Comment 6 for bug 1910456
Revision history for this message
| Ian Johnson (anonymouse67) wrote Re: container management snaps should have Delegates=true in their systemd unit | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
demo site
(Get the code!)
> I'll mention that system-files could be used in a manner to require Delegate=true if using 'write' with affected directories.
Do you know of any such usages currently in the field? If so, we should think about how to handle those cases, because we can't really add Delegate=true for all system-files usages, and inspecting which system-files are vulnerable is probably rather difficult.
If there are no such usages in the field, perhaps we should just update the docs around granting system-files to not allow snaps to use system-files with those interfaces without first deciding about what snapd should do about using Delegate=true in that case. Perhaps the system-files interface could gain an attribute to reflect this or something like that.