Request for classic confinement of butil


I want to make backup software available for Ubuntu and since it neads backup user data, it needs access for home directory and possibility to mount CIFS and other share, spawn 7-zip and be able to execute arbitary user defined script for mounting/unmounting other possible destinations for backup.

I finally made snapcraft that is working, learned a lot about snap and linux in general, however i must admit huge amount of time required for preparing snap for small app.

Currently I tried to convert confinement classic snap into strict and face lots of issues.

  1. Significant efforts to declare it. Its size increased by this.
    interface: personal-files
    - $HOME/

    command: bin/butil-ui.Desktop
      - desktop
      - cifs-mount
      - home
      - personal-files-specified
      - network
      - removable-media
      - shutdown
      - wayland
      - avahi-observe
      - dcdbas-control
      - desktop-launch
      - dm-crypt
      - framebuffer
      - fuse-support
      - hardware-random-observe
      - hidraw
      - kernel-crypto-api
      - personal-files
      - screen-inhibit-control
      - scsi-generic
      - x11

      - libx11-6
      - libstdc++5
      - libice6
      - libsm6

But it does not work great with .Net.

  1. Icons in AvaloniaUI does not work because system fonts does not load and it fallbacks to default fonts.

  2. Video, Pictures, Documents, etc folders are resolved as empty, which is kind of broken support for emulation of it in snapd.

  3. Fonts cannot be loaded in child dialogs (!)

  4. Spawn of child process declared in snap (!) does not work in strict confinement.

So probably better not go into this sctrict area at all and have classic confinement. Therefore I’m here.

Hi, according to Process for reviewing classic confinement snaps , Classic requests should fall under at least one of the supported categories. Could you please clarify if butil fits within any of the supported categories? Thanks.

Hi @cav , this tool does not fall under any of the supported categories. It’s backup tool.

I am wondering if the system-backup interface can assist with some issues you might be facing. This interface provides read-only access to the system via /var/lib/snapd/hostfs. The process-control interface additionally enables system-wide process management which could also rectify issues.

Hi @siarhei_kuchuk ,

Could you analyze @cav suggestions?


@emitorino, @cav

Tool does not fall within any categories created for classic confinement applications. I mean that its a show-stopper. Isn’t it.

system-backup interface will not help, because i want user to specify folders he want to backup, I don’t want user to expose entire system, with which he will be able to circumvent security by backupping system and having access to it. The interface itself is a security vulnerability. Also situation with empty folders was resolved in .Net 8 (which is still not available for snapped applications in core22 or whatever comes next).

Thanks for suggestion about process-control . Its definitely worth looking into.

There’re some issues with mount scripts execution and AvaloniaUI library child dialogs and broken fonts support for strictly confined snap child dialogs. I spent more than a month trying to resolve it. For me that’s a lot of time, so I’m not ready to dig into this, i.e. investigate cases, create tickets for strictly confined apps not able to launch scripts, fonts staff.

Currently I’m releasing snap in classic confinement on github as archive along with command line describing how to install. So anyone can find software there will be able to install it.

Although classic can’t be granted as the snap doesn’t fit directly in one of the supported categories, there may still be some alternate solutions.

In regards to wanting users to specify folders/files:

  • Perhaps using portals (XDG desktop portals) may suit your snap instead of system-backup in your case as this enables users to select which files or folders to access.

Additionally, it looks like there was a recent dontnet-sdk snap release with a channel for 8.0 that may help fix some of the mentioned issues.