Read permission


#1

greetings, my app needs read permission for the directory containing the executable ($SNAP/current). this can be accomplished with classic confinement, but is there a way with strict confinement?


#2

This is enabled by default for all snaps (else you would not be able to actually execute them, they must be able to read the path of the binary you execute, the libs that binary uses etc) …

what is the exact issue you see, is there an error you could post here?

(and classic confinement would likely not make much of a difference here)


#3

here is my yaml code:


grade: devel
confinement: strict

parts:
  tdhcad:
    plugin: dump
    source: TdhCad_linux64.zip
    stage-packages:
      - libwxgtk3.0-0v5
      - libcairo2

apps:
  tdhcad:
    command: TdhCad_linux $SNAP_USER_DATA
    plugs: [home, desktop]

the zip file consists of the executable, a shared library and a read only database file. the app expects all these files to be in the same directory as the executable. the app runs fine in classic confinement, but when run in strict confinement, it produces the following, regarding the shared library:

TdhCad_linux: error while loading shared libraries: ./libTdhCairo.so: cannot open shared object file: Permission denied

i’m supposing that if the shared library issue was resolved by moving it, the app still wouldn’t be able to read the database file.


#4

after working on this further, i find that if i can change the command-tdhcad.wrapper file
from:
exec "$SNAP/TdhCad_linux" "$SNAP_USER_DATA" "$@"
to:
cd $SNAP
exec "./TdhCad_linux" "$SNAP_USER_DATA" "$@"

this will solve the problem. basically, the app needs to be run from the directory containing the app. can you suggest the best way to accomplish this within the yaml code?


#5

create a shell script that does this and replace the command: value with it …
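
One way to write the launcher script suggested in #5, as an added example that is not part of the original thread. The script name `tdhcad-launch`, its `bin/` location and the preflight check are assumptions; the file names come from #3.

```shell
#!/bin/sh
# Hypothetical launcher, shipped in the snap as bin/tdhcad-launch and wired up
# in snapcraft.yaml with:   command: bin/tdhcad-launch
# (script name and location are assumptions, not from the thread).

# Files the app expects next to the executable. The thread does not name the
# read-only database file, so add it to this list when packaging.
REQUIRED_FILES="TdhCad_linux libTdhCairo.so"

# preflight DIR: return 0 if every required file is readable in DIR;
# otherwise report each unreadable file on stderr and return 1.
preflight() {
    dir=$1
    rc=0
    for f in $REQUIRED_FILES; do
        if [ ! -r "$dir/$f" ]; then
            echo "tdhcad-launch: cannot read $dir/$f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# launch DIR DATA_DIR [ARGS...]: change into DIR so that relative paths such
# as ./libTdhCairo.so resolve inside the snap, then replace this shell with
# the application.
launch() {
    dir=$1; data=$2; shift 2
    preflight "$dir" || return 1
    cd "$dir" || return 1
    exec ./TdhCad_linux "$data" "$@"
}

# snapd sets $SNAP for confined apps; do nothing when run outside a snap.
if [ -n "${SNAP:-}" ]; then
    launch "$SNAP" "$SNAP_USER_DATA" "$@"
fi
```

The preflight step separates a file that is missing or unreadable inside `$SNAP` from a working-directory problem like the one in #3 and #4.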


#6

I workaround it somehow:


#7

excellent idea, thank you.


#8

again, thanks so much.