That's interesting, Simon. Good idea having available both $SNAP_DATA and /media. We'll do.
But now, let's get back to the original topic: chroot into snap. After solving the issue Thomas found related to the path of the document, I see now there are two operations not allowed in strict confinement: mknod and chroot. Here is what the snappy-debug.security log shows:

= Seccomp =
Time: Feb 10 12:31:31
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31983 comm="loolkit" exe="/snap/loolwsd/x16/usr/bin/loolforkit" sig=31 arch=c000003e 133(mknod) compat=0 ip=0x7f6a6d6450fd code=0x0
Syscall: mknod

= Seccomp =
Time: Feb 10 12:31:42
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11048 comm="loolkit" exe="/snap/loolwsd/x17/usr/bin/loolforkit" sig=31 arch=c000003e 161(chroot) compat=0 ip=0x7fd0178dfb47 code=0x0
Syscall: chroot

I've solved that by plugging docker-support and all works fine. But that interface gives a lot of permissions, and the name maybe is not the most accurate for a case like this. Shouldn't we have an interface allowing mknod, chroot and maybe ptrace for snaps creating their own chroot jails?

BR.

On 10/02/17 11:34, Simon Fels wrote:
> I think you have to support both as otherwise you may miss certain setups
> of nextcloud. One may be configured to use $SNAP_DATA/$SNAP_COMMON to store
> its data, another one may use /media/.. to do that. In the end there needs
> to be some kind of communication happen between both snaps.
>
> Either the nextcloud snap shares the data directory via the content
> interface, regardless where it is. However for that case I am not sure if
> the security rules of the content interface would allow such a case
> (effectively sharing /media to another snap via the content interface).
>
> The other way would be that the nextcloud snap somehow exposes a pointer
> for the office snap where to look for its data and then it can either use
> the path connected via the content or via the removable-media plug.
>
> regards,
> Simon
>
> On Fri, Feb 10, 2017 at 9:48 AM, Roberto Mier Escandón <
> roberto.escan...@canonical.com> wrote:
>
>> Ah, thanks. I'd better use content then.
>>
>> On 10/02/17 09:38, Simon Fels wrote:
>>> On 10.02.2017 09:16, Roberto Mier Escandón wrote:
>>>> I tried content sharing and works fine in this case, Nextcloud exposing
>>>> a slot to its documents folder. I think I saw somewhere this is only
>>>> valid for a 1-1 plug-slot, so that only 1 snap can use that slot at the
>>>> same time. Is that correct? Can removable-media improve this?
>>>
>>> There can be multiple plugs using the slot.
>>>
>>> The removable-media interface allows access to the host /media
>>> directory. That is everything. So unless nextcloud places its data files
>>> there this doesn't help you.
>>>
>>> regards,
>>> Simon
>>
>> --
>> Snapcraft mailing list
>> Snapcraft@lists.snapcraft.io
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
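
Added example (not part of the original thread, and not snapd or snappy-debug code): a small parser that groups seccomp denials like the two quoted in the message above by snap and syscall, which is a quick way to see exactly what a strictly confined snap is being killed for before reaching for a broad interface. The function name, the example-snap and ignored-snap records, and the "syscall#N" fallback label are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Fields of a seccomp audit record, as in the "Log:" lines quoted above.
# snappy-debug prints "133(mknod)"; raw kernel records carry "syscall=133".
RECORD = re.compile(
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"\s+exe="(?P<exe>[^"]*)"\s+'
    r'sig=(?P<sig>\d+)\s+arch=(?P<arch>[0-9a-f]+)\s+'
    r'(?:syscall=)?(?P<nr>\d+)(?:\((?P<name>\w+)\))?'
)
# /snap/<name>/<revision>/... identifies the confined snap.
SNAP_EXE = re.compile(r'^/snap/(?P<snap>[^/]+)/(?P<rev>[^/]+)/')
SIGSYS = 31  # value on x86-64, the arch (c000003e) in the quoted records


def denied_syscalls(text):
    """Map snap name -> {syscall: [executables]} for records killed by seccomp."""
    found = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m or int(m["sig"]) != SIGSYS:
            continue  # not a seccomp record, or logged without a kill
        exe = SNAP_EXE.match(m["exe"])
        snap = exe["snap"] if exe else "(not a snap)"
        # Fall back to the number when no name was appended to the record.
        syscall = m["name"] or "syscall#" + m["nr"]
        found[snap][syscall].add(m["exe"])
    return {s: {c: sorted(e) for c, e in calls.items()} for s, calls in found.items()}


SAMPLE = "\n".join([
    # The two records from the message above.
    'Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=31983 comm="loolkit" exe="/snap/loolwsd/x16/usr/bin/loolforkit" sig=31 arch=c000003e 133(mknod) compat=0 ip=0x7f6a6d6450fd code=0x0',
    'Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11048 comm="loolkit" exe="/snap/loolwsd/x17/usr/bin/loolforkit" sig=31 arch=c000003e 161(chroot) compat=0 ip=0x7fd0178dfb47 code=0x0',
    # Constructed: raw kernel form, no syscall name appended.
    'auid=1000 uid=0 gid=0 ses=1 pid=4242 comm="demo" exe="/snap/example-snap/x1/bin/demo" sig=31 arch=c000003e syscall=101 compat=0 ip=0x0 code=0x0',
    # Constructed: sig=0 (logged, not killed), must be ignored.
    'auid=1000 uid=0 gid=0 ses=1 pid=4243 comm="demo" exe="/snap/ignored-snap/x1/bin/demo" sig=0 arch=c000003e syscall=133 compat=0 ip=0x0 code=0x0',
])

if __name__ == "__main__":
    for snap, calls in denied_syscalls(SAMPLE).items():
        for syscall, exes in calls.items():
            print(snap, syscall, ", ".join(exes))
```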