We have discussed the idea of being able to constraint auto-connection (or connection or installation) on actual plug names or slot names.
Use cases
Plugs of superprivileged interfaces that don’t need parameters/attributes should have names that match the interface name. This is good style and makes it clearer what they are about. The feature would allow to enforce this when granting them.
When we grant something like system-files/personal-files we want to enforce again a good plug name that describes within reason what is being given access to.
In case of gadget snaps or snaps designed for one or a given set of models (so from a brand store) and assuming well chosen names for slots, this feature might help disambiguate auto-connection situations where other means would not be enough.
Syntax
Parallel to similar constraints like plug-attributes/slot-attributes we would introduce plug-names and slot-names constraints.
Their value to check would be a list of strings, interpreted as regular expressions (implicitly wrapped in ^$). The constraint would succeed if any of the expression matches. It should be noted that any valid plug or slot name is a valid regular expression matching itself.
Further we would also allow for the strings the special value $INTERFACE which matches the interface name of the rule.
(There’s a less clear case for $PLUG_NAME, $SLOT_NAME special values).
Examples
snapd-control:
allow-installation:
plug-names:
- $INTERFACE
allow-auto-connection: true
personal-files:
allow-auto-connection : true
allow-installation:
plug-names:
- home-dot-bar
plug-attributes:
read: \\$HOME/\\.bar
gpio:
allow-auto-connection:
slot-names:
- alert-led
personal-files:
allow-auto-connection : true
allow-installation:
- plug-names:
- home-dot-bar
plug-attributes:
read: \\$HOME/\\.bar
- plug-names:
- home-dot-foo
plug-attributes:
read: \\$HOME/\\.foo