Snappy Confinement and AppArmor
Oliver Grawert
ogra at ubuntu.com
Wed Feb 25 14:38:21 UTC 2015
Am Mittwoch, den 25.02.2015, 11:37 +0200 schrieb Mark Shuttleworth:
> On 23/02/15 11:17, Oliver Grawert wrote:
> > $SNAPP_APP_USER_DATA_PATH though beware ! if your app runs as root
> > this will be /root/apps/<pkgname>/ by default.
>
> Something in me is as allergic to /root/<app>/ as it is to
> /home/ubuntu/<app>.
>
> Would it make sense to make the home directory for the app point to
> /var/lib/apps/<package> when running as root? My rationale would be that
> anything which is running as a service and writing data that is not
> user-specific should be doing so in /var/lib/apps/<app>/. This is
> equally true for a service running as a non-root, but non-real user, to
> the extent we want to enable those.
>
my understanding was that apps (specifically desktop and enduser apps)
would put their "dot dirs and files" for configs there. also an enduser
app has no access to /tmp at all thanks to confinement.
as i noticed with my vim package yesterday, i had to point TMPDIR to
SNAP_APP_USER_DATA_PATH to enable vim to write its .swp files for
recovery.
i guess we need *something* where the app can write user owned tmp files
but that indeed doesn't necessarily mean $HOME though ...
i think snaps with services (vs binary apps) do not create that dir at
all but have the environment var available (and usable if you mkdir from
the service start script).
ciao
oli
More information about the snappy-devel
mailing list