Snapd-control and access to /var/lib/snapd/snaps folder


I was trying to access /var/lib/snapd/snaps from within a snap with the snapd-control interface and was denied permission. Is there a way to access the snaps in that folder (maybe with the mount-observe interface)?


There is currently not a way to access these snaps in strict mode. Can you describe why your application needs access to them?

Apologies for the delay, we need the access to verify the md5 of our private snap (which is not yet in the store).

The store supports the concept of developer signatures which is the designed method for ensuring the snap is unchanged. Of course, a snap cannot itself verify that the contents haven’t changed. It is possible that we could allow:

/var/lib/snapd/snaps/@{SNAP_NAME}_*.snap r,

This should allow you to read the snap to verify/copy somewhere else. You will need to know the revision of your snaps though since we intentionally don’t allow ‘r’ead on /var/lib/snapd/snaps/ since that would constitute an information leak on installed snaps and we try to avoid introducing these kinds of rules. Can you add the above to your apparmor profile in /var/lib/snapd/apparmor/profiles/snap.., then run sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.<your snap>.<your command> to load the change into the kernel, then report back if this works for you?

I forgot to mention that your snap can find this by looking at $SNAP_REVISION.
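As an added example (not code from the thread or from snapd), the following POSIX shell script shows what the rule above enables from inside the snap: it builds the path of the snap's own .snap file from the $SNAP_NAME and $SNAP_REVISION variables snapd exports, checks that the file is readable (i.e. that the AppArmor rule is loaded), and compares its md5 digest with an expected value. The SNAPS_DIR override is an assumption added so the script can be exercised against a constructed file outside /var/lib/snapd/snaps; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of snapd itself.
# Locate this snap's own .snap file (the only one the proposed rule
# "/var/lib/snapd/snaps/@{SNAP_NAME}_*.snap r," permits reading) and
# check its md5 digest.

# own_snap_path: print the path of the currently running revision's .snap.
# SNAPS_DIR is an assumed override for testing; snapd itself uses
# /var/lib/snapd/snaps and exports SNAP_NAME and SNAP_REVISION.
own_snap_path() {
  printf '%s\n' "${SNAPS_DIR:-/var/lib/snapd/snaps}/${SNAP_NAME:?}_${SNAP_REVISION:?}.snap"
}

# verify_snap_md5 <expected-md5>
# Exit status: 0 digest matches, 1 digest differs, 2 file not readable
# (typically the AppArmor rule is missing, or the revision is wrong).
verify_snap_md5() {
  expected="$1"
  path="$(own_snap_path)"
  if [ ! -r "$path" ]; then
    echo "cannot read $path (is the AppArmor rule loaded?)" >&2
    return 2
  fi
  actual="$(md5sum "$path" | cut -d' ' -f1)"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "md5 mismatch for $path: got $actual, expected $expected" >&2
  return 1
}

# Usage inside the snap, with the expected digest shipped alongside the app:
#   verify_snap_md5 "<expected md5 placeholder>" || exit 1
```

Because the check runs from inside the snap being checked, it only detects accidental corruption or a stale revision; as noted above, a snap cannot meaningfully attest to its own integrity, and the store's developer signatures are the designed mechanism for that.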

Thanks @jdstrand, adding the apparmor rule allowed the access to the /var/lib/snapd/snaps/*.snaps.

Ok, I’ll add the above rule to the default template in the next batch of updates.

Cool, thanks. Just for my clarification, so with these changes, a snap with snapd-control can read all the snaps in the /var/lib/snapd/snaps folder or only itself and its revisions?

I was going to add to the default template the ability to read one’s own snap. snapd-control would be untouched.