you well, the “classic” items are not relevant to the app kind or category; they are merely snap decisions that are not required at all (I’m sorry if this seems ridiculous).
I’ll continuing migrating this application and its dependencies to snap; I may need more help if I need to make use of low level network access (layers 2 to 7) or run sand-boxing (for malware analysis) inside the snap. Thank you one again.

I don’t think System Files is limited to /etc, you’d probably be able to use it with /var all the same.

By itself, classic just means running outside of any sandbox, meaning the snap has the same permissions as the user running it, rather than dropping a load of permissions as a strict snap would.

By store policy, this is usually things like build systems, compilers, IDE’s, etc.

There’s technical reasons that go along with it; using classic is essentially binary patching your executables to use the snaps specific runtime environment. Some specific executables might not respond to this as well as others. And in terms of specific programs, you might end up having a situation where e.g it’s easier to use a layout to redirect a folder than it is to recompile the program to look elsewhere. A lot of these are case-by-case however.

Fundamentally though, outside of technical reasons, the store policy is that classic snaps must fit in one of the supported categories here.

But again, that’s only for distributing on the snap store. If youre happy for people to download manually and install with --dangerous, there’s nothing technically stopping you from building a classic snap and just hosting the file on Github, aside from the user experience of doing so.

I’d recommend if you are trying with strict confinement (which you should be, since trying strict first and failing is one of the checks before granting classic), to install the snappy-debug snap, run it in the background via terminal as you run your snap, and it’ll capture permissions related problems and give feedback for you.

1 Like