I installed Riot snap and disabled the access to home dir, but when I try to attach a file from Riot, it still can access all dirs.
@popey any ideas?
What OS are you on? Can we please see the output of snap version? Also, snap info riot-web.
snap version
snap 2.44.3+20.04
snapd 2.44.3+20.04
series 16
ubuntu 20.04
kernel 5.4.0-25-generic
snap info riot-web
name: riot-web
summary: Communicate the way you want with Riot
publisher: Alan Pope (popey)
store-url: https://snapcraft.io/riot-web
license: unset
description: |
Liberate your communication
Communicate the way you want with Riot - a universal secure chat app entirely under your control.
Riot supports video calling, but the `camera` interface is disabled by default. If you wish to
enable the camera in the Riot snap, after installation issue the following command in a terminal:
`snap connect riot-web:camera`
This snap is an unofficial package built with ❤️ from the upstream source code at
https://github.com/vector-im/riot-web/
commands:
- riot-web
snap-id: ppwbQJObqn9UBRDDB7IxbwoT3gaSUVHr
tracking: latest/stable
refresh-date: 21 days ago, at 11:56 CEST
channels:
latest/stable: 1.5.15 2020-04-01 (76) 69MB -
latest/candidate: ↑
latest/beta: 1.5.15 2020-04-01 (76) 69MB -
latest/edge: 1.6.0-rc.3 2020-04-17 (95) 69MB -
installed: 1.5.15 (76) 69MB -
Can you show somehow that it has access to home? What’s the effect?
I created a test file in /home/user/tmp/riottest and I was able to upload it from riot
What’s the output of snap connections riot-web?
snap connections riot-web
Interface Plug Slot Notes
audio-playback riot-web:audio-playback :audio-playback -
browser-support riot-web:browser-support :browser-support -
camera riot-web:camera - -
content[gnome-3-28-1804] riot-web:gnome-3-28-1804 gnome-3-28-1804:gnome-3-28-1804 -
content[gtk-3-themes] riot-web:gtk-3-themes gtk-common-themes:gtk-3-themes -
content[icon-themes] riot-web:icon-themes gtk-common-themes:icon-themes -
content[sound-themes] riot-web:sound-themes gtk-common-themes:sound-themes -
desktop riot-web:desktop - -
desktop-legacy riot-web:desktop-legacy - -
gsettings riot-web:gsettings :gsettings -
home riot-web:home - -
network riot-web:network :network -
opengl riot-web:opengl :opengl -
pulseaudio riot-web:pulseaudio - -
unity7 riot-web:unity7 :unity7 -
wayland riot-web:wayland :wayland -
x11 riot-web:x11 :x11 -
I can’t reproduce that here.
Touched a file in /home/alan/tmp/testfile
snap disconnect riot-web:home
Launched riot-web
Attach a file to the conversation
File dialog is greyed out, can’t see anything in home.
Are you sure that testfile is in home and not inside snap/riot-web/current or similar?
yeah pretty sure
I’ll set up a fresh VM soon and try to reproduce.
BTW on this machine chrome and firefox also have home dir access disabled and it works as expected.
Strange, on a fresh VM it worked as it should. Not sure how I could troubleshoot further on my laptop.
Can you post the /var/lib/snapd/apparmor/profiles/snap.riot-web.riot-web file somewhere? Also, please post the output of snap debug sandbox-features.
OK, here are some more details:
After snap disconnect riot-web:home, running /snap/bin/riot-web doesn’t start Riot at all, with no output in the terminal. The only way to start it is via /snap/riot-web/current/riot-web, and then the home dir is accessible.
I see this in syslog when I try /snap/bin/riot-web with access to the home dir disabled:
Apr 29 13:15:38 computer kernel: [ 952.843071] audit: type=1400 audit(1588158938.982:6370): apparmor="DENIED" operation="open" profile="snap.riot-web.riot-web" name="/home/user/Documents/" pid=29095 comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
I wonder why it tries to access home dir on start
snap debug sandbox-features
apparmor: kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options: classic devmode strict
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev: device-cgroup-v1 device-filtering tagging
apparmor profile is huge, are you sure you need all of it?
hm, one more interesting thing is that if I log in as a fresh user on my laptop, everything works as expected
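Added example, not code from this thread, from snapd or from the riot-web snap: a small offline check that reads the two artefacts posted above, the snap connections table and kernel AppArmor audit lines, and reports whether the home plug is disconnected and whether the snap's profile was actually denied on a path under /home. A DENIED line from profile snap.riot-web.riot-web on a /home path is evidence that confinement is being enforced for the process started via /snap/bin; a binary started directly from /snap/riot-web/current/ runs outside that profile, so no denials appear and $HOME stays reachable. The sample inputs are constructed: the connections rows and the first syslog line are taken from the thread, the other two syslog lines are made up to exercise the filters. Function names are my own.

```python
"""Offline check of snap confinement from two artefacts captured in this thread.

Added example for the discussion above; not code from snapd or the riot-web snap.
Sample inputs are constructed: the connections rows and the first syslog line are
from the thread, the other two syslog lines are made up to exercise the filters.
"""
import re

# Constructed sample: a subset of `snap connections riot-web` as posted above.
CONNECTIONS_OUTPUT = """\
Interface Plug Slot Notes
browser-support riot-web:browser-support :browser-support -
camera riot-web:camera - -
home riot-web:home - -
network riot-web:network :network -
x11 riot-web:x11 :x11 -
"""

# Constructed sample syslog lines: the posted denial, a made-up denial outside
# $HOME, and a made-up ALLOWED event from a different profile.
SYSLOG_LINES = [
    'Apr 29 13:15:38 computer kernel: [  952.843071] audit: type=1400 '
    'audit(1588158938.982:6370): apparmor="DENIED" operation="open" '
    'profile="snap.riot-web.riot-web" name="/home/user/Documents/" pid=29095 '
    'comm="head" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Apr 29 13:15:39 computer kernel: [  953.100000] audit: type=1400 '
    'audit(1588158939.100:6371): apparmor="DENIED" operation="open" '
    'profile="snap.riot-web.riot-web" name="/etc/shadow" pid=29095 '
    'comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Apr 29 13:15:40 computer kernel: [  954.000000] audit: type=1400 '
    'audit(1588158940.000:6372): apparmor="ALLOWED" operation="open" '
    'profile="snap.other.other" name="/home/user/x" pid=100 '
    'comm="x" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

# key=value or key="quoted value" pairs as they appear in kernel audit records
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def disconnected_plugs(connections_output):
    """Plug names whose Slot column is '-', i.e. interfaces not connected."""
    plugs = []
    for row in connections_output.splitlines()[1:]:  # skip the header row
        parts = row.split()
        if len(parts) < 4:
            continue
        plug, slot = parts[1], parts[2]
        if slot == "-":
            plugs.append(plug.split(":", 1)[1])
    return plugs


def parse_apparmor_event(line):
    """Parse one audit line into a dict of fields; None if not an AppArmor event."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}


def home_denials(lines, profile, home="/home"):
    """(path, comm, denied_mask) for DENIED events from `profile` under `home`."""
    prefix = home.rstrip("/") + "/"
    hits = []
    for line in lines:
        ev = parse_apparmor_event(line)
        if not ev or ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        path = ev.get("name", "")
        if path == home or path.startswith(prefix):
            hits.append((path, ev.get("comm"), ev.get("denied_mask")))
    return hits


def confinement_verdict(connections_output, lines, snap, app):
    """Combine both signals. Profile names follow snapd's snap.<snap>.<app> scheme."""
    profile = f"snap.{snap}.{app}"
    if "home" not in disconnected_plugs(connections_output):
        return "home-connected"      # $HOME access is expected
    if home_denials(lines, profile):
        return "enforced"            # disconnected and the kernel is denying /home
    # Disconnected but no denials: the app either never touched $HOME or was
    # started outside the profile (e.g. directly from /snap/<snap>/current/).
    return "not-exercised"


if __name__ == "__main__":
    print("disconnected:", disconnected_plugs(CONNECTIONS_OUTPUT))
    for hit in home_denials(SYSLOG_LINES, "snap.riot-web.riot-web"):
        print("denied:", hit)
    print(confinement_verdict(CONNECTIONS_OUTPUT, SYSLOG_LINES, "riot-web", "riot-web"))
```

On a real machine, feed the output of snap connections riot-web and the kernel log (journalctl -k, or /var/log/syslog as in the thread) into the same functions; a "not-exercised" verdict while the app can still read $HOME is the signature of a binary launched outside its snap profile rather than of a broken interface.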
This bypasses all confinement and snap features. You effectively run this as yourself on your machine.
yes, I guess that was the case.
All in all, something is wrong with my account on my laptop. In order not to waste anyone’s time, I created a new account and everything works fine there.