The right way to start another app inside the same snap

Hello everyone. I'm currently working on creating a Snap package for our project:

The problem I have is that we have 3 apps in our Snap and they basically start each other. First you optionally start vcmilauncher, then it starts vcmiclient, and when you start a game the client starts vcmiserver. Obviously the server, client and launcher all need their own capabilities, but since we use QProcess or std::system, the started process inherits the AppArmor profile as well. Currently I just added all the plugs needed for both server and client to vcmilauncher, and those needed for the server to vcmiclient.

apps:
  vcmilauncher:
    command: desktop-launch $SNAP/game/vcmilauncher
    plugs:
      - unity7
      - network
      - opengl
      - x11
      # For client
      - pulseaudio
      - alsa
      # For server
      - network-bind
  vcmiclient:
    command: desktop-launch $SNAP/game/vcmiclient
    plugs:
      - network
      - opengl
      - pulseaudio
      - alsa
      - x11
      # For server
      - network-bind
  vcmiserver:
    command: desktop-launch $SNAP/game/vcmiserver
    plugs:
      - network
      - network-bind

Is there a better way to handle this? I'd really appreciate some advice. Thanks!

No, I think that's really the best way at the moment. Each app may have its own permissions, and that's better security-wise as you pointed out, but those are valid for the application itself and for everything else that the application starts, so in the case of chaining the first application must have enough permissions for the second one to run.

We’ll likely revisit this at some point to allow further confinement, but that’s not in the roadmap at this time.

1 Like
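Two checks that make the rule from the question and the answer above concrete: the spawned child really does run under the parent's AppArmor profile, and therefore each app's plug list has to be the union of its own plugs and those of every app it can reach through the spawn chain. This is an added example, not code from the thread or from the VCMI project. It assumes the spawn chain vcmilauncher -> vcmiclient -> vcmiserver described above, uses Python's subprocess as a stand-in for QProcess/std::system, and reads the label from /proc the same way ps -Z does; the plug sets are constructed from the snapcraft.yaml in the question with the "for client"/"for server" entries removed.

```python
"""Checks for the "chained apps share one AppArmor profile" rule.

Added example, not code from the thread or from VCMI. It assumes the spawn
chain launcher -> client -> server described in the question and uses
Python's subprocess as a stand-in for QProcess/std::system.
"""
import subprocess
import sys

# Where the kernel exposes a process's AppArmor label; newer kernels add the
# LSM-specific path, older ones only have the generic one.
_LABEL_PATHS = ("/proc/{pid}/attr/apparmor/current", "/proc/{pid}/attr/current")


def apparmor_label(pid="self"):
    """Return the AppArmor label of a process, e.g. 'snap.vcmi.vcmilauncher (enforce)'.

    Returns 'unconfined' when no label can be read (no AppArmor on this kernel,
    a non-Linux host, or an attr file that errors out), so it is safe to call
    anywhere.
    """
    for template in _LABEL_PATHS:
        try:
            with open(template.format(pid=pid), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        label = raw.rstrip(b"\x00\n").decode("utf-8", "replace").strip()
        if label:
            return label
    return "unconfined"


def spawn_and_compare():
    """Spawn a child and return (parent_label, child_label, same_profile).

    Under snap confinement both labels read 'snap.<name>.<app> (enforce)':
    the child is executed with an inherit transition, so it never gets a
    profile of its own. Outside confinement both read 'unconfined'.
    """
    parent = apparmor_label("self")
    # Keep the child alive long enough to read its /proc entry from here.
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"])
    try:
        child_label = apparmor_label(child.pid)
    finally:
        child.terminate()
        child.wait()
    return parent, child_label, parent == child_label


def required_plugs(own_plugs, spawns):
    """Compute the plugs each app must declare given what it spawns.

    own_plugs: {app: set of plugs the app needs for itself}
    spawns:    {app: [apps it starts]}  (cycles are tolerated)
    Because a spawned child runs under the parent's profile, an app needs the
    union of its own plugs and those of everything reachable from it.
    """
    result = {}
    for app in own_plugs:
        needed, seen, stack = set(), set(), [app]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            needed |= own_plugs.get(cur, set())
            stack.extend(spawns.get(cur, ()))
        result[app] = frozenset(needed)
    return result


# The three apps from the thread with only the plugs each needs for itself
# (constructed from the snapcraft.yaml in the question, "for client"/"for
# server" entries removed).
VCMI_OWN_PLUGS = {
    "vcmilauncher": {"unity7", "network", "opengl", "x11"},
    "vcmiclient": {"network", "opengl", "pulseaudio", "alsa", "x11"},
    "vcmiserver": {"network", "network-bind"},
}
VCMI_SPAWNS = {"vcmilauncher": ["vcmiclient"], "vcmiclient": ["vcmiserver"]}


if __name__ == "__main__":
    for app, plugs in sorted(required_plugs(VCMI_OWN_PLUGS, VCMI_SPAWNS).items()):
        print(f"{app}: {' '.join(sorted(plugs))}")
    parent, child, same = spawn_and_compare()
    print(f"parent={parent!r} child={child!r} same_profile={same}")
```

Run it on the host and both labels come back unconfined; run it from a shell under the app's own profile (snap run --shell <snap>.vcmilauncher, assuming python3 is reachable from there) and both labels come back as that app's snap profile, which is the inheritance the answer describes. The computed plug lists reproduce the ones in the question's snapcraft.yaml, so this is also a quick way to regenerate them if the spawn chain or an app's own needs change.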

Thanks for the reply!

I mainly ask since I worked with AppArmor in the past and, as far as I remember, it's possible to run child processes with their own profiles. I hope you'll eventually improve this.