[revoked] Requesting classic confinement for `sam-cli`


#21

That looks like something fishy is going on. What is the output of the snap version command in a terminal?


#22
$ snap version
snap    2.38-1
snapd   2.38-1
series  16
arch    -
kernel  5.0.4-arch1-1-ARCH

#23

/cc @zyga @mborzecki Can you shed some light on this one?


#24

Also the output of snap debug sandbox-features would be nice.


#25

Sure

apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial
confinement-options:  classic devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 tagging

#26

oookay so I’m guessing the fact that strict isn’t listed in confinement-options is a concern…

Although I have plenty of strictly confined snaps installed so… like I said, I’m quite new to this :frowning:


#27

AFAICT confinement is only partially working under Arch; this means you may find something not confined as expected.

So, are the files under $HOME/.aws accessible under the snap run --shell environment?


#28

Ok so that’s not so bad. I think I can get this snap working once I’ve got $HOME pointing to the real home :slight_smile: I’ll let you know soon!


#29

Ok, I’ve got it working, thanks for the help!

Here’s the snapcraft.yaml if you care to provide any feedback: https://github.com/stilvoid/aws-sam-cli/blob/add-snapcraft/snap/snapcraft.yaml

I cancel my request for classic confinement :smiley:


#30

test it on a distro that supports strict confinement though :slight_smile:


#31

Reading through this thread, it seems that use of personal-files for read-only access to ~/.aws should probably at least be granted a snap declaration for installation. I’m not sure yet if this interface should be auto-connected (~/.aws can contain some pretty sensitive data that could cost people money if the data were stolen). That said, please continue working through making your snap function in strict mode and report back if you want to change your request from a request for classic to one of using personal-files.

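For reference, this is what a strict-mode snapcraft.yaml fragment declaring read-only personal-files access to ~/.aws looks like. It is an added example, not the project's own snapcraft.yaml linked above; the plug name `dot-aws`, the app name `sam`, the command path and the part definition are assumptions chosen for illustration.

```yaml
# Added example (not the project's snapcraft.yaml). Plug name, app name,
# command and part are assumptions; only the interface syntax is snapd's.
name: sam-cli
base: core18
summary: AWS SAM CLI (example packaging)
description: Example strict-mode packaging declaring read-only access to ~/.aws.
grade: stable
confinement: strict   # no classic confinement requested

plugs:
  # personal-files grants access to specific paths in the user's real home.
  # $HOME here is expanded by snapd to the real home directory, not to the
  # snap-specific $HOME the app sees at run time. Listing ~/.aws under
  # "read" (not "write") keeps the grant read-only.
  dot-aws:
    interface: personal-files
    read:
      - $HOME/.aws

apps:
  sam:
    command: bin/sam          # assumed command path inside the snap
    plugs:
      - home                  # ordinary non-hidden files in $HOME
      - network               # talks to AWS endpoints
      - dot-aws               # the personal-files plug declared above

parts:
  sam-cli:
    plugin: python            # assumed build part; details are hypothetical
    python-version: python3
    python-packages:
      - aws-sam-cli
```

Because personal-files is not auto-connected without a store declaration, after installing the snap the user (or a granted declaration) has to connect it: `snap connect sam-cli:dot-aws`. To verify the grant from inside the sandbox, run `snap run --shell sam-cli.sam` and then `ls -la "$SNAP_REAL_HOME/.aws"`; inside that shell $HOME points at the snap's own home directory, while SNAP_REAL_HOME carries the real one. Note that on a host where `snap debug sandbox-features` does not list `strict` under confinement-options, the check proves nothing, since the read restriction is not enforced there.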

#32

I’m sorry, I missed that you revoked this request and requested personal-files in Requesting auto-connection of personal-files to sam-cli. I’ll respond over there.


#33