name: my-test
version: '1.1'
summary: Single-line elevator pitch for your amazing snap
description: 'This is a test snap'
grade: stable
confinement: strict
plugs:
  lvm-info:
    interface: system-files
    read:
      - /etc/**
    write:
      - /etc/**
parts:
  my-test:
    # See 'snapcraft plugins'
    plugin: dump
apps:
  ver:
    command: bin/ver
  show:
    command: bin/show
  test:
    plugs:
      - lvm-info
    command: bin/test $1 $2 $3
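And the command test is:

#!/bin/bash
# Usage: test read|write <path>
# "read" prints the file, "write" overwrites it with a marker string.
if [ "$1" == "read" ]; then
    cat "$2"
fi
if [ "$1" == "write" ]; then
    echo heheh > "$2"
fi

When I install the snap, it shows: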
2021-07-27T18:22:05+08:00 INFO snap "test-common" has bad plugs or slots: lvm-info (cannot add system-files plug: "/etc/**" contains a reserved apparmor char from ?*[]{}^")
I don’t think you can use globbing (*) in the interface path at the system-files definition, put the full path into the write block instead, delete the read block (write implies read) and name the interface like the actual file path like:
You do snap install snappy-debug and run the snappy-debug command from it in a second terminal while running your application, the output from it should give you some hints about missing interfaces …
The user does not know, you could use a wrapper script that uses “snapctl is-connected …” to check if the interface is connected and show a message in case it is not …
You can also try to ask for auto-connection of the plugs at install time (just change the topic of this thread to become an auto-connection request), note though that for system-files plugs your app needs to be the clear owner of the dir/file the plug permits to get auto connection granted …
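The wrapper-script suggestion in the reply above, as an added example (not code from this thread or from the snap being discussed). It reuses the lvm-info plug name from the snapcraft.yaml posted earlier and assumes the real program is installed as $SNAP/bin/test.real, a hypothetical path.

```shell
#!/bin/sh
# Wrapper used as the app's "command:"; it checks the app's plugs before
# starting the real program, so an unconnected interface produces a clear
# message instead of a bare "Operation not permitted".
# Assumptions (not from the thread): the real binary is $SNAP/bin/test.real
# and REQUIRED_PLUGS lists the plugs declared for the app.
REQUIRED_PLUGS="${REQUIRED_PLUGS:-lvm-info}"

# Print the names of the given plugs that are not connected, space separated.
missing_plugs() {
    missing=""
    for plug in "$@"; do
        # "snapctl is-connected" exits 0 only when the plug is connected.
        if ! snapctl is-connected "$plug" >/dev/null 2>&1; then
            missing="${missing:+$missing }$plug"
        fi
    done
    printf '%s' "$missing"
}

# Return 0 if every plug is connected; otherwise tell the user how to
# connect each missing one and return 1.
require_plugs() {
    missing=$(missing_plugs "$@")
    if [ -z "$missing" ]; then
        return 0
    fi
    for plug in $missing; do
        echo "Interface '$plug' is not connected; run: sudo snap connect ${SNAP_NAME:-<snap>}:$plug" >&2
    done
    return 1
}

# snapd sets $SNAP inside a snap; outside one the file only defines functions.
if [ -n "${SNAP:-}" ]; then
    # Word splitting of the plug list is intended here.
    require_plugs $REQUIRED_PLUGS || exit 1
    exec "$SNAP/bin/test.real" "$@"
fi
```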
@weLees - can you please update this thread on the status for visual-lvm? It would appear from the discussion above that you may have got it working under strict confinement - can you confirm? Thanks.
There is nothing you need to do - thanks for confirming it is working with strict confinement, I will consider this request for classic confinement closed then as it is no longer necessary.
Hi alexmurray,
We have tried all methods to make visual-lvm-remote work in strict mode but failed.
It needs to work with /dev/sdx, /proc/{@id}/mounts, seeks mkfs.xxx to implement all features.
I have to request classic mode for visual-lvm-remote again.
We can’t make it work in strict mode. T_T
As per the Process for reviewing classic confinement snaps, unfortunately the inability to get a snap working under strict confinement is not a sufficient precondition to be granted the use of classic confinement.
Not every application is able to be packaged as a strictly confined snap, and for those that are not, they must have a requirement for classic confinement as per that page - but again, this snap doesn’t seem to need to execute arbitrary binaries from the host or access things outside the snap’s runtime etc. Instead it would seem to need an interface that provides direct access to underlying disk devices. This does not currently exist but perhaps the block-devices interface which provides partition level access may be sufficient?
Also for /proc/$id/mounts you could try using mount-observe.
Hi alex,
It seems that we can ignore the mount case now. But we’ve found a new case:
My snap can not open /dev/mapper/control. It shows “Operation not permitted”.
It looks like it should be possible to access /dev/mapper/control by using the dm-crypt interface - next time can you try using snappy-debug which should automatically suggest such things. Thanks.