This is related to a question I had as well.  I have a program that uses
wxLaunchDefaultBrowser which, looking at its implementation, tries to make
the system call "exec()" to launch the default browser with a URL.

If snap programs are not allowed to start other processes, that's fine; but
if enough people need to launch the default browser with a URL, then I'm
sure a secure solution just for this could somehow be implemented for snaps.

I gather that one design goal of snaps, however, is the ability for people
to write programs for any environment, but also have them work as snaps so
that the programmer doesn't have to write snap-specific code, or make
snap-specific considerations in their code.  In other words, your code
should be "none-the-wiser" that it is running in the confined area.

So with that in mind, I'm not sure how to solve the problem.  Any secure
API exposed to snap applications already breaks the above design goal.

Of course, it's not unreasonable for my program to have "#ifdef WIN32" or
"#ifdef UNIX", and in the latter case, I may be looking to utilize
something in a standard unix environment which, I believe, is synthesized
in Unbuntu Core.  That's where I believe the snap environment can intercept
what an application is doing and provide a secure solution, and this may be
the "xdg-open" thing Otfried was talking about.


On Mon, Sep 19, 2016 at 2:37 AM, Otfried Cheong <otfr...@ipe.airpost.net>
wrote:

> Hello,
>
> my app has a manual in html.  I normally show this using "xdg-open
> <url>", but from the snap this results in "xdg-open: Permission denied",
> leaving this log:
>
> [21249.231634] audit: type=1400 audit(1474273861.873:383):
> apparmor="DENIED" operation="exec" profile="snap.ipe.sh"
> name="/usr/local/bin/xdg-open" pid=9551 comm="sh" requested_mask="x"
> denied_mask="x" fsuid=1000 ouid=0
>
> According to
> https://lists.ubuntu.com/archives/snapcraft/2016-September/001048.html
> this should work.
> I did refresh ubuntu-core from the beta channel and currently have
> revision 636 of ubuntu-core.
>
>
> Slightly related:  If I understand
> https://lists.ubuntu.com/archives/snapcraft/2016-September/001118.html
> correctly, the host filesystem should be exposed to the snap as
> /var/lib/snapd/hostfs in devmode?    It isn't on my system.
>
> Cheers,
>  Otfried
>
>
> --
> Snapcraft mailing list
> Snapcraft@lists.snapcraft.io
> Modify settings or unsubscribe at: https://lists.ubuntu.com/
> mailman/listinfo/snapcraft
>
-- 
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/snapcraft

Reply via email to