Strict confinement, content interface, and cross-snap exec

Earlier this week I had a discussion with @jdstrand regarding the topic of cross-snap execs via the content interface. He suggested that I should create a post on the forum to share the details with the others in the community.

Here’s my original question:

I just spent a good chunk of time searching the forum for a post which covered a topic which involved two strictly confined snaps, with one snap (call it ‘a’) trying to exec an application shared via content interface by the the second snap (call is ‘b’). My recollection was that you replied in the thread saying that although this might be technically possible, it would result in the application from snap ‘b’ running under snap 'a’s confinement policy, and this wasn’t recommended. Does this ring a bell?

I couldn’t find the specific post, so wanted to check back with you to see what the official line on this is. The documentation for the content interface on the forum seems to suggest that this is an acceptable use case.

His answer to me (with minor edits):

It does. I think it may be in an old defunct mailing list. All of the above wrt snap a running snap b’s executable under snap a’s profile is correct. As for the recommendation, it all depends on how the content interface is setup and requires coordination between snap a and snap b.

Eg, for every dynamically linked binary in snap b, snap b could also ship the supporting libraries and expose them via the content interface in addition to the binary. snap a either has to update it’s LD_LIBRARY_PATH accordingly (this is what the desktop snapcraft part does) or snap b must provide wrappers for all those binaries where snap a calls the wrappers.

As for security policy, the file accesses within the content snap are all ok (snap b’s content is bind mounted into snap a’s area), but the executables in snap b may require more permissions (ie, more connected interfaces) than snap a has. Eg, if snap b shipped nmcli (and did one of the two things above), then snap a would need the network-manager interface connected for it to work.