System-files request for Typora snap app

Dear @reviewers,

Typora allows users to run custom scripts to export files, upload images, etc. So we want to have read and execute access to /usr/bin and /usr/local/bin, and therefore added the system-files plug for this purpose. Please review it.

The YAML file is at https://github.com/typora/typora-snap/blob/master/snap/snapcraft.yaml

If any other information is needed, please let me know. Thanks in advance.

system-files does not provide execute access - so this is not possible. The only way to have a snap execute binaries already present on the host system is via classic confinement - however a snap must be granted an exception to use this via following the Process for reviewing classic confinement snaps - also note that there are a number of downsides to using classic confinement as well:

  • classic snaps can be brittle since they run in the global mount namespace as opposed to the strict/devmode runtime environment whose rootfs is a base snap. While the snap is built with a base in mind, its binaries or environment variables are adjusted to point into the snap where the host’s filesystem is fully available, which can lead to problems cross-distro, running host commands with the environment variables set, etc
  • classic confinement is not available to Ubuntu Core and therefore the snap would be unavailable to all-snaps devices

Thanks for the reply.

system-files does not provide execute access - so this is not possible.

  • Do you have plans to support execute access for snap apps? I think that will be useful. And system-files already provides “write” access which would be even stronger than “execute” in some way.

users must specify --classic when using snap install to install a snap using classic confinement

  • If a user installs without the --classic flag, does it mean the snap is successfully installed in non-classic mode? And what if we already have some users, can they upgrade to the classic mode version successfully?

well, nobody would ever grant you write access to /usr/bin, this is why the human review process exists :wink:

no, snapd will simply refuse to install this snap … classic is a build time thing, if a snap is built for classic the user needs to explicitly grant that full and insecure access at install time, this is why the switch exists …

Hi, so does the snap community plan to support execute access for binaries in a certain system location or whitelist? That will be useful.

And what if we already have some users, can they upgrade to the classic mode version successfully?

No, there are no plans to support execute for existing binaries on the system - a snap instead should either ship the various binaries it requires or perhaps use the Process for reviewing classic confinement snaps to request classic confinement.

Because classic confinement removes all confinement from the snap, users will not be automatically upgraded to this version - instead they would have to manually refresh the snap (snap refresh --classic typora or similar) so they can opt-in to this reduction in security.

Hey @ilchenearly,

Did you check if Typora could ship the binaries it needs to execute and stay under strict confinement?

Thanks!

@ilchenearly - ping, can you please provide the requested information?

It would stay under confinement since making it classic seems complicated for end users.

@ilchenearly hey,

So iiuc this request can be closed. Is there anything else that we can help with? Thanks!