Request for classic confinement for sbctl

store-requests
#1

Hi, I’m requesting classic confinement for https://snapcraft.io/sbctl/ I’m not the official developer, but I use this app and wanted to make it easier to install by default on ubuntu.

Sbctl is a secure boot manager that helps you enroll your own custom keys. GitHub - Foxboron/sbctl: :computer: :key: Secure Boot key manager

So, the reason why it needs classic confinement is because of the need to access the ESP partition to sign the boot executables, and also to enroll the keys. To my knowledge, there is no interface to allow that. Thanks!

#2

The system-files interface should be able to grant access to the typical mount points that ESP partitions use…

#3

I was under the assumption that the system-files interface was only for /etc and not any other folders? Also, it says that it’s specifically not for folders that the snap is not the clear owner.

#4

Technically there is no limit to what system-files can access and granting an exception to any rule around the interface is still better than making it classic…

2 Likes
#5

@techytips have you tried using system-files ?

#6

Well, I just did some more research and it appears that /boot is not allowed to be created (It 's a new top level directory, but I might be wrong. Also, /boot seems to be banned from being a target path too.

#7

you are talking about layouts i’m talking about system-files :wink:

#8

I’m sorry. I just can’t seem to get it to work even with the system files interface setup, I’ve added it, and also connected the interface. When I run lsblk inside the snap, it seems like the base snap (core22) overrides the path.

image
image789×405 20.4 KB

#9

Here’s my snapcraft.yaml as well:

image
image2548×843 68 KB

#10

Heh, yeah, you did not talk about lsblk calls before :slight_smile:

Install the snappy-debug snap and run the same named tool from it in a second terminal while running your app, that should give you suggestions about additional interfaces you need to define and connect.

#11

@techytips ping,

Are you still experiencing issues? Did you run snappy-debug as suggested?

#12

Really sorry about not answering this. I’ve been busy with stuff and haven’t had the energy to try to figure out sbctl in a snap. Also, I found out that since I was using WSL ubuntu, it lacks the apparmor kernel support so snappy-debug would never report any violations. I had to use a bare metal install or virtual machine. :frowning: