Access to other commands

Zygmunt Krynicki zygmunt.krynicki at canonical.com
Thu Sep 15 12:00:48 UTC 2016


> On 15 Sep 2016, at 01:43, Leo Arias <leo.arias at canonical.com> wrote:
> 
> On 2016-09-07 19:31, Mark Shuttleworth wrote:
>>> 1) Is there some way I can be specifying a list of commands my snapped
>>> app is allowed to call?
>> You could. But I think there is a class of things that should be allowed
>> to integrate with the classic shell environment, which means they can
>> shell out to lots of things.
> 
> What about --devmode? Should devmode allow calls to all binaries in the
> $PATH?

As discussed a few times, this is technically challenging to do.

All of “classic” is visible from /var/lib/snapd/hostfs/ but there is no guarantee that you can run them in any way. They may require the classic dynamic linker, the classic runtime libraries and the classic filesystem layout that are all lost when snap-confine sets up the execution environment. If there’s desire to run executables from the outside, we could look for solutions, but this is not as simple as “just use devmode”.

Thanks
ZK




