fix(snap): use bundled ssh client under strict confinement

alexclewontin · alexclewontin · commit 4cdaf3ca6e9b · 2026-05-26T13:30:09.000-04:00
Strict snap sandbox connect/create shells were still trying to exec the host OpenSSH binary.

Observed failure:
- `apparmor="DENIED" operation="exec" class="file" profile="snap.openshell.openshell" name="/usr/bin/ssh" requested_mask="x" denied_mask="x"`

Bundle `openssh-client` in the snap so the CLI uses the bundled binary under strict confinement.

Signed-off-by: Alex Lewontin &lt;alex.lewontin@canonical.com&gt;
diff --git a/python/openshell/release_formula_test.py b/python/openshell/release_formula_test.py
@@ -143,6 +143,7 @@ def test_snap_cli_sets_system_gateway_dir_via_app_env() -> None:
 
     assert "command: bin/openshell" in snapcraft
     assert 'OPENSHELL_SYSTEM_GATEWAY_DIR: "$SNAP_COMMON/system-gateways"' in snapcraft
+    assert "- openssh-client" in snapcraft
 
 
 def test_rpm_spec_uses_gateway_defaults_without_config_helper() -> None:
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
@@ -81,6 +81,7 @@ parts:
       - e2fsprogs
       - iproute2
       - nftables
+      - openssh-client
     override-pull: |
       craftctl default
       craftctl set version="$(python3 "$CRAFT_PROJECT_DIR/tasks/scripts/release.py" get-version --snap)"
