Read, write file from snap


is-it possible to access to file user using snap “strict” ?

I tried :

          - system-files:
            read: [/etc/somefile]
            write: [/etc/somefile]

I have this message :

    Bad snapcraft.yaml content:
    - string type expected


It’s hard to say what’s happening given the snapshot you provided, but I think what you’re intending is a plug that looks as follows:

    interface: system-files
    write: [/etc/somefile]

Note that the interface name is listed under interface here - immediately below plugs is the name of your plug (something you come up with, not the interface name).

Additionally, write access automatically grants read access, so you don’t need to declare both read and write access for the same file.

You can see a working example in the Chromium-browser snapcraft file:

Please note that the system-files interface is both not auto-connected and is considered super-privileged, as it’s rare that an application actually requires this. For Chromium, for example, the snap can only read from a particular directory in order for system administrators to set policies. It’s not actually necessary for the operation of the browser itself, just for system administrators to enforce configuration.

As such, it may be important to consider whether you actually need to access files in the real /etc directory. You may have a good reason to do so, but if your reason is, for example, "I’m packaging a piece of software that stores its configuration in /etc" a better option is to use layouts to ensure that when the app tries to access /etc/somefile it actually accesses a file inside the $SNAP_DATA directory. This retains confinement for the snap, so it’s a much preferred way to do it. If the reviewers don’t think your app needs real access to /etc, you’ll end up having to change it anyway, so I thought it would be worth letting you know now so you don’t do any unnecessary work :slight_smile:

1 Like