/dev/shm, /var/tmp and confined snaps

Sergio Schvezov sergio.schvezov at canonical.com
Mon May 2 15:28:57 UTC 2016


I'm currently working on an Electron-based snap (which underneath uses
chromium) for vscode. After some debugging and tickling here and there I
have a nicely, almost, working snap.

One of the things preventing me from chanting out blind success is that
for this to work straight out of the box (also read as sans --devmode
toggles) I would need to patch chromium (the one pulled in by vscode) to
make this work.

This has got me thinking, and consider me totally ignorant of how
/dev/shm works, but wouldn't it be possible to somehow do the same thing
we do for /tmp with the ubuntu-core-launcher, that is, create a mount
for /dev/shm and while we are at it, one for /var/tmp?
This may or may not work.

The other idea dangling in my mind for /dev/shm was to have AppArmor do
more work, and allow any file creation in /dev/shm, tag it while created
with the profile and only allow reading if it was "tagged" by the same
profile.

Would any of these work? I would consider it a big win if it allowed me
not to patch the world, specifically for these two things which don't
really require persisting data :-)

Cheers
Sergio
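The first idea above (giving the confined app its own mount for /tmp, /dev/shm and /var/tmp) is something a snap developer wants to verify from inside the confined process before deciding whether a patch to chromium is still needed. The following is an added example, not code from the thread, from snapd or from ubuntu-core-launcher: it parses the `/proc/self/mountinfo` format documented in proc(5) and reports, for each scratch directory, whether it is a mount point, what filesystem backs it, and whether it carries a `shared:N` peer-group tag. The sample mountinfo text is constructed. The heuristic is an assumption of this example: the host's /dev/shm is itself a tmpfs, so "is tmpfs" alone proves nothing, whereas a tmpfs the launcher mounted inside a private mount namespace would not carry the host's `shared:` peer-group tag.

```python
"""Report whether scratch directories are private mounts inside this process.

Added example for the snappy-devel thread above; it is not part of snapd or
ubuntu-core-launcher. Parses /proc/self/mountinfo (format per proc(5)):

  id parent major:minor root mountpoint opts [optional...] - fstype source superopts
"""
import re

SCRATCH_DIRS = ("/tmp", "/dev/shm", "/var/tmp")

# Constructed sample: /tmp is a tmpfs with no peer group (what a launcher-made
# private mount would look like); /dev/shm is the host's tmpfs, still in a
# shared peer group; /var/tmp is not a mount point at all.
SAMPLE_MOUNTINFO = r"""
28 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
19 28 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=4k
26 19 0:19 / /dev/shm rw,nosuid,nodev shared:23 - tmpfs tmpfs rw
41 28 0:35 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=1024k
42 28 0:36 / /mnt/my\040disk rw,relatime shared:30 - ext4 /dev/sdb1 rw
"""


def unescape(s):
    """Decode the octal escapes mountinfo uses for space, tab, newline, backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mountinfo(text):
    """Parse mountinfo text into a list of dicts, skipping malformed lines."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, sep, tail = line.partition(" - ")
        if not sep:
            continue  # no separator: not a valid mountinfo line
        h, t = head.split(), tail.split()
        if len(h) < 6 or len(t) < 3:
            continue
        mounts.append({
            "id": int(h[0]),
            "parent": int(h[1]),
            "mountpoint": unescape(h[4]),
            "options": h[5].split(","),
            "optional": h[6:],          # e.g. ["shared:23"], ["master:5"], []
            "fstype": t[0],
            "source": t[1],
            "superopts": t[2].split(","),
        })
    return mounts


def find_mount(mounts, path):
    """Return the entry whose mount point is exactly `path`, else None."""
    for m in mounts:
        if m["mountpoint"] == path:
            return m
    return None


def peer_group(mount):
    """Return the 'shared:N' tag if the mount propagates with a peer group."""
    for field in mount["optional"]:
        if field.startswith("shared:"):
            return field
    return None


def scratch_report(mountinfo_text, dirs=SCRATCH_DIRS):
    """Map each directory to (fstype or None, 'shared:N' or None).

    (None, None)       -> not a mount point; shares the parent filesystem.
    ('tmpfs', None)    -> own tmpfs, no peer group: consistent with a private mount.
    ('tmpfs', 'shared:N') -> tmpfs still propagated with the host's peer group.
    """
    mounts = parse_mountinfo(mountinfo_text)
    report = {}
    for d in dirs:
        m = find_mount(mounts, d)
        report[d] = (m["fstype"], peer_group(m)) if m else (None, None)
    return report


if __name__ == "__main__":
    # Run inside the snap: read this process's own view of the mount table.
    with open("/proc/self/mountinfo") as f:
        for path, (fstype, group) in scratch_report(f.read()).items():
            print(f"{path:10} fstype={fstype} peer_group={group}")
```

Run it as the confined app (for example from a snap's command wrapper) and compare against the same output on the host: a directory that appears with the host's `shared:N` tag, or not as a mount point at all, is still the host's directory from the app's point of view.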
