Need a way to turn off confinement while allowing updates

It seems there have been changes in snapd (not sure when) that have made it so that snaps that are confined can no longer be installed with the --classic argument to remove confinement. For the Inkscape snap we have long recommended this as a technique to use the snap, but allow it to integrate more completely with the system overall. While --classic is undesirable from a security perspective, I think that forcing a user to install at the command line and use a custom flag is discouragement enough to make it a rare occurrence. The snap is still a security win in that the user gets more up-to-date software installed, as the fallback is AppImage. I believe that this change should be reverted.

A little more in-depth on the requirement. Inkscape has an extension system that allows for effect, open and save, and printing extensions. These take a variety of forms, and for custom devices like vinyl cutters can even involve proprietary dependencies. We cannot include all of these in the snap. So typically users will get their system working with all of those dependencies, and then use Inkscape on top of them. Generally I’d like this to be with the snap.

unlike some random sources on the internet might suggest, this was never actually supported … it worked (in a very broken way) for a short period of time due to a bug that was fixed quite a while ago (2017 ??) …

… note that your snap packaging has to be completely different from the ground up when using classic … even if that switch would work again you would end up with broken behaviour of your snap

One of those is the Inkscape website. And it still does state that.

So is there a way to enable the bind mounts but not the apparmor restrictions?

better fix that then :slight_smile:

no, you either package for classic or for strict … both at the same time isn’t possible and both cases behave differently at runtime (different wrappers that get executed, different env setup etc), they have never been interchangeable … that’s why there is a confinement: setting in every snapcraft.yaml …

EDIT: to have degraded strict confinement you can use --devmode indeed … but that’s not the same as classic … it just drops apparmor to complain mode but behaves otherwise the same.

This sounds like what we need. And apparmor complaining won’t really affect users that much as they’re not seeing the command output (or logs really).

What would be nice is if there was a new option --unconfined that worked like --devmode but output the complaining to /dev/null.

note that snaps in --devmode will not auto-upgrade anymore (unless that has changed recently)

:open_mouth: Is there a reason for that? Becomes hard to recommend to folks, they might as well just use the AppImage at that point.

there was a discussion somewhere here in the forum about the reasoning but I can’t find it now but I promise it is there somewhere … :slight_smile:

you can still snap update inkscape --devmode indeed, it will just not do it on its own.
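An added example, not part of this thread and not snapd’s own tooling: a small POSIX shell check that parses the Notes column of `snap list` output and reports which installed snaps carry the devmode flag (and so will not refresh on their own) or the classic flag. The snap names, versions and revisions in the embedded sample are constructed for the example; on a real system the sample would be replaced by the live output of `snap list`.

```shell
#!/bin/sh
# Constructed sample of `snap list` output (names, versions and revisions are
# made up for this example; they are not captured from a real machine).
SAMPLE_SNAP_LIST='Name      Version   Rev    Tracking       Publisher   Notes
core20    20230308  1852   latest/stable  canonical   base
inkscape  1.2.2     9090   latest/stable  inkscape    devmode
snapd     2.58.3    18357  latest/stable  canonical   snapd
vlc       3.0.18    3078   latest/stable  videolan    -
code      1.77.0    122    latest/stable  vscode      classic'

# Print the names of snaps whose Notes column (the last field, comma-separated)
# contains the given flag, e.g. "devmode" or "classic". Skips the header row.
snaps_with_note() {
    flag="$1"
    printf '%s\n' "$SAMPLE_SNAP_LIST" | awk -v flag="$flag" '
        NR > 1 {
            n = split($NF, notes, ",")
            for (i = 1; i <= n; i++) {
                if (notes[i] == flag) { print $1; break }
            }
        }'
}

# Snaps installed with --devmode are not refreshed automatically, so an admin
# who wants current software has to refresh them by hand.
devmode_snaps() { snaps_with_note devmode; }

# Snaps installed with --classic run without strict confinement; worth auditing.
classic_snaps() { snaps_with_note classic; }

# Stand-alone usage: list the snaps that need a manual refresh.
# For a live system, set SAMPLE_SNAP_LIST="$(snap list)" before calling.
devmode_snaps
```

The check keys on the Notes column rather than on `snap info` so it works on a single captured listing; a snap that has been switched back to strict confinement with a plain `snap refresh` drops out of the devmode list on the next run.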