Add support for confinement property

Should be resolved with: https://github.com/ubuntu-core/snapcraft/pull/501

How is this intended to be used? Does the resulting snap.yaml have anything that tells 'snap install' to put into --devmode? If so, I don't see how this doesn't reintroduce "unconfined" which is something Gustavo said should not be supported.

@jamie - The snap cannot instruct `snap install` to implicitly install itself in devmode. The user still has to use `snap install --devmode`.

> Does the resulting snap.yaml have anything that tells 'snap install' to put into --devmode?

Sort of-- it does indeed get the "confinement" property, but its purpose will be so the snap can say "Hey, I ONLY work if I'm in devmode" in which case the snap command can say "Hey, you're trying to install a snap that requires devmode. Try using --devmode" (just as an example).

Adding the review tool since it probably requires changes to handle this new property.

I worked on this last week. It is in yakkety, working through SRU in xenial and the store guys will pull it in this week.

Hello Kyle, or anyone else affected,

Accepted click-reviewers-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/click-reviewers-tools/0.43~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

This bug was fixed in the package snapcraft - 2.9+16.10

---------------
snapcraft (2.9+16.10) yakkety; urgency=medium

  [ Leo Arias ]
  * autopkgtests: run the install examples tests in classic. (#481)
    (LP: #1572764)

  [ Matteo Bertini ]
  * Fix typo in description of the python3 example. (#504)

  [ Jamie Bennett ]
  * Documentation: Use plugs instead of caps. (#507)

  [ Chris Wayne ]
  * Add in bash completion. (#453) (LP: #1570506)

  [ Sergio Schvezov ]
  * Fail validation if plugs or slots are declared at the part level (#514)
    (LP: #1581166)

  [ Kyle Fazzari ]
  * Make pull and build steps dirty if target arch changes. (#450)
    (LP: #1564192)
  * Add support for the confinement property. (#501) (LP: #1580819)
  * Add support for the epoch property. (#502) (LP: #1581113)

 -- Sergio Schvezov <email address hidden> Tue, 24 May 2016 23:32:11 -0300

Hello Kyle, or anyone else affected,

Accepted snapcraft into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapcraft/2.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Verified that 'confinement: strict' properly errors with 'plugs: [ network-control ]':
Errors
------
 - security-snap-v2:plug_safe:network-control:network-control
 reserved interface 'network-control' for vetted applications only

and that 'confinement: devmode' shows no error with 'plugs: [ network-control ]'

This bug was fixed in the package snapcraft - 2.9

---------------
snapcraft (2.9) xenial; urgency=medium

  [ Leo Arias ]
  * autopkgtests: run the install examples tests in classic. (#481)
    (LP: #1572764)

  [ Matteo Bertini ]
  * Fix typo in description of the python3 example. (#504)

  [ Jamie Bennett ]
  * Documentation: Use plugs instead of caps. (#507)

  [ Chris Wayne ]
  * Add in bash completion. (#453) (LP: #1570506)

  [ Sergio Schvezov ]
  * Fail validation if plugs or slots are declared at the part level (#514)
    (LP: #1581166)

  [ Kyle Fazzari ]
  * Make pull and build steps dirty if target arch changes. (#450)
    (LP: #1564192)
  * Add support for the confinement property. (#501) (LP: #1580819)
  * Add support for the epoch property. (#502) (LP: #1581113)

 -- Sergio Schvezov <email address hidden> Tue, 24 May 2016 23:32:11 -0300

The verification of the Stable Release Update for snapcraft has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package click-reviewers-tools - 0.43~14.04.1

---------------
click-reviewers-tools (0.43~14.04.1) xenial-proposed; urgency=medium

  [ Jamie Strandboge ]
  * sr_lint.py:
    - kernel snaps may have external symlinks
    - handle top-level plugs and slots with yaml data as 'null' (LP: #1579201)
    - add epoch checks (LP: #1583298)
    - .pyc are arch-independent, so don't complain about them
    - add confinement checks (LP: #1580819)
  * data/apparmor-easyprof-ubuntu.json:
    - add opengl interface as 'common' (LP: #1572140)
    - add reserved bluez, network-manager and location-observe interfaces
  * sr_security.py:
    - remove last reference to 'cap'
    - turn resquash test into info for now until the squashfs-tools bugs are
      fixed and this is a reliable check
  * when 'confinement' is 'devmode', override the result type to 'info'
    - common.py: add override_result_type to allow in support of 'confinement'
      overrides
    - sr_common.py: add _devmode_override()
    - sr_security.py: use override_result_type if in devmode
    - LP: #1584231

 -- Jamie Strandboge <email address hidden> Fri, 20 May 2016 16:06:55 -0500