Request for classic confinement: parsec

Thanks a lot for the link in the GitHub issue comment, this gives me more understanding of the fuse interface :wink:

Can you give precise details on how the mounts work (eg, mountpoints, mount options, etc)?

Here is how the application works:

  1. user starts the application
  2. application displays a login page
  3. user logs in
  4. application loads the user’s configuration including the path where fuse should be mounted (let’s say $HOME/parsec-mnt for instance). It’s totally acceptable to force the user to only mount in his home or in the /media/<username>/ folder.
  5. application starts fuse (application is in python and I use the fusepy library as a slim wrapper on libfuse), this exposes the user’s data. Using mount -l I got:

FuseOperations on /home/touilleMan/parsec-mnt type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

  6. user can decide to logout (to login as another identity for instance). This causes the application to stop the fuse and unmount the fuse mountpoint

From what I understood, snap fuse interface:

  • is not connected automatically, meaning the user should do an additional manual operation once the snap is installed to enable this. I guess the manual phase has to be done only once (and not each time the application is started or each time snapd is restarted). This still leaves me puzzled by the "Can mount fuse filesystems (as root only)." documentation sentence about the fuse-support interface. Does this mean that once the interface is connected, the application must be run as root (typically by having snapd prompt a root password box before actually running it)?
  • doesn’t support unmounting (even if the mountpoint has been mounted by the same process like in my usecase). This is not compatible with the logout phase of my application. BTW, this is still a bit strange for me given I would say not unmounting your fuse before closing an application can leave a zombie mountpoint (i.e. ls on the path ends up with a "Transport endpoint is not connected" error), I got the case when using SIGKILL on my application. Is there something I’m missing there?
  • you wrote in the GitHub issue "Furthermore, the snap-confine command creates a new mount namespace so the fuse mounts aren’t accessible to other processes outside of the app’s process." Does this mean the fuse mountpoint wouldn’t be accessible from 3rd party applications (for instance opening a text file with vi or reading a movie with vlc)? If so this would make fuse pretty useless so I guess I read this wrong :wink:

Of course your request for classic means that the snap wouldn’t be available on classic either.

I’m not sure what you mean by that…
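
An added example, not part of the original post and not parsec's or snapd's code: a check that parses the `mount -l` line quoted above, tests it against the restriction proposed in step 4 (mountpoint under the user's home or /media/<username>/, with the nosuid and nodev options shown in that output), and detects the zombie mountpoint described for the SIGKILL case. The function names, the policy itself and the second sample line are assumptions made for illustration.

```python
import errno
import os
import posixpath
import re

# Format printed by `mount -l`: "<source> on <target> type <fstype> (<options>)"
MOUNT_RE = re.compile(r"^(\S+) on (.+) type (\S+) \(([^)]*)\)")

# First line is the one quoted in the post; the second is constructed for the example.
PAGE_LINE = ("FuseOperations on /home/touilleMan/parsec-mnt type fuse "
             "(rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)")
BAD_LINE = ("FuseOperations on /home/touilleMan/../../etc/parsec-mnt type fuse "
            "(rw,relatime,user_id=0,group_id=0)")

def parse_mount_line(line):
    """Split one `mount -l` line into its fields; None if it does not match."""
    m = MOUNT_RE.match(line.strip())
    if m is None:
        return None
    source, target, fstype, raw = m.groups()
    # "user_id=1000" -> ("user_id", "1000"); bare flags such as "rw" map to "".
    options = dict(opt.partition("=")[::2] for opt in raw.split(","))
    return {"source": source, "target": target, "fstype": fstype, "options": options}

def policy_problems(entry, username, home, uid):
    """Return the reasons a mount falls outside the assumed policy (empty = OK)."""
    problems = []
    if not entry["fstype"].startswith("fuse"):
        problems.append("not a fuse mount")
    # Lexical normalisation only: ".." is collapsed, symlinks are not resolved.
    target = posixpath.normpath(entry["target"])
    roots = [posixpath.normpath(home), posixpath.join("/media", username)]
    if not any(target.startswith(root + "/") for root in roots):
        problems.append("mountpoint outside home and /media/<username>/")
    for flag in ("nosuid", "nodev"):
        if flag not in entry["options"]:
            problems.append("missing " + flag)
    if entry["options"].get("user_id") != str(uid):
        problems.append("user_id does not match the session user")
    return problems

def is_stale(path):
    """True when the mount is still present but its FUSE process is gone (ENOTCONN)."""
    try:
        os.stat(path)
    except OSError as exc:
        return exc.errno == errno.ENOTCONN
    return False
```

Running `is_stale()` on the configured mountpoint at startup lets the application notice a mount left behind by a killed process before trying to mount over it.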