MysteryMentor: Request for classic confinement

Hi there!

Please allow the mysterymentor snap (also mysterymentor-dev and mysterymentor-staging) to use classic confinement.

mysterymentor is the client of the service https://mysterymentor.io, which helps developers work together with their mentors.

mysterymentor uses the current user directory to detect with which project the user works.
Also, for the first time, mysterymentor creates some git-hooks to intercept the user actions with git.
After that, mysterymentor sends the user code to the service https://mysterymentor.io.

Why wouldn’t a strictly confined snap using the home interface meet your requirements?

Incidentally, the mysterymentor.io website looks particularly vacuous and empty, even for the hipsterish of hipster .io domains!

I’ve tried to use confinement: strict with the home interface, but it doesn’t work for me.

mysterymentor always needs to detect the directory from which the user launches mysterymentor.
When mysterymentor is launched in an isolated space, it can’t do that.

P.S. This project is still in development.

I’m -1 on this request: whilst the project is in development it’s impossible to distinguish between a genuine use case and a malicious attacker.

I’m also -1 on this until you can clearly define why it needs classic, and the home interface isn’t sufficient.

While in development, use confinement: devmode; once everything is working, if you’re having trouble dropping it to strict, we’ll be more than happy to help you figure it out.

I’ve written a simple Go program, which returns the current user directory, like pwd:

package main

import (
	"fmt"
	"os"
)

func main() {
	// Ask the OS for the process's current working directory (like pwd).
	pwd, err := os.Getwd()
	if err != nil {
		// Report the failure and stop instead of printing an empty path.
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(pwd)
}

Then I’ve tried to launch this program and got the following result:

$ pwd
/root
$ main // binary 
/root
$ main // using snap
/var/lib/snapd/void

I’ve built this snap using confinement: strict with the home interface.

How can I get the current user directory?
Because mysterymentor works with the user’s git repository and needs to know in which directory the user is now.

void is the working directory of the strictly-confined snap app, if the user’s working directory is not visible to the confined app.
Adding the home interface should help.


I’d suggest you give Security policy and sandboxing a read, particularly the “Debugging” section.

I already use the home interface in the snap, but I can’t understand how I can get the current user directory from my application.

I launch the application and want to get the directory in which the user is now.
In the example above, I want to get the /root directory when I launch my application, but I got /var/lib/snapd/void.

I built your program, and ran it from inside a strictly-confined snap that has the home interface, and it printed the current directory of the user (both as a regular user, and root).

The home interface does not, and should not, allow access to /root.
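To make the two replies above concrete (the void directory that a confined app sees when the launch directory is hidden from it, and the limits of what the home interface grants), here is an added example; it is not code from this thread or from the mysterymentor project. It refuses to treat /var/lib/snapd/void as a project directory, checks whether the launch directory is one the home interface exposes (inside $HOME and not under a hidden top-level entry), and then walks up to the enclosing git repository, which is what a client that works with the user’s repository needs. The function names, the injected getwd parameter and the sample paths are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// snapVoid is the working directory snapd hands a strictly confined app when
// the directory the user launched it from is not visible inside the sandbox.
const snapVoid = "/var/lib/snapd/void"

// ErrHiddenCwd is returned when confinement hid the launch directory.
var ErrHiddenCwd = errors.New("launch directory is not visible inside the snap sandbox")

// detectLaunchDir returns the directory the user launched the client from.
// getwd is injected (assumption of this example) so the sandbox case can be
// exercised without snapd; normally pass os.Getwd.
func detectLaunchDir(getwd func() (string, error)) (string, error) {
	cwd, err := getwd()
	if err != nil {
		return "", err
	}
	if cwd == snapVoid {
		// Nothing useful lives in the void; stop here rather than
		// treating it as the user's project.
		return "", ErrHiddenCwd
	}
	return filepath.Clean(cwd), nil
}

// visibleViaHome reports whether dir is somewhere the home interface exposes:
// inside home, and not under a hidden top-level entry such as ~/.cache.
func visibleViaHome(dir, home string) bool {
	rel, err := filepath.Rel(home, dir)
	if err != nil {
		return false
	}
	if rel == "." {
		return true
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false // outside home, e.g. /root or /tmp
	}
	first := strings.SplitN(rel, string(filepath.Separator), 2)[0]
	return !strings.HasPrefix(first, ".")
}

// findRepoRoot walks upward from start until it finds a directory containing
// a .git entry, mirroring how git itself locates the repository.
func findRepoRoot(start string) (string, bool) {
	dir := filepath.Clean(start)
	for {
		if _, err := os.Stat(filepath.Join(dir, ".git")); err == nil {
			return dir, true
		}
		parent := filepath.Dir(dir)
		if parent == dir {
			return "", false // reached the filesystem root without a .git
		}
		dir = parent
	}
}

func main() {
	dir, err := detectLaunchDir(os.Getwd)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	home, _ := os.UserHomeDir()
	if !visibleViaHome(dir, home) {
		fmt.Fprintf(os.Stderr, "warning: %s is outside what the home interface grants\n", dir)
	}
	if root, ok := findRepoRoot(dir); ok {
		fmt.Println("repository:", root)
	} else {
		fmt.Println("no git repository found above", dir)
	}
}
```

Run it with `snap run --shell` inside the strictly confined snap, from the user’s project directory, to see which of the three branches applies; when the first one fires, the home interface is missing or the directory is not under $HOME, and no code should be sent anywhere.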

unless the user is root:

$ sudo su - root
root@fleet:~# snap run --shell firefox
root@fleet:/root# pwd
/root

I stand corrected 🙂

Thank you. I’ve found a bug in the docker container where I tested.

Now, when I push the snap I see the following error:

Pushing mm-dev_0.99.0-3-gf05cea9.snap
After pushing, an attempt will be made to release to 'stable'
Preparing to push '/Users/mgrachev/dev/go/src/github.com/evrone/mm-cli/scripts/tmp/dist/development/mm-dev_0.99.0-3-gf05cea9.snap' to the store.
Found cached source snap /Users/mgrachev/.cache/snapcraft/projects/mysterymentor-dev/snap_hashes/amd64/7751bd07d9903ddbed238e3064fb4b43f7c37a33e9ed5db11643ff81b73ef9c3958fad634abaf3a73af636be67806008.
Generating xdelta3 delta for mm-dev_0.99.0-3-gf05cea9.snap.
Pushing delta /Users/mgrachev/dev/go/src/github.com/evrone/mm-cli/scripts/tmp/dist/development/mm-dev_0.99.0-3-gf05cea9.snap.xdelta3.
Pushing mm-dev_0.99.0-3-gf05cea9.snap.xdelta3 [=========================================================================================================================================================================================] 100%
Processing...|
Will need manual review...
The Store automatic review failed.
A human will soon review your snap, but if you can't wait please write in the snapcraft forum asking for the manual review explicitly.
If you need to disable confinement, please consider using devmode, but note that devmode revision will only be allowed to be released in edge and beta channels.
Please check the errors and some hints below:
  - unknown entries in snap.yaml: 'parts'

My snap.yaml looks like:

name: mysterymentor-dev
version: 0.99.0-3-gf05cea9
summary: Mystery Mentor client (development)
description: Mystery Mentor client (development)
confinement: strict
architectures:
- amd64
apps:
  mysterymentor-dev:
    command: 'mm-dev '
    plugs:
    - home
parts:
  git:
    plugin: autotools
    build-packages:
    - dh-autoreconf
    - libcurl4-gnutls-dev
    - libexpat1-dev
    - gettext
    - libz-dev
    - libssl-dev
    source: https://github.com/git/git/archive/v2.18.0.tar.gz

What am I doing wrong?

On the dashboard of the snap, I see the warning:

unknown entries in snap.yaml: 'parts' lint-snap-v2_unknown_field

your indentation for the list underneath build-packages: is wrong, it needs to be indented by two more spaces…

that’s not the issue at all. The problem is that there is a parts block in snap.yaml - parts is a snapcraft.yaml build-time definition that should not propagate into snap.yaml.
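As an added illustration of the distinction drawn above, and not a file from the mysterymentor project, here is what the build-time snapcraft.yaml looks like when the parts block lives where snapcraft expects it. The git part is the one from the snap.yaml posted earlier; the mm-dev part, its go plugin settings and the grade key are assumptions of this example. Building from this file yields a snap.yaml inside the snap that carries only the runtime keys (name, version, summary, description, confinement, architectures, apps) and no parts key, which is what the store lint checks for.

```yaml
# snapcraft.yaml: build-time definition read by snapcraft, never shipped as-is.
name: mysterymentor-dev
version: 0.99.0-3-gf05cea9
summary: Mystery Mentor client (development)
description: Mystery Mentor client (development)
confinement: strict
# devel-grade snaps can only be released to edge/beta, which suits a
# development build (assumed key for this example).
grade: devel

parts:
  # Assumed part that builds the client from the Go sources in this tree.
  mm-dev:
    plugin: go
    source: .
    go-importpath: github.com/evrone/mm-cli   # assumed import path
  # The git part from the posted snap.yaml; it belongs here, not in snap.yaml.
  git:
    plugin: autotools
    source: https://github.com/git/git/archive/v2.18.0.tar.gz
    build-packages:
      - dh-autoreconf
      - libcurl4-gnutls-dev
      - libexpat1-dev
      - gettext
      - libz-dev
      - libssl-dev

apps:
  # Runtime definition: this is the block that ends up in snap.yaml.
  mysterymentor-dev:
    command: mm-dev
    plugs:
      - home
```

After `snapcraft`, inspect the generated file with `unsquashfs -cat mysterymentor-dev_*.snap meta/snap.yaml` and confirm that parts is absent before pushing.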

oops, indeed, nobody should touch snap.yaml by hand, I kind of assumed snapcraft.yaml and mis-read …

I use a special tool for creating snaps, goreleaser, which uses the command snapcraft pack to make the snap file. How can I fix that to use parts in my snap file?