Classic confinement for hey-mail

hey-mail is an email service, for which I’d like classic confinement approval. There are two areas that make it problematic to run in strict mode:

  • U2F key support: Even after adding and manually connecting the u2f-devices plug, I am not able to use a YubiKey when in strict mode. This works when the app has classic confinement. This is an essential feature for our security-focused email app.
  • Accessing all directories: When using the file picker, users expect to be able to access all parts of their filesystem to, say, attach a file to an email.

What GUI toolkit are you using for the file picker? If you’re using GTK or Qt, you might be able to use the XDG desktop portal to access any files. The files portal opens a native file chooser on the host system and whichever file the user chooses, the snap gets access to.

You can also use the portals D-Bus API directly, if it’s not supported in the toolkit, though that probably requires significant changes in the application.

2 Likes

If you look at how the yubioath-desktop snap is configured, it uses u2f-devices as you tried to do, but also raw-usb and hardware-observe. Maybe you can try with these interfaces?

raw-usb is kind of powerful/sensitive as it allows poking the USB bus, but it should be preferable / less sensitive than full classic confinement.

  • Daniel

Ah, that sounds perfect. This is an Electron app though, and it doesn’t seem like there’s Portal support yet?

Thanks for the tip! I tried using only hardware-observe and u2f-devices (without the raw-usb connection), and it works perfectly for my use case. :star:

3 Likes

No, it doesn’t yet, though you might be able to work with the developer to get it merged. AFAIK, they are looking for developers of Electron apps to test it out.

This is the latest update from the Canonical team about that support; they went a slightly different route.

I see the u2f-devices part of this has been resolved - regarding accessing any file - this is not a sufficient use-case for granting classic confinement - for the vast majority of use-cases, plugging the home and optionally removable-media interfaces should be sufficient.

It’s also worth noting that it will be much easier to test your application with strict confinement compared to classic confinement.

With a classic confinement snap, it can be difficult to ensure you don’t end up linking against libraries from the host system. This can lead to breakage on systems where those host libraries are incompatible with the systems you tested your snap on.

In contrast, a strict confined snap will see the same libraries on any system it is deployed to. It doesn’t completely eliminate the possibility of compatibility problems, but it greatly reduces it.

2 Likes

Thanks for the feedback everyone! I’ll close this request in favour of an autoconnection request for those relevant plugs here.

2 Likes
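
The outcome of the thread, written out as a strict-confinement `snapcraft.yaml` fragment. This is an added example, not the hey-mail project's own file; the `base` value and the `command` path are assumptions, and only the interfaces named in the thread are listed.

```yaml
# Constructed fragment for illustration; not the project's actual snapcraft.yaml.
name: hey-mail
base: core20              # assumption: the plugs below behave the same on other bases
confinement: strict       # the request started from: confinement: classic

apps:
  hey-mail:
    command: hey-mail     # hypothetical launcher path
    plugs:
      # Security-key support: the pair reported working in the thread.
      - u2f-devices
      - hardware-observe
      # raw-usb was also suggested but turned out not to be needed, so the
      # more sensitive interface stays out of the list.

      # File attachments through the file picker.
      - home              # non-hidden files in the user's home directory
      - removable-media   # mounted media under /media, /mnt, /run/media

      # Assumption: an Electron client needs further plugs (network, display,
      # and so on); they are omitted because the thread does not list them.

# home is normally auto-connected on desktop systems. Until the store grants
# auto-connection for the others, connect them by hand after install:
#   snap connect hey-mail:u2f-devices
#   snap connect hey-mail:hardware-observe
#   snap connect hey-mail:removable-media
# and confirm the result with:
#   snap connections hey-mail
```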