Request - Interface Personal-files: read-write

warrensbox · July 5, 2021, 7:24pm

Hi, I’m the developer for warrensbox.
For my tfswitch application, I need access for my application to read and write to $HOME/bin

What is tfswitch?
The tfswitch command line tool lets you switch between different versions of terraform.
If you do not have a particular version of terraform installed, tfswitch will download the version you desire.
The installation is minimal and easy.
Once installed, simply select the version you require from the dropdown and start using terraform.

https://tfswitch.warrensbox.com/ for more info.

Why I need access to $HOME/bin/?

tfswitch downloads the terraform binary into $SNAP_USER_COMMON/.terraform.versions
Next tfswitch created a symlink /usr/local/bin/terraform -> $SNAP_USER_COMMON/.terraform.versions but not all users have access to /usr/local/bin/.
So, tfswitch lets users to pass in their custom bin location. For example - $HOME/bin. User would later add $HOME/bin to their $PATH.
For users that install tswitch with snapcraft, even if users are able to pass their own custom bin location ($HOME/bin), snapcraft does not let you create a symlink.

My solution was to use interface: personal-files to read and write to $HOME/bin . That way tfswitch can still create a symlink for users while not being overly obtrusive.

Here the snippet of what I have:

plugs:
 home-bin:
   interface: personal-files
   read:
   - $HOME/bin
   write:
   - $HOME/bin

I appreciate any suggestions. Thank you!

warrensbox · July 7, 2021, 1:04am

Hi @emitorino,

I was wondering how the snapcraft review process works. I have submitted my proposal. But when and how will I know if this is looked at?

Any reply would most certainly help.

Thank you.

emitorino · July 7, 2021, 1:54pm

Hey @warrensbox, thanks for your post!

So there is a process involved in reviewing requests, here you can find the details about this specific one (use/auto-connection of interfaces).

You will hear from us soon! Thanks!

emitorino · July 15, 2021, 4:15pm

Hey @warrensbox,

I see you could achieve your needs by plugging personal-files, but it does not look like the correct approach. The personal-files interface, is typically used to provide read-only access to top-level hidden data directories within a user’s real home directory in order to support importing data from existing applications where the snap is the clear owner of the target directory.

Have you explore the possibility of shipping the desired terraform versions into your snap instead? (i.e., add to stage-packages (if needed you can add apt repositories), or even build from source?)

alexmurray · July 26, 2021, 4:34am

@warrensbox - ping, can you please provide the requested information?

warrensbox · July 28, 2021, 5:15am

@emitorino suggested shipping the desired terraform versions into your snap instead?

this would be hard as there are many terraform binaries - https://releases.hashicorp.com/terraform/
a cumulation of the terraform binary would make tfswitch too large

warrensbox · July 28, 2021, 5:15am

Is there another way?

ogra · July 28, 2021, 9:31am

the $HOME/bin path is fully writable through the normal home plug, there is no need at all to use personal-files since ~/bin is not a hidden dir. just add the home plug to your app …

warrensbox · July 30, 2021, 5:02am

I will test this out and get back to you shortly

alexmurray · August 4, 2021, 6:44am

@warrensbox - were you able to get this working? Can you please update this thread with the current status? Thanks.

warrensbox · August 10, 2021, 4:53am

@alexmurray I am still having issues.
Snap is unable to create a symlink from ~/bin (/home/ubuntu) to /home/ubuntu/snap/tfswitch/common/.terraform.versions/terraform_1.0.4

This is my yaml file: https://github.com/warrensbox/terraform-switcher/blob/master/snapcraft.yaml

ogra · August 10, 2021, 9:47am

$ snap run --shell picviewer
...
$ echo $HOME
/home/ogra/snap/picviewer/17
...

note that ~/bin might not point to where you expect it to point (and that dir might not exist in that path either)

what you could do its to make your app call out to getent like:

$ getent passwd $USER|cut -d: -f6
/home/ogra
$

to get the correct path here …

warrensbox · August 11, 2021, 11:54pm

You are right it’s referencing: /home/ubuntu/snap/tfswitch/49

I need to get getent passwd $USER|cut -d: -f6 working with golang. Otherwise I won’t be able to get to the actual ~/bin directory

ogra · August 12, 2021, 12:09am

there is surely a getent implementation for go, the rest is just string parsing …

warrensbox · August 12, 2021, 12:22am

Wait, this should work right? SNAP_REAL_HOME=/home/ubuntu

It looks like SNAP_REAL_HOME points to the user’s home dir not snap’s home. I’ll give that a shot

warrensbox · August 12, 2021, 1:57am

@ogra

I tried the method you suggested but snap has no write access to /home/ubuntu/bin (~/bin) .
What I am trying to do is create a symlink /home/ubuntu/bin/terraform -> /home/ubuntu/snap/tfswitch/common/.terraform.versions/terraform_1.0.3
Here’s my syntax:

apps:
  tfswitch:
    command: bin/tfswitch
    plugs:
      - home
      - network
      - network-bind

Here is the connection output:

ubuntu@ip-172-xxxxx:~$ snap connections tfswitch
Interface     Plug                   Slot           Notes
home          tfswitch:home          :home          -
network       tfswitch:network       :network       -
network-bind  tfswitch:network-bind  :network-bind  -

github.com

warrensbox/terraform-switcher/blob/master/snapcraft.yaml

name: tfswitch
version: '0.12.04'
summary: A command line tool to switch between different versions of terraform
description: |
  The `tfswitch` command line tool lets you switch between different versions of terraform(https://www.terraform.io/).
  If you do not have a particular version of terraform installed, `tfswitch` will download the version you desire.
  The installation is minimal and easy.
  Once installed, simply select the version you require from the dropdown and start using terraform.
architectures:
  - build-on: [amd64,arm64]
    run-on: [amd64,arm64]
assumes: [snapd2.45]
base: core18
 
grade: stable
confinement: strict

# plugs: //need snapcraft to make this work
#   home-bin:
#     interface: personal-files

This file has been truncated. show original

lucyllewy · August 12, 2021, 1:15pm

I think this might be a bug in snapd/apparmor - it is specific to creating a symlink in $HOME/bin. Making a symlink elsewhere seems to work just fine.

James-Carroll · August 12, 2021, 1:31pm

Access to $HOME/bin is explicitly excluded by the home interface.

github.com

snapcore/snapd/blob/4eb033215904732f899b324e7954a1c7724329b4/interfaces/builtin/home.go#L81


# that require this transitional interface.
owner @{HOME}/snap/ r,
# Allow access to gvfs mounts for files owned by the user (including hidden
# files; only allow writes to files, not the mount point).
owner /run/user/[0-9]*/gvfs/{,**} r,
owner /run/user/[0-9]*/gvfs/*/**  w,
# Disallow writes to the well-known directory included in
# the user's PATH on several distributions
audit deny @{HOME}/bin/{,**} wl,
`
const homeConnectedPlugAppArmorWithAllRead = `
# Allow non-owner read to non-hidden and non-snap files and directories
capability dac_read_search,
@{HOME}/               r,
@{HOME}/[^s.]**        r,
@{HOME}/s[^n]**        r,
@{HOME}/sn[^a]**       r,
@{HOME}/sna[^p]**      r,

warrensbox · August 16, 2021, 11:21pm

Thank you for clarifying this. I wish this was clarified sooner. It would have saved a lot of debugging time

James-Carroll · August 16, 2021, 11:29pm

Is it possible you could rely without the home interface and just use personal-files in this instance?

I’m not an expert here, but my assumption would be that an explicit denial is stronger than an explicit allow. Since the denial comes from the home interface itself, if you do without it, then the personal-files interface might work on the basis it’s an explicit allow that’s more specific than the usual base policy.

Obviously this is a solution that I wouldn’t be suggesting for any generic application because it’s cutting you off from the rest of $HOME (apart from $SNAP_USER_COMMON and $SNAP_USER_DATA), but having briefly read your requirements, maybe it’s good enough here?