MysteryMentor: Request for classic confinement

I’m -1 on this request: whilst the project is in development, it’s impossible to distinguish between a genuine use case and a malicious attacker.

I’m also -1 on this until you can clearly define why it needs classic, and the home interface isn’t sufficient.

While in development, use confinement: devmode; once everything is working, if you’re having trouble dropping it to strict, we’ll be more than happy to help you figure it out.

I’ve written a simple Go program, which returns the current user directory, like pwd:

package main

import (
	"fmt"
	"os"
)

func main() {
	// Ask the OS for the process's current working directory.
	pwd, err := os.Getwd()
	if err != nil {
		fmt.Println(err)
	}
	// Print it, the same way `pwd` does.
	fmt.Println(pwd)
}

Then I’ve tried to launch this program and got the following result:

$ pwd
/root
$ main // binary 
/root
$ main // using snap
/var/lib/snapd/void

I’ve built this snap using confinement: strict with the home interface.

How can I get the current user directory?
Because mysterymentor works with the user’s git repository and needs to know which directory the user is in now.

void is the working directory of the strictly-confined snap app, if the user’s working directory is not visible to the confined app.
Adding the home interface should help.

1 Like
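As an added example (not code from the thread or from the mysterymentor project), here is the check a CLI like this wants once it runs under strict confinement: detect that snapd started it in the void directory named above, refuse to proceed with a clear hint instead of silently operating on /var/lib/snapd/void, and then walk up from the real working directory to the enclosing git repository root. The void path is the one shown in the thread; the function names, the error text and the hint are my own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// snapdVoid is the working directory snapd gives a strictly confined app when
// the caller's real working directory is not visible to it (the path seen in
// the thread above).
const snapdVoid = "/var/lib/snapd/void"

// ErrCwdNotVisible reports that the app is running in snapd's void directory,
// so the user's working directory cannot be used. (Name is my own.)
var ErrCwdNotVisible = errors.New("working directory is not visible to the confined snap")

// WorkingDir returns the caller's working directory, or ErrCwdNotVisible when
// the snap has been started in the void. getwd is injectable so the check can
// be exercised without actually running inside a snap; pass os.Getwd normally.
func WorkingDir(getwd func() (string, error)) (string, error) {
	dir, err := getwd()
	if err != nil {
		return "", err
	}
	if filepath.Clean(dir) == snapdVoid {
		return "", ErrCwdNotVisible
	}
	return dir, nil
}

// FindRepoRoot walks up from dir until it finds a directory containing .git
// (a directory for normal checkouts, a file for worktrees and submodules) and
// returns that directory. Any stat failure, including a permission denial on
// a parent that the confinement profile does not expose, is treated as
// "no .git here" and the walk continues to the parent.
func FindRepoRoot(dir string) (string, error) {
	dir = filepath.Clean(dir)
	for {
		if _, err := os.Stat(filepath.Join(dir, ".git")); err == nil {
			return dir, nil
		}
		parent := filepath.Dir(dir)
		if parent == dir {
			return "", fmt.Errorf("no git repository found at or above %s", dir)
		}
		dir = parent
	}
}

func main() {
	dir, err := WorkingDir(os.Getwd)
	if errors.Is(err, ErrCwdNotVisible) {
		fmt.Fprintln(os.Stderr, "error:", err)
		fmt.Fprintln(os.Stderr, "hint: run from a directory the snap can see, e.g. under $HOME with the home interface connected")
		os.Exit(1)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	root, err := FindRepoRoot(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("working directory:", dir)
	fmt.Println("repository root:  ", root)
}
```

Built into the snap and run with `snap run --shell` from a directory outside what the connected interfaces expose, the first branch fires; from a repository under $HOME with `home` connected, it prints both paths.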

I’d suggest you give Security policy and sandboxing a read, particularly the “Debugging” section.

I already use the home interface in the snap, but I can’t understand how I can get the current user directory from my application.

I launch the application and want to get the directory the user is in now.
In the example above, I want to get the /root directory when I launch my application, but I got /var/lib/snapd/void.

I built your program, and ran it from inside a strictly-confined snap that has the home interface, and it printed the current directory of the user (both as a regular user, and root).

The home interface does not, and should not, allow access to /root.

unless the user is root:

$ sudo su - root
root@fleet:~# snap run --shell firefox
root@fleet:/root# pwd
/root
1 Like

I stand corrected :slight_smile:

Thank you. I’ve found a bug in the docker container where I tested.

Now, when I push the snap I see the following error:

Pushing mm-dev_0.99.0-3-gf05cea9.snap
After pushing, an attempt will be made to release to 'stable'
Preparing to push '/Users/mgrachev/dev/go/src/github.com/evrone/mm-cli/scripts/tmp/dist/development/mm-dev_0.99.0-3-gf05cea9.snap' to the store.
Found cached source snap /Users/mgrachev/.cache/snapcraft/projects/mysterymentor-dev/snap_hashes/amd64/7751bd07d9903ddbed238e3064fb4b43f7c37a33e9ed5db11643ff81b73ef9c3958fad634abaf3a73af636be67806008.
Generating xdelta3 delta for mm-dev_0.99.0-3-gf05cea9.snap.
Pushing delta /Users/mgrachev/dev/go/src/github.com/evrone/mm-cli/scripts/tmp/dist/development/mm-dev_0.99.0-3-gf05cea9.snap.xdelta3.
Pushing mm-dev_0.99.0-3-gf05cea9.snap.xdelta3 [=========================================================================================================================================================================================] 100%
Processing...|
Will need manual review...
The Store automatic review failed.
A human will soon review your snap, but if you can't wait please write in the snapcraft forum asking for the manual review explicitly.
If you need to disable confinement, please consider using devmode, but note that devmode revision will only be allowed to be released in edge and beta channels.
Please check the errors and some hints below:
  - unknown entries in snap.yaml: 'parts'

My snap.yaml looks like:

name: mysterymentor-dev
version: 0.99.0-3-gf05cea9
summary: Mystery Mentor client (development)
description: Mystery Mentor client (development)
confinement: strict
architectures:
- amd64
apps:
  mysterymentor-dev:
    command: 'mm-dev '
    plugs:
    - home
parts:
  git:
    plugin: autotools
    build-packages:
    - dh-autoreconf
    - libcurl4-gnutls-dev
    - libexpat1-dev
    - gettext
    - libz-dev
    - libssl-dev
    source: https://github.com/git/git/archive/v2.18.0.tar.gz

What am I doing wrong?

On the dashboard of the snap, I see the warning:

unknown entries in snap.yaml: 'parts' lint-snap-v2_unknown_field

Your indentation for the list underneath build-packages: is wrong; it needs to be indented by two more spaces…

That’s not the issue at all. The problem is that there is a parts block in snap.yaml; parts is a snapcraft.yaml build-time definition that should not propagate into snap.yaml.
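As an added illustration (not a file from the thread or from the mysterymentor project) of the split described in the reply above: the build recipe snapcraft reads and the runtime manifest the store lints, as two YAML documents in one block. Names, version and the git part are copied from the snap.yaml posted above; the go plugin keys and the import path (taken from the source path in the push log) are my assumptions, and the trailing space after mm-dev in the posted command has been dropped.

```yaml
# snap/snapcraft.yaml: the build recipe snapcraft reads. `parts` lives here.
name: mysterymentor-dev
version: 0.99.0-3-gf05cea9
summary: Mystery Mentor client (development)
description: Mystery Mentor client (development)
confinement: strict

apps:
  mysterymentor-dev:
    command: mm-dev
    plugs:
      - home

parts:
  mm-dev:
    # Assumption: the CLI is built by snapcraft's go plugin from this import path
    plugin: go
    source: .
    go-importpath: github.com/evrone/mm-cli
  git:
    # Copied from the posted snap.yaml; the list indentation there was already valid YAML
    plugin: autotools
    source: https://github.com/git/git/archive/v2.18.0.tar.gz
    build-packages:
      - dh-autoreconf
      - libcurl4-gnutls-dev
      - libexpat1-dev
      - gettext
      - libz-dev
      - libssl-dev

---
# meta/snap.yaml: what snapcraft writes into the .snap and what the store's
# lint-snap-v2 checks. Runtime metadata only: no parts, plugin, source or
# build-packages keys, or the review fails with "unknown entries in snap.yaml".
name: mysterymentor-dev
version: 0.99.0-3-gf05cea9
summary: Mystery Mentor client (development)
description: Mystery Mentor client (development)
confinement: strict
architectures:
  - amd64
apps:
  mysterymentor-dev:
    command: mm-dev
    plugs:
      - home
```

The distinction matters for the goreleaser setup mentioned later in the thread: `snapcraft pack` only wraps a directory that is already laid out like a snap (binaries plus meta/snap.yaml) and does not run the parts lifecycle, so a parts block passed through to it is never built and only trips the store lint. Either let `snapcraft` build the whole snap from snapcraft.yaml, or place any extra binaries in the directory that gets packed.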

Oops, indeed; nobody should touch snap.yaml by hand. I kind of assumed snapcraft.yaml and misread …

I use a special tool for creating snaps, goreleaser, which uses the command snapcraft pack to make the snap file. How can I fix that to use parts in my snap file?

Can I build parts before the command snapcraft pack?

@mgrachev are you still stuck?

You mentioned parts in your snap file. As Dan mentioned, parts are a snapcraft thing, not a thing that goes in the snap.yaml.

Can you detail exactly what stage you’re at and if you still need assistance?

Thank you all for help! I removed the git dependency and everything worked.