Snappy Confinement and AppArmor

Alexander Sack asac at
Wed Feb 25 14:34:24 UTC 2015

On Wed, Feb 25, 2015 at 10:37 AM, Mark Shuttleworth <mark at> wrote:
> On 23/02/15 11:17, Oliver Grawert wrote:
>> $SNAPP_APP_USER_DATA_PATH though beware ! if your app runs as root
>> this will be /root/apps/<pkgname>/ by default.
> Something in me is as allergic to /root/<app>/ as it is to
> /home/ubuntu/<app>.
> Would it make sense to make the home directory for the app point to
> /var/lib/apps/<package> when running as root? My rationale would be that
> anything which is running as a service and writing data that is not
> user-specific should be doing so in /var/lib/apps/<app>/. This is
> equally true for a service running as a non-root, but non-real user, to
> the extent we want to enable those.

Right now we have APP_DATA_PATH which points to exactly that place in
/var/lib/apps/APP/. This is where global services are supposed to put
their global data.

APP_USER_DATA_PATH is only supposed to be used for cases where an app
wants to store stuff that is specific to that user.

For users that have no login shell, we shouldn't set this at all.
Also, I believe it would make sense to not set this for services.

But if I log in as root and run an app interactively, then I kind
expect those apps to have a place to store stuff for me and I would
think having that place somewhere in $HOME makes sense.

So maybe the two things above will do the trick? e.g. not set USER
path for services and for binaries that are run as users without

> Mark
> --
> snappy-devel mailing list
> snappy-devel at
> Modify settings or unsubscribe at:

More information about the snappy-devel mailing list