Hi, work is ongoing in snapd to add support for snaps to ship polkit files - https://github.com/snapcore/snapd/pull/10219 - does this look suitable for the use-case for calyx-vpn? My understanding is this is close to being finished so would be available in a snapd version in the not-too-distant future.
Sounds like this would allow us to drop the classic confinement, thanks; when that happens we’ll also see about changing riseup-vpn to stop using classic then.
If you want to test out the new polkit interface, here are some quick instructions:
Switch over to the edge channel of snapd with:
    snap refresh --edge snapd
This will switch to the in-development version of snapd featuring the interface. You can switch back to stable snapd afterwards by running the command again with --stable instead of --edge.
In your snapcraft.yaml file, define a polkit plug like so:
    plugs:
      polkit:
        action-prefix: com.example.Foo
Change action-prefix to the prefix of the polkit actions your server uses. This is needed so snapd can check that your policy files only define or reference matching actions, and that if auto-connect is granted for the interface it is only for the declared prefix.
Have one of the parts in your project stage your polkit policy files with a name matching meta/polkit/polkit.*.policy.
Build your snap and then manually connect the polkit plug with sudo snap connect snap_name:polkit. If everything is working, you should see the policy file copied to /usr/share/polkit-1/actions, and named something like snap.snap_name.interface.polkit.*.policy. Your server should also be able to make CheckAuthorization calls to polkitd.
If everything works, you can make a request for the polkit interface on your snap to auto-connect, which should make everything work out of the box for your users. Note that this is a very new feature, and there aren’t yet fixed policies for such an auto-connect approval. Hopefully it won’t be too tricky though.
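A pre-build check for the action-prefix rule described in the instructions above, as an added example that is not part of the original posts and is not snapd's own code. The sample policy is constructed, and two points are assumptions: that an id matches when it equals the prefix or extends it with a dot, and that "referenced" actions are those listed in an org.freedesktop.policykit.imply annotation.

```python
import xml.etree.ElementTree as ET

# polkit annotation whose value is a space-separated list of implied action ids
IMPLY_KEY = "org.freedesktop.policykit.imply"

# Constructed sample: one action inside the prefix, one imply reference
# outside it, and one action id that only looks similar to the prefix.
SAMPLE_POLICY = """<policyconfig>
  <action id="com.example.Foo.connect">
    <description>Start the VPN</description>
    <defaults><allow_active>auth_admin</allow_active></defaults>
    <annotate key="org.freedesktop.policykit.imply">com.example.Foo.status org.example.Other.run</annotate>
  </action>
  <action id="com.example.Foobar.reset">
    <defaults><allow_active>auth_admin</allow_active></defaults>
  </action>
</policyconfig>"""


def matches_prefix(action_id, prefix):
    # Assumption: a match is the prefix itself or the prefix followed by a dot,
    # so "com.example.Foobar" does not match the prefix "com.example.Foo".
    return action_id == prefix or action_id.startswith(prefix + ".")


def check_policy(xml_text, prefix):
    """Return (kind, action_id) pairs for ids that fall outside the prefix."""
    problems = []
    for action in ET.fromstring(xml_text).iter("action"):
        action_id = action.get("id", "")
        if not matches_prefix(action_id, prefix):
            problems.append(("defines", action_id))
        for annotate in action.iter("annotate"):
            if annotate.get("key") != IMPLY_KEY:
                continue
            for implied in (annotate.text or "").split():
                if not matches_prefix(implied, prefix):
                    problems.append(("implies", implied))
    return problems


if __name__ == "__main__":
    for kind, action_id in check_policy(SAMPLE_POLICY, "com.example.Foo"):
        print(f"policy {kind} action outside prefix: {action_id}")
```

Run it against each meta/polkit/polkit.*.policy file by passing the file's text and the action-prefix from snapcraft.yaml to check_policy.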
Hey @kalikaneko no worries. In the meantime, I am removing this request from our classic requests review queue. Feel free to write here again whenever you have an update and we can proceed with any request needed.