cannot use content interface with a snap in 'classic' confinement
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | Canonical System Image |
Medium
|
Pat McGowan | ||
| | Snappy |
Medium
|
Jamie Strandboge | ||
| | Ubuntu Terminal App |
Undecided
|
Unassigned | ||
Bug Description
If a snap uses 'classic' confinement, adding 'platform' to the plugs makes the snap non installable.
When installing the following apparmor related error is displayed:
| Adam Stokes (adam-stokes) wrote : | #2 |
Seeing the same issue, this is the branch im working from:
https:/
It could be I'm just doing something wrong so any advice is much appreciated
| Changed in snapd (Ubuntu): | |
| status: | Incomplete → New |
| Jamie Strandboge (jdstrand) wrote : | #3 |
Adam, you are using 'confinement: classic' and therefore have no need for 'plugs'. If you remove your plugs lines, I believe your snap will work. You should only use 'plugs' with 'confinement: devmode' and 'confinement:
| Jamie Strandboge (jdstrand) wrote : | #4 |
Florian, the comment to Adam applies to you also, sort of. In general you do not want to use 'plugs' with a 'confinement: classic' snap, but I can see a case of using the 'content' interface with classic in certain situations. For this, the classic apparmor e'x'ec policy needs to make room for the content e'x'ec policy.
| Jamie Strandboge (jdstrand) wrote : | #5 |
Looking at this more, I think there is enough information to fix this issue, but Florian, please provide a reproducer.
| Changed in snapd (Ubuntu): | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| summary: |
- cannot use the platform plug with a snap in 'classic' confinement + cannot use content interface with a snap in 'classic' confinement |
| affects: | snapd (Ubuntu) → snappy |
| Changed in snappy: | |
| assignee: | Jamie Strandboge (jdstrand) → nobody |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Zygmunt Krynicki (zyga) wrote : | #6 |
I think the key thing to notice is that when "confinement: classic" is used we don't process any content interface rules. There is no sharing (no mounting) happening as that would bleed into the host and thus to all the snaps as well (since they share /snap from the host).
| Jamie Strandboge (jdstrand) wrote : | #7 |
@Zygmunt, based on this, it sounds like snapd should refuse any interface connections when using classic and it should be documented that if when using 'confinement: classic', you may not use plugs or slots. snapcraft and the review tools can error in this case.
| Changed in canonical-devices-system-image: | |
| assignee: | nobody → Pat McGowan (pat-mcgowan) |
| importance: | Undecided → Medium |
| milestone: | none → p2 |
| status: | New → Confirmed |
| tags: | added: personal |
| Changed in ubuntu-terminal-app: | |
| status: | New → Invalid |
| Marco Trevisan (Treviño) (3v1n0) wrote : | #8 |
This doesn't seem to be the case anymore, at least when using classic with plugs in order to reuse content...
Maybe this should be addressed now though: https:/
Can you provide a snap/snapcraft.yaml that displays the problem?