reasoning: There are two commands packaged with Bak8 for long-term and adhoc backups, respectively: bak8 and bak. The bak8 tool essentially acts as automation for rsync while bak acts as automation for cp with file rotation. Both allow the user to arbitrarily read from anywhere on the filesystem that they want to archive.
I understand that strict confinement is generally preferred over classic.
I’ve tried the existing interfaces to make the snap to work under strict confinement.
If these commands only require read access from the filesystem, the system-backup interface should be able to be used to look at everything via /var/lib/snapd/hostfs/.
I came across this last night! I must have missed it last year when I was trying out different options.
I think a combination of system-backup for reading and removable-media for writing might be what I need for bak8.
The adhoc bak utility writes files in place and I’m not seeing an interface for something like that. If bak8 can be more strictly confined, I’m wondering if breaking bak off into its own snap with classic might be the more secure option there.
hi @asmov - Let us know if you have any issues or more questions with making bak8 fit under strict confinement because that is the best outcome! (#askForInfo)
As for bak, you are correct, we don’t have an interface that allows arbitrary writes to the fs. For that, it would require classic and to fit under a supported category as per Process for reviewing classic confinement snaps
