Request for classic confinement for "proaction"

Hi all,

I’d like to request class confinement for the “proaction” snap. Proaction is a command line utility to work with any local git repo to help manage .github/workflow files. I’d be happy to use strict confinement, but the value of the “proaction” utility comes from it’s ability to update, in place, the workflow files that the user has checked out. Developers and uses may have their git repos in their home directory, but Proaction needs to read and write to git repos, wherever the user already has them checked out.

Thanks!

I’d be inclined to document that the snap can only access specific paths and retain strict confinement. The home interface and removable-media interface should cover most user-facing paths that a person is likely to want to write to.

1 Like

Hi Daniel, Thanks for the quick response.

I understand that approach to add some limitations to the product in order to retain strict confinement, but we do want Proaction to be compatible with the directory structure and code layout that a user already has on their workstation. If the code is not under $HOME (or removable media), this confinement would require that the user either finds a different way to install Proaction or change where they store code on their workstation.

I understand the --classic flag allows for much more access than we want here, but there are use cases where this is desirable. I know that some people (myself included) mount an external disk (not removable, but just a different block device) to a directory such as /go and use this as my $GOPATH. With the strict confinement, I’d have to change my directory structure in order to use Proaction, which would be undesirable.

Its only a request to get access to more directories, outside of $HOME and removable media, but absent a way to do this in strict confinement, we’d still like to request classic confinement to meet this use case.

Thank you.

For the case of a path such as /go you could bind mount this to /home/user/go or similar and use this as GOPATH for strict confinement. classic confinement for development tools is more suitable for tools which need to execute arbitrary binaries from the host etc as explained in Process for reviewing classic confinement snaps - if you feel that proaction does fit within the known categories for classic confinement can you please detail that here so we can understand these requirements?

@marcc - in addition to others comments, I think it might be helpful if you sketched out a few typical use cases that demonstrate what the tool does, how it works and why classic is required. Based on the information given, it seems like plugging home and removable-media would be sufficient for strict mode, but I feel I am missing some important details (eg, what is a ‘workflow’ in proaction parlance?).

@marcc this request cannot proceed without a response from you - can you please respond to the questions above?

Thanks for the responses. We are taking a different path here and no longer requesting any assistance.