Snapcraft.yaml permission and security policy

[Jamie Strandboge]

On Tue, 2016-02-09 at 22:14 +0700, Hunly Chheng wrote:
> Hi,
> 
> SInce I'm developing the snap app using the Go language based on
> Ubuntu
> Core 15.04 to access the bluetooth 4.0 device, Then I create the
> package.yaml for permission grant and security policy followed by
> snap
> guideline. So now I want to change to use the new snapcraft based on
> Ubuntu
> Core 16.xx. Could you please suggest me how to change those
> permission and
> security policy to new snapcraft.yaml and still be complied with the
> new
> snapcraft?
> 
There is some documentation for this, but it is very terse and there is
a bug[1] to fix this. I put in that bug steps to migrate. Also note
that the 'caps' available on 16.04 have changed and will likely change
again based on conversations regarding skills. Normally I would say to
use 'sudo snappy install snappy-debug && snappy-debug.security list -i'
to see what is available, but snappy is unable to find snappy-debug
atm[2].

To help unblock you, this is the current output (again, subject to
change):

$ snappy-debug.security list -i
...
 Templates: 
  default
  - Description: Allows access to app-specific directories and basic
runtime
  - Usage: common
  unconfined
  - Description: Allows unrestricted access to the system
  - Usage: reserved
 Caps: 
  container-management
  - Description: Can manage containers.
  - Usage: reserved
  desktop
  - Description: Can access non-hidden files in user's $HOME.
  - Usage: reserved
  display-server
  - Description: Can access the system as a display server.
  - Usage: reserved
  firewall-management
  - Description: Can configure firewall.
  - Usage: reserved
  locale-management
  - Description: Can manage locales directly separate from 'config
ubuntu-core'.
  - Usage: reserved
  mir-client
  - Description: Can access the Mir display server as a client
  - Usage: common
  - Usage to 'reserved' until we have seccomp arg filtering
implemented.
  network-client
  - Description: Can access the network as a client.
  - Usage: common
  network-listener
  - Description: Can access the network as a server.
  - Usage: common
  network-management
  - Description: Can configure networking.
  - Usage: reserved
  network-monitor
  - Description: Can query network status information.
  - Usage: reserved
  physical-memory-access
  - Description: Can access physical memory on the device.
  - Usage: reserved
  read-system-logs
  - Description: Can read system logs.
  - Usage: reserved
  snap-management
  - Description: Can use snapd.
  - Usage: reserved
  system-monitor
  - Description: Can query system status information.
  - Usage: reserved
  timeserver-management
  - Description: Can manage timeservers directly separate from config
ubuntu-core.
  - Usage: reserved
  timezone-management
  - Description: Can manage timezones directly separate from 'config
ubuntu-core'.
  - Usage: reserved
  unix-listener
  - Description: Can access the UNIX sockets as a server.
  - Usage: common
  update-schedule-management
  - Description: Can manage deferrals of snap updates.
  - Usage: reserved

[1]https://bugs.launchpad.net/snappy/+bug/1543220
[2]https://bugs.launchpad.net/snappy/+bug/1543731

-- 
Jamie Strandboge             | http://www.canonical.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/snappy-app-devel/attachments/20160209/0d731f24/attachment.pgp>