Support snap installed completion scripts
Bug #1590767 reported by
Martin Lund
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Snapcraft |
Fix Released
|
Wishlist
|
Sergio Schvezov | ||
snapd |
Fix Released
|
High
|
John Lenton |
Bug Description
I have just published a new snap named "tio" which includes a bash completion script but the completion script is not picked up on and enabled by the system once installed.
The completion script gets installed in /snap/tio/
This of course differs from the conventional install location and hence the script is not sourced.
How do we safely enable sourcing of snap installed bash completion scripts?
tags: | added: snapd-interface |
Changed in snappy: | |
importance: | Undecided → Wishlist |
status: | New → Confirmed |
tags: | added: isv |
affects: | snappy → snapd |
Changed in snapd: | |
status: | Confirmed → In Progress |
importance: | Wishlist → High |
assignee: | nobody → John Lenton (chipaca) |
Changed in snapcraft: | |
assignee: | nobody → Sergio Schvezov (sergiusens) |
milestone: | none → 2.33 |
status: | Triaged → In Progress |
Changed in snapcraft: | |
status: | In Progress → Fix Committed |
Changed in snapcraft: | |
status: | Fix Committed → Fix Released |
Changed in snapd: | |
status: | In Progress → Fix Released |
To post a comment you must log in.
This is a very interesting problem since the supplied completion script is a *script* that runs in the user's unconfined login session. Automated reviews I don't think would be possible store side and so I think the only way to pull this off would be to somehow run the script itself confined. Confining scripts is tricky though since the 'source' command only requires 'r'ead on the file and not e'x'ecute.
OTOH, it might be worth exploring if the completion scripts were installed (or symlinked, etc) into /var/lib/ snapd/bash- completion (or something), modify bash to fork/exec a helper (eg, snap-completion) that runs under strict confinement and feeds back the strings to bash. I'm not familiar with the internals of how bash performs completion, but something along these lines should provide the desired security. Of course open to other suggestions (especially from someone more knowledgeable in bash completion :).