Classic confinement for Toggl Desktop

martinbriza · April 3, 2019, 3:01pm

Hello, I’d like to request classic confinement for Toggl Desktop (snap toggldesktop) as it requires running embedded Chromium engine that in turn requires accesss to /dev/shm. It also requires network, storage, display server and multiple DBus interface access. I have to admit though the Chromium is the main culprit why I’ve decided to go for classic confinement - I could not find information on how to handle that using plugs and I’ve found multiple Chromium-dependent apps using classic confinement for this reason.

popey · April 3, 2019, 3:08pm

Hi! Thanks for uploading the snap. If chromium is the component that’s causing issue, I’d recommend looking at the chromium snap, and using similar / same interfaces used by it, rather than classic. Here is the yaml used by some builds of that snap. Worth a look as I don’t think “other people use classic” and “I couldn’t work it out” are valid reasons for classic

$ snap interfaces chromium
Slot                            Plug
:browser-support                chromium:browser-sandbox
:camera                         chromium
:cups-control                   chromium
:desktop                        chromium
:gsettings                      chromium
:home                           chromium
:network                        chromium
:network-bind                   chromium
:opengl                         chromium
:pulseaudio                     chromium
:screen-inhibit-control         chromium
:u2f-devices                    chromium
:unity7                         chromium
:upower-observe                 chromium
:x11                            chromium
gtk-common-themes:gtk-3-themes  chromium
gtk-common-themes:icon-themes   chromium
gtk-common-themes:sound-themes  chromium
-                               chromium:mount-observe
-                               chromium:network-manager
-                               chromium:password-manager-service
-                               chromium:removable-media

jdstrand · April 5, 2019, 12:47pm

Yes, chromium and electron apps work fine using the browser-support interface which gives access to /dev/shm that is compatible with the chromium content api. You might also be interested in https://github.com/sergiusens/snapcraft-preload/ or other LD_PRELOAD techniques (not typically required for using the chromium content api).

martinbriza · April 5, 2019, 1:43pm

Yeah, even tough I have to admit popey’s answer didn’t make me happy at all, I went ahead and tried making it run in strict confinement once more (by copying stuff over from the Liri Browser) and it went through mostly fine. There is just one warning in the Snap store, about execstack, but I see it got manually approved, yay!