Classic confinement for airtame-application


#1

Hello team,

Not long ago we started using snap packages for our Airtame desktop application (https://snapcraft.io/airtame-application/listing).

One of the key features of the Airtame desktop application is the possibility of setting up a new Airtame device (https://airtame.com/). This is done using the node-wifi module (https://github.com/friedrith/node-wifi) and it works as follows:

  1. the Airtame application periodically scans for new wifi networks.
  2. if a network matching a certain SSID name is discovered (airtame-oob-someextrastuff) we display it as an unconfigured device and let the user set it up.
  3. the setup consists in the application switching to the device networks, sending user settings and then resetting the network back to the previous state.

All this is done using the node-wifi module mentioned above which depends on nmcli. My understanding from this thread (Access nmcli command from network-manager via interface) is that a user will have to manually connect to the network manager interface which is a big UX blocker for us and therefore we request the approval of classic confinement.

Cheers,
Elvis


#2

I don’t think that the requirement for manually connecting an interface is sufficient justification for classic. If your app works correctly when strictly confined with the network-manager interface connected then you should go that route. You can request an automatic connection and depending on the justification the @reviewers will vote accordingly.


#3

Okay, fair enough.

Our issue here is that electron-builder is not as flexible when it comes to snaps, but I managed to build the snap manually and I still don’t know exactly which is the right way to connect to the network-manager interfaces. Maybe you can help me with that. It also seems to be buggy (Access nmcli command from network-manager via interface).


#4

Here are the snap connections

elvis@elvis:~/airtame/airtame-app/snapcraft$ snap connections airtame-application
Interface                 Plug                                  Slot                             Notes
browser-support           airtame-application:browser-support   :browser-support                 -
content[gnome-3-28-1804]  airtame-application:gnome-3-28-1804   gnome-3-28-1804:gnome-3-28-1804  -
content[gtk-3-themes]     airtame-application:gtk-3-themes      gtk-common-themes:gtk-3-themes   -
content[icon-themes]      airtame-application:icon-themes       gtk-common-themes:icon-themes    -
content[sound-themes]     airtame-application:sound-themes      gtk-common-themes:sound-themes   -
desktop                   airtame-application:desktop           :desktop                         -
desktop-legacy            airtame-application:desktop-legacy    :desktop-legacy                  -
firewall-control          airtame-application:firewall-control  -                                -
gsettings                 airtame-application:gsettings         :gsettings                       -
home                      airtame-application:home              :home                            -
network                   airtame-application:network           :network                         -
network-bind              airtame-application:network-bind      :network-bind                    -
network-control           airtame-application:network-control   :network-control                 manual
network-manager           airtame-application:network-manager   :network-manager                 manual
opengl                    airtame-application:opengl            :opengl                          -
pulseaudio                airtame-application:pulseaudio        :pulseaudio                      -
unity7                    airtame-application:unity7            :unity7                          -
x11                       airtame-application:x11               :x11                             -
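
Reading the listing above from a script, as an added example that is not part of the original posts: it classifies each plug as auto-connected, manually connected, disconnected or absent, so a launcher can confirm network-manager is connected before calling nmcli, and a reviewer can list the privileges granted by hand. The sample rows are copied from post #4; the function names and the slot name in the printed `snap connect` hint (assumed to equal the interface name) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit `snap connections <snap>` output read from stdin.
# SAMPLE holds a subset of the rows posted in #4 of this thread.
SAMPLE='Interface Plug Slot Notes
firewall-control airtame-application:firewall-control - -
network airtame-application:network :network -
network-control airtame-application:network-control :network-control manual
network-manager airtame-application:network-manager :network-manager manual'

# plug_state INTERFACE
# Prints one of: auto | manual | disconnected | absent
plug_state() {
  awk -v want="$1" '
    NR == 1 { next }                     # skip the header row
    $1 == want {                         # exact match on the Interface column
      found = 1
      if ($3 == "-")          print "disconnected"   # plug has no slot
      else if ($4 ~ /manual/) print "manual"         # connected by hand
      else                    print "auto"           # connected by snapd
      exit
    }
    END { if (!found) print "absent" }   # snap does not declare this plug
  '
}

# manual_plugs: interfaces whose connection was made by hand, i.e. access
# granted beyond what was connected automatically at install time.
manual_plugs() {
  awk 'NR > 1 && $3 != "-" && $4 ~ /manual/ { print $1 }'
}

# require_plug INTERFACE SNAP
# Returns 0 when the plug is connected; otherwise prints a hint and returns 1.
require_plug() {
  plug_state_result=$(plug_state "$1")
  case "$plug_state_result" in
    auto|manual) return 0 ;;
    *) echo "plug $1 is $plug_state_result; try: sudo snap connect $2:$1 :$1" >&2
       return 1 ;;
  esac
}
```

On a live system, pipe `snap connections airtame-application` into these functions instead of `SAMPLE`.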


#5

It sounds like the ideal thing for your snap would be an auto-connection from your snap to the network-manager snap. I think this is technically doable, but as @daniel points out this would require approval from the reviewers.

Also note that your users can connect some interfaces through the Ubuntu Software Center / GNOME software / etc. but I’m unsure if this GUI allows connecting interfaces between two different snaps like this.


#6

Hi Daniel,

Having had a closer look at this thread (Access nmcli command from network-manager via interface) I found out that you guys are suggesting packaging nmcli inside the snap. I am wondering how packaging some binary (which in a later version might become incompatible with the network-manager service so this feels hackish) is better than having the snap in classic confinement. How is that insufficient justification for classic confinement?

If you guys are worried about security I think a better approach for classic confinement snaps would have been to have some type of manifest file (similar to a chrome extension one) where you require access to certain system binaries (nmcli in this case) so upon installing the snap the user would be informed that the application has access to the binary at hand.


#7

Snaps are free to ship whatever they need and through the use of interfaces, interact with various services/resources on the system. Granting classic grants your snap device ownership rather than simply access to network-manager.

One way you could achieve this is to use ‘stage-packages’ with ‘base: core’ (or omit ‘base’) in your snapcraft.yaml, which will give you the nmcli from Ubuntu 16.04 LTS, which should be older than the network-managers out there.