This works fine in devmode. For testing I released the app to beta channel and I see this issue.
Not sure, how with devmode path to ‘df’ system binary / utility but not when on beta channel.
in strict mode access to the df binary from the core snap is not allowed (--devmode drops all restrictions but prints ALLOWED messages in your journal for each access that would normally be forbidden) … so you need to ship df via a stage-packages: entry, then you can call it from inside the snap ($SNAP/bin and $SNAP/usr/bin are transparently added to your PATH when running a snap). df is in the coreutils deb, just add it to your stage-packages:
because they need highly privileged interfaces … snap commands can not be executed at all … you need the snapd-control interface that grants you access to the snapd REST API which is not available via the global store, this requires a brand store …
for dmidecode you need:
A) the dmidecode binary inside your snap
B) the hardware-observe interface that grants read access to /sys/firmware/dmi/tables
C) the actual file permissions to access the above dir (which is why I assume you call sudo in the command … which does not really work inside snaps (no access to /etc/sudoers and the like))
obviously C) isn't easily solvable, you could create a service (daemon: simple) for this and talk to it through a socket (or dbus if you like it more complex) from your userspace program so the userspace part does not need to elevate privileges itself.
You don’t need to ship ‘df’, the ‘mount-observe’ interface allows access to it. It is a bug in snappy-debug that it isn’t suggesting it (for which I’ve taken a TODO to fix).
If doing this, please perform some sort of permissions check otherwise your snap provides privilege escalation for all users on any system it is installed on (the permissions are what they are for a reason :). One way to do this is if using the socket, look up the PEERCRED (man unix) to get the uid, then you can use id <uid> to see the group membership for the user. You might, for example, see if the user is in the ‘sudo’ group. This isn’t perfect since, of course, there is no password prompt, but it is something.
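The check described in the last post, sketched as an added example (not code from the thread or from snapd): the daemon reads SO_PEERCRED from the accepted Unix socket and refuses callers that are not in the ‘sudo’ group. The function names are hypothetical, the group lookup uses Python's pwd/grp modules in place of running id <uid>, and letting uid 0 through is an assumption.

```python
import grp
import os
import pwd
import socket
import struct

# struct ucred from unix(7): pid_t pid; uid_t uid; gid_t gid
UCRED = struct.Struct("iII")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of conn.

    The kernel fills these in when the socket is connected, so the
    client cannot forge them the way it could a uid sent in the payload.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def user_in_group(uid, group_name):
    """True if uid is a member (primary or supplementary) of group_name."""
    try:
        user = pwd.getpwuid(uid)
        wanted_gid = grp.getgrnam(group_name).gr_gid
    except KeyError:
        # Unknown uid or unknown group: fail closed.
        return False
    return wanted_gid in os.getgrouplist(user.pw_name, user.pw_gid)


def authorize(conn, group_name="sudo"):
    """Decide whether the peer may use the privileged service.

    Assumption: root is always allowed; everyone else must be in group_name.
    """
    _pid, uid, _gid = peer_credentials(conn)
    return uid == 0 or user_in_group(uid, group_name)


if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for an accepted client
    # connection; both ends belong to this process.
    daemon_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    print("peer (pid, uid, gid):", peer_credentials(daemon_end))
    print("authorized:", authorize(daemon_end))
```

In a real daemon, call authorize() on each connection returned by accept() before acting on any request, and close the connection when it returns False.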