The readonly access is clearly needed and I’m inclined to vote in favor of granting an installation constraint for read-only access to ~/.aws, but I’m somewhat hesitant because sam-cli is not the clear owner of this directory and this directory contains very sensitive information that would give the snap access to run up charges in AWS. I may feel less concern about this if the snap were named after the upstream project, aws-sam-cli. That said, the snap’s description is (currently) “The AWS SAM CLI tool for the AWS Serverless Application Model” so it isn’t trying to hide anything. Also, @stilvoid is in the process of upstreaming the snap packaging: https://github.com/awslabs/aws-sam-cli/commit/d48992ef6acdc2eceb739176bda92f1f3dd55d82
@stilvoid - Why did you choose to name the project sam-cli instead of aws-sam-cli?
As for auto-connection, I’m disinclined to grant auto-connection because the snap is not the clear owner. It is also easy for the snap to determine if it has read access, understand that it is a snap, and tell the user “Access denied to ~/.aws. Please run: sudo snap connect sam-cli:personal-files”. Personally, that would actually build confidence that the project cares about the security of this very sensitive data. Before I vote, I’d like to hear what an architect has to say (cc @pedronis).
Note that personal-files is new and we are still defining the processes around it. We’ve identified that personal-files is being used by more than just ‘owners of the directory’ as can be seen from sam-cli, Kubicorn and kubefwd.
(@stilvoid - feel free to ignore my comments from here down)
@pedronis, @mvo (who created the interface) - should snapd be updated so that a snap declaration can express the interface reference in its policy? Ie, let’s say we dictate as a matter of process for snaps like this that a snap use a particular interface reference, like so:
```yaml
name: foo
summary: application for building upon bar
plugs:
  home-dot-bar:
    interface: personal-files
    read: [ $HOME/.foo ]
```

such that `snap interfaces` would list:

```
$ snap interfaces
...
:personal-files foo:home-dot-bar
```

and users would connect with `snap connect foo:home-dot-bar`. Currently, by design, there is no way to reference `home-dot-bar` in the snap declaration. Eg (written as yaml instead of json for easier reading):

```yaml
personal-files:
  allow-auto-connection: true
  allow-installation:
    plug-attributes:
      read: \\$HOME/\\.bar
      interface-reference: home-dot-bar # doesn't exist
```
@pedronis, I could introduce this in the review-tools with an override mechanism in the short term, but this isn’t scalable (not to mention, getting the changes into prod in the store takes days) and I feel this needs to be enforced by snapd. At what priority should this be implemented? Who would pick up that work? (that can of course be discussed elsewhere).
@pedronis - specific to this request, how do you feel about the installation constraint? manual vs auto connect? How does that change if the above were implemented, if at all?
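The startup check suggested above (detect that the read was denied, notice that we are running as a snap, and tell the user the exact `snap connect` command) can be written in a few lines. This is an added example, not code from the post or from the sam-cli project; the plug name `personal-files` is an assumption standing in for whatever the snap's snapcraft.yaml actually declares, and `SNAP_NAME` is the environment variable snapd exports to snap processes.

```python
"""Startup check for a snap that reads ~/.aws via the personal-files interface.

Added example, not code from the post or from sam-cli. The plug name below is
an assumption; a real snap would use the plug name from its snapcraft.yaml.
"""
import os

# Assumed plug name for the personal-files interface (see the snapcraft.yaml
# plugs: section); adjust to the snap's declared plug.
PLUG_NAME = "personal-files"


def format_hint(path, snap_name):
    """Build the user-facing message for a denied read of `path`.

    Inside a snap, snapd exports SNAP_NAME, so the message can name the exact
    `snap connect` command the user has to run. Outside a snap (snap_name is
    None) there is no connection to suggest, so only the denial is reported.
    """
    if snap_name:
        return (f"Access denied to {path}. Please run: "
                f"sudo snap connect {snap_name}:{PLUG_NAME}")
    return f"Access denied to {path}."


def check_aws_dir(path="~/.aws", env=None):
    """Return None when `path` is readable, otherwise a message for the user.

    A missing directory is reported separately from a denied one: with the
    personal-files plug disconnected, the confinement profile rejects the read
    with EACCES, which Python surfaces as PermissionError, whereas a user who
    has simply never configured AWS credentials gets FileNotFoundError.
    """
    env = os.environ if env is None else env
    expanded = os.path.expanduser(path)
    try:
        os.listdir(expanded)
    except FileNotFoundError:
        return f"No AWS configuration found at {expanded}."
    except PermissionError:
        return format_hint(expanded, env.get("SNAP_NAME"))
    return None


if __name__ == "__main__":
    msg = check_aws_dir()
    if msg:
        raise SystemExit(msg)
    print("~/.aws is readable; continuing.")
```

Running this before the first credential read is what turns a confusing AWS SDK error into the one-line instruction the post describes, and it costs the snap nothing when the plug is already connected.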