I would like to request classic confinement for my snap uaudit-ci.
This is a tool to run static security scanners on a local codebase or a ci environment. For example, it would run cppcheck on a selected directory and generate a security report of the findings. It therefore needs read access to files and directories in /home. I believe this should fall into one of the supported categories of classic confinement.
Thanks for reviewing.
Hi @flor-cabral .
You mean even the hidden files/directories ?
It might help to state which one exactly you think it fits in, so the reviewers do not need to guess …
@baldeuniversel It needs access to any files the user wants to scan. Hidden files are not the evident use case.
debug tools category might be a good fit.
Okay @flor-cabral .
Let’s ask the @review-team .
Even if uaudit may fit a supported category for classic (let’s skip this discussion for now), I think it may also run under confinement.
You can easily get read access to files and directories in /home (excluding hidden directories) from a strictly confined snap by plugging the home interface. Please, let me know if there is any reason why it would not work in you scenario.
We actually request classic confinement because this project makes use of LXD / multipass as virtualisation backends. If it was only for home access we could indeed use the home plugin but there is more to it.
At least lxd has a snap interface that gives your app access to the REST socket… especially for this use case, not sure if multipass provides something similar though (but that could surely be added if missing)
As @ogra said, lxd and multipass-support insterfaces should help here
@artivis @flor-cabral Did you have a chance to try using the
lxd interface? Unfortunately, I don’t think
multipass-support is suitable since that is designed for the multipass snap itself.
However, from what I understand
uaudit-ci appears to have a requirement for classic confinement as it needs to execute arbitrary binaries from the host and it appears to fit within the supported category of
compilers or perhaps
Debug tools etc - but since it is preferable for snaps to be strictly confined AND it appears that might be possible in this case, we would prefer that you try this first.
Please let me know how you go. Thanks.
Thanks all for your replies.
We will close this request for the time being and evaluate the options you pointed out.