The reasons for needing classic are the same ones as were for riseup-vpn: dropping a polkit file to allow elevated privilege when running openvpn.
Hi, work is ongoing in snapd to add support for snaps to ship polkit files - https://github.com/snapcore/snapd/pull/10219 - does this look suitable for the use-case for
calyx-vpn? My understanding is this is close to being finished so would be available in a snapd version in the not-too-distant future.
@jamesh do you know how far off this might be?
sounds like this would allow to drop the classic confinement, thanks; when that happens we’ll also see to change riseup-vpn to stop using classic then.
If you want to test out the new polkit interface, here are some quick instructions:
- Switch over to the edge channel of snapd with:
This will switch to the in-development version of snapd featuring the interface. You can switch back to stable snapd afterwards by running the command again with
snap refresh --edge snapd
- In your
snapcraft.yamlfile, define a polkit plug like so:
plugs: polkit: action-prefix: com.example.Foo
action-prefixto the prefix of the polkit actions your server uses. This is needed so snapd can check that your policy files only define or reference matching actions, and that if auto-connect is granted for the interface it is only for the declared prefix.
- Have one of the parts in your project stage your polkit policy files with a name matching
- Build your snap and then manually connect the
sudo snap connect snap_name:polkit. If everything is working, you should see the policy file copies to
/usr/share/polkit-a/actions, and named something like
snap.snap_name.interface.polkit.*.policy. Your server should also be able to make CheckAuthorization calls to polkitd.
If everything works, you can make a request for the polkit interface on your snap to auto-connect, which should make everything work out of the box for your users. Note that this is a very new feature, and there aren’t yet fixed policies for such an auto-connect approval. Hopefully it won’t be too tricky though.
Did you have a chance to test the new polkit interface?
I haven’t yet, sorry
it’s a transitioning period at the team that maintains this, so it probably will take a few weeks before someone can move on adapting the package.
but thanks for the reminder, I’ll try a hello-world with polkit and at least document the needed changes on our side
Hey @kalikaneko no worries. In the meantime, I am removing this request from our classic requests review queue. Feel free to write here again whenever you have an update and we can proceed with any request needed.