Request for classic confinement of owwatcher

owwatcher needs to be able to read arbitrary locations on the filesystem (particularly /tmp). owwatcher can likely just use the system-backup interface once it becomes available, but must be classic until then.

Note that the snap already has access to /tmp, but /tmp within the snap’s runtime is snap-specific and not /tmp from the system (but the host’s /tmp is available in /var/lib/snapd/hostfs/tmp).

What does this snap do and what specific accesses are required? Directory access? File access? All access?

This snap uses inotify to monitor a user-specified directory (usually /tmp) for the appearance of world-writable files or directories. This is useful for identifying potential symlink race or TOCTOU vulnerabilities. It needs read-only file and directory access.
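As an added illustration of the check the post describes (this is not owwatcher’s own code, which watches with inotify rather than walking the tree), the following one-shot Python scan flags world-writable entries under a directory, separates sticky-bit world-writable directories such as /tmp itself, skips symlinks (lstat is used so they are never followed), and records directories it could not descend into. The function name and result keys are my own choices.

```python
import os
import stat
from typing import Dict, List


def is_world_writable(mode: int) -> bool:
    """True when the 'other' write bit (o+w) is set on a stat mode."""
    return bool(mode & stat.S_IWOTH)


def scan_world_writable(root: str) -> Dict[str, List[str]]:
    """One-shot walk of `root` (assumed readable) reporting:

    - world_writable: files and non-sticky directories with o+w set,
      the candidates for symlink races / TOCTOU abuse;
    - sticky_world_writable_dirs: o+w directories with the sticky bit,
      e.g. /tmp itself, reported separately since the sticky bit
      prevents unlinking other users' entries;
    - unreadable: directories the scan could not descend into
      (for example a 0700 directory owned by another user).
    """
    found: List[str] = []
    sticky_dirs: List[str] = []
    unreadable: List[str] = []

    def on_error(err: OSError) -> None:
        # os.walk calls this when scandir() on a directory fails.
        unreadable.append(err.filename)

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # never follow symlinks
            except OSError:
                unreadable.append(path)
                continue
            if stat.S_ISLNK(st.st_mode):
                # A symlink's own mode is meaningless; what matters is
                # the writability of the directory containing it.
                continue
            if not is_world_writable(st.st_mode):
                continue
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                sticky_dirs.append(path)
            else:
                found.append(path)

    return {
        "world_writable": sorted(found),
        "sticky_world_writable_dirs": sorted(sticky_dirs),
        "unreadable": sorted(unreadable),
    }


if __name__ == "__main__":
    import sys
    import json

    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TMPDIR", "/tmp")
    print(json.dumps(scan_world_writable(target), indent=2))
```

Run it against /tmp (or $TMPDIR) as an unprivileged user and the unreadable list shows exactly the directories a confined watcher would also be blind to.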

(but the host’s /tmp is available in /var/lib/snapd/hostfs/tmp)

While owwatcher can watch any directory, in practice it will likely only be used to monitor /tmp and/or the directory specified by a user’s $TMPDIR environment variable. If /tmp is available in /var/lib/snapd/hostfs/tmp, it may be sufficient to use the ‘home’ interface and read the host’s /tmp without being a classic snap. However, the documentation for the ‘home’ interface says it “allows access to non-hidden files”. I’m assuming that “hidden files” means “files beginning with a ‘.’ character”. Applications might create hidden files in $TMPDIR/, in which case the ‘home’ interface is insufficient.

Sorry, I wasn’t clear. /var/lib/snapd/hostfs is available in the runtime environment, but as of today, not via any interfaces. Curious whether, if you add /**/ r, to the policy in /var/lib/snapd/apparmor/profiles/snap.owwatcher.owwatcher, you have the necessary access?

Adding that rule to the apparmor policy allows owwatcher to read /var/lib/snapd/hostfs/tmp, but it can’t recursively read all of the files in /tmp. For example, there’s a directory owned by my user with 700 permissions and the snap is unable to read into that directory, even when run as sudo owwatcher.