Hello, I’d like to request classic confinement for Toggl Desktop (snap toggldesktop) as it requires running an embedded Chromium engine that in turn requires access to /dev/shm. It also requires network, storage, display server and multiple DBus interface access. I have to admit though that Chromium is the main culprit why I’ve decided to go for classic confinement - I could not find information on how to handle that using plugs and I’ve found multiple Chromium-dependent apps using classic confinement for this reason.
Hi! Thanks for uploading the snap. If chromium is the component that’s causing the issue, I’d recommend looking at the chromium snap, and using similar / same interfaces used by it, rather than classic. Here is the yaml used by some builds of that snap. Worth a look as I don’t think “other people use classic” and “I couldn’t work it out” are valid reasons for classic.
$ snap interfaces chromium
Slot Plug
:browser-support chromium:browser-sandbox
:camera chromium
:cups-control chromium
:desktop chromium
:gsettings chromium
:home chromium
:network chromium
:network-bind chromium
:opengl chromium
:pulseaudio chromium
:screen-inhibit-control chromium
:u2f-devices chromium
:unity7 chromium
:upower-observe chromium
:x11 chromium
gtk-common-themes:gtk-3-themes chromium
gtk-common-themes:icon-themes chromium
gtk-common-themes:sound-themes chromium
- chromium:mount-observe
- chromium:network-manager
- chromium:password-manager-service
- chromium:removable-media
Yes, chromium and electron apps work fine using the browser-support interface which gives access to /dev/shm that is compatible with the chromium content api. You might also be interested in https://github.com/sergiusens/snapcraft-preload/ or other LD_PRELOAD techniques (not typically required for using the chromium content api).
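An added example, not part of the thread and not the Toggl Desktop project's own snapcraft.yaml: a fragment showing only the confinement-related keys, with classic confinement replaced by strict confinement plus the browser-support plug described above. The command path is hypothetical, and the plug list is an assumed subset taken from the chromium listing earlier in the thread.

```yaml
# Added illustration: only the keys relevant to confinement are shown.
name: toggldesktop

# Before: classic confinement, which runs the app without the snap sandbox.
# confinement: classic

# After: strict confinement, with access granted one interface at a time.
confinement: strict

plugs:
  # Same plug name and interface as chromium:browser-sandbox in the listing.
  browser-sandbox:
    interface: browser-support
    allow-sandbox: true        # also permit Chromium's own sandbox

apps:
  toggldesktop:
    command: bin/TogglDesktop  # hypothetical path inside the snap
    plugs:
      - browser-sandbox        # the /dev/shm access the embedded Chromium needs
      - network
      - home                   # storage under the user's home directory
      - desktop
      - x11
      - unity7
      - opengl
```

After installing a build made this way, `snap interfaces toggldesktop` shows which of these plugs are actually connected.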
Yeah, even though I have to admit popey’s answer didn’t make me happy at all, I went ahead and tried making it run in strict confinement once more (by copying stuff over from the Liri Browser) and it went through mostly fine. There is just one warning in the Snap store, about execstack, but I see it got manually approved, yay!