Hi!
I belive that nsntrace needs classic confinement because it traces the network activity of applications, and we cannot know the confinement needs for arbitrary binaries being traced.
Review of nsntrace snap here: https://dashboard.snapcraft.io/snaps/nsntrace/revisions/1/review/
See more about nsntrace here: https://github.com/nsntrace/nsntrace
Thank you!
The nsntrace application runs arbitrary applications in a separate network namespace in order to trace the network activity of that application.
@review-team is there anymore information you need in order to make a decision?
Best regards
Jonas
Hey @jonasdn, apologize for the late response.
If you take a look at our Process for reviewing classic confinement snaps, the need to launch arbitrary applications is not generally considered a supported use-case for classic confinement. So unfortunately this request cannot proceed as it is. You could ship any application (e.g. stage-package) in your snap but I assume this is not a valid scenario given what you have explained. Can you please confirm?
Hi @emitorino, I think that nsntrace fits into the class of utilities such as compilers/IDE’s, similar to my application etrace which was granted classic confinement usage, as per Jamie’s logic:
most notably that the snap can’t reasonably do its analysis while running under a strict mode runtime (needs access to host files).
As such, I think nsntrace should be granted classic confinement
@ijohnson hmm that is an interesting data-point - our current guidelines for classic confinement list the following categories:
In this case, nsntrace doesn’t appear to fit into one of these categories. I was going to suggest that it perhaps could be seen as something like a tool for local, non-root user driven configuration of/switching to development workspaces/environments since it switches to a new network namespace / environment to run the application. However, when I try and run the nsntrace deb it wants root privileges - I assume the snap is the same. In this case, it fails the non-root user driven part of that category.
In regards to etrace I feel that perhaps this did not fit the existing categories for classic confinement and so I wonder if @pedronis could comment on whether we need an additional explicit category for Tracing / development tools that wrap existing host binaries since to me the concept of IDE/compiler is perhaps a bit too limiting to cover this.
well, should that perhaps be extended to “compilers and debug tools” (which a tracing tool most likely fits into) ?
Yes I think this would make for a nice succinct definition - @pedronis thoughts?
I think it’s fine to add a debug tools category with the following understanding:
Since we have agreed on extending the compilers supported categories to: “compilers and debug tools”, then the requirements are understood. @advocacy could you please proceed with the publisher vetting process?
Thanks!
I have updated the process doc with the above suggestion:
well, should that perhaps be extended to “compilers and debug tools” (which a tracing tool most likely fits into) ?
Please @reviewers, @pedronis take a look and let me know if you have any questions.
Thanks!
Thanks, I split them out in their own category though. We might have to clarify some recommendations for them that are not shared with compilers themselves.
@jonasdn does nsntrace have an official webpage (or is the GH page the official one)?
Hi!
The GitHub page is the official page!
Regards
Jonas
@Igor could you please perform publisher vetting since @jonasdn confirmed the GitHub page is the official site for nsntrace?
Sorry for the belated reply. +1 from me, I’ve checked and vetted the publisher.
Granting use of classic. This is now live. @jonasdn could you please either request a manual review or upload a new revision so review-tools can run automatically again and your snap can be published? Thanks!
