Snapcraft: Add a caveat for setpriv #93
Comments
akcano
changed the title
|
Hello, @akcano! I would like to help with this issue. I have already taken a look at the background and I was able to reproduce the removal of I wondered whether it would be worth providing readers with a possible workaround, for example an additional part that runs after Another option would be to update the override-prime: |
set -eux
# Set SNAPS to a space separated list comprising the name of the base snap
# and the name of each content snap that your snap is connected to
# (e.g. "core22 gtk-common-themes gnome-42-2204")
SNAPS="core22"
# Set WANTED to a space separated list comprising the name (without path) of
# each file that needs to be kept in the snap (e.g. "setpriv whoami")
WANTED="setpriv"
wanted_opts=""
for item in $WANTED; do wanted_opts+=" -not -name $item"; done
for snap in $SNAPS; do
cd "/snap/$snap/current" && find -L . -type f,l $wanted_opts -exec rm -f "$CRAFT_PRIME/{}" \;
doneI have a few other changes in mind (e.g. removing empty directories, broken symlinks and unnecessary files from $CRAFT_PRIME/usr/share) but I have left these out for now. What do you think? If you agree that it would be worth pursing, then I assume that it would be best for me to raise this on the Snapcraft forum - perhaps as a new thread for greater visibility - and allow some time for comments. I'm happy to keep working on this as needed. On a separate point, would also it be worth updating the System usernames page to refer to |
|
Hi @userMaximilian, Thank you for your participation! Step by step: Workaround for System usernames page: I would suggest opening a new CODA issue ticket for that in this repo, otherwise it's a great idea. Looking forward to your contributions! |
|
Thanks, @akcano! I will make a start on this shortly. |
|
Hi @akcano, As a quick update:
|
|
Hi, @userMaximilian ! Thanks for getting back with an update, much appreciated. I think there's no need for interim postings to avoid propagating potentially suboptimal solutions. |
|
Thanks, @akcano! I'll report again once I have any further updates - hopefully in the next week or two. |
|
Hi @akcano, This is just another brief update about the I haven't received any community feedback that specifically addresses the proposed workarounds/solutions mentioned in my forum post. The thread has been inactive for five weeks, so I doubt that I'm going to receive any further comments unless someone specifically searches for it. I also haven't received any responses to my bug report about enabling access to Given your earlier comment about wanting to "avoid propagating potentially suboptimal solutions", I think it might be worth waiting a bit longer to see what happens with the PR. What do you think? |
|
ETA: I suspect I am actually mistaken... I'll need to consult with Callahan but I guess overrides now set I like your suggestion to extend the base apparmor profile; this would save some of my snaps a lot of extra effort getting |
|
hi @userMaximilian ! sorry, took me a while. I'll ask around about the PR, thanks for bringing this to my attention. |
Update the following guides:
Reducing the size of desktop snaps (also, the in-page link to this anchor needs fixing)
System usernames
Background
The documentation suggests using the
cleanuppart, but does not fully warn about the potential problems of using it. For instance, when using setpriv, setpriv may end up being removed from a snap's prime even though it's a part of the core20 image. A similar issue was reported in the Snapcraft forum.Prerequisites
Familiarity with Snapcraft or snaps is needed to understand the content and test any conjectures. The documentation is Discourse-hosted, so some experience with Discourse is also a plus.
The text was updated successfully, but these errors were encountered: