On 1 March 2017 at 07:13, Michi Henning <michi.henn...@canonical.com> wrote:
>
>> Upon further thinking, I believe that I did not have to use a fresh
>> LXD container, because the "strict" confinement would preclude anyway
>> the snap from using any of my desktop's existing system libraries.
>> Isn't that indeed the case?
>
> I don't think so. System libraries are visible even with strict confinement,
> as far as I know.
That's not true. When a command or daemon in a strict-mode snap gets
executed, it runs in a different mount namespace where the file system root
is the contents of the "core" snap. You can verify this by executing the
following:

    snap run --shell command_name

and use that shell to inspect the file system as seen by that particular
command.

James.

-- 
Snapcraft mailing list
Snapcraft@lists.snapcraft.io
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
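The check James describes, written out as a script. This is an added example, not code from the thread or from snapd: it reads /proc/self/mountinfo from the host shell and from a shell started with `snap run --shell`, and compares the file system mounted at "/" in each. Under strict confinement the root is the snap's base image (the "core" snap in 2017, core18/core20/... for newer snaps), which shows up as a read-only squashfs on a loop device, whereas the host root is normally ext4 or similar on a real block device. The assumptions are that snapd is installed, that SNAP_APP names an installed strict-mode app as `<snap>.<app>`, and that the confined shell is allowed to read its own /proc/self/mountinfo; the mountinfo lines in the test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from snapd).
# Assumption: snapd is installed and SNAP_APP is set to an installed
# strict-mode app, e.g. SNAP_APP=somesnap.someapp ./rootcheck.sh

# Read /proc/self/mountinfo text on stdin and print "<fstype> <source>" for
# the mount whose mount point (field 5) is "/". The fields after the lone "-"
# separator are fstype, mount source and super-block options.
root_mount() {
    awk '$5 == "/" {
        for (i = 7; i <= NF; i++)
            if ($i == "-") { print $(i+1), $(i+2); exit }
    }'
}

# Succeed (exit 0) when the root mount described on stdin is a squashfs,
# i.e. a mounted snap image rather than the host's own root file system.
is_snap_root() {
    [ "$(root_mount | cut -d' ' -f1)" = "squashfs" ]
}

# Collect the root mount as the host shell sees it and as the confined
# command sees it. `snap run --shell` opens a shell inside the app's mount
# namespace; the heredoc is the command list fed to that shell.
compare_roots() {
    app=${SNAP_APP:?set SNAP_APP to an installed strict-mode snap app}

    host_root=$(root_mount < /proc/self/mountinfo)
    snap_root=$(snap run --shell "$app" <<'EOF' 2>/dev/null | root_mount
cat /proc/self/mountinfo
EOF
)

    printf 'host root mount: %s\n' "$host_root"
    printf 'snap root mount: %s\n' "${snap_root:-<could not read; is the app name right?>}"

    if [ -n "$snap_root" ] && printf '%s\n' "$snap_root" | is_snap_root; then
        echo "confined command sees a different root (snap image), as expected"
        return 0
    fi
    echo "confined command does NOT appear to run on a snap image root"
    return 1
}

# Only perform the live comparison when snapd is actually present so the
# helper functions above can be sourced and tested on any machine.
if command -v snap >/dev/null 2>&1 && [ -n "${SNAP_APP:-}" ]; then
    compare_roots
fi
```

Inside the confined shell you can go further than mountinfo: `ls /usr/lib/x86_64-linux-gnu` lists the base snap's libraries rather than your desktop's, and `cat /etc/os-release` reports the base's release, which is the concrete answer to the question about system libraries in the quoted mail.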