Classic confinement request: calyx-vpn

Hi! I’d like to request classic for calyx-vpn. This is a branding of https://github.com/leapcode/bitmask-vpn made for The Calyx Institute, made by LEAP.

The reasons for needing classic are the same as they were for riseup-vpn: dropping a polkit file to allow elevated privilege when running openvpn.

Hi, work is ongoing in snapd to add support for snaps to ship polkit files - https://github.com/snapcore/snapd/pull/10219 - does this look suitable for the use-case for calyx-vpn? My understanding is this is close to being finished so would be available in a snapd version in the not-too-distant future.

@jamesh do you know how far off this might be?

Sounds like this would allow us to drop the classic confinement, thanks; when that happens we’ll also see to changing riseup-vpn to stop using classic then.

@kalikaneko I see that https://github.com/snapcore/snapd/pull/10219 has been merged. Whenever possible, let us know if this works for calyx-vpn so we can remove this request from our review queue.

Thanks!

If you want to test out the new polkit interface, here are some quick instructions:

  1. Switch over to the edge channel of snapd with:
    snap refresh --edge snapd
    
    This will switch to the in-development version of snapd featuring the interface. You can switch back to stable snapd afterwards by running the command again with --stable instead of --edge.
  2. In your snapcraft.yaml file, define a polkit plug like so:
    plugs:
      polkit:
        action-prefix: com.example.Foo
    
    Change action-prefix to the prefix of the polkit actions your server uses. This is needed so snapd can check that your policy files only define or reference matching actions, and that if auto-connect is granted for the interface it is only for the declared prefix.
  3. Have one of the parts in your project stage your polkit policy files with a name matching meta/polkit/polkit.*.policy.
  4. Build your snap and then manually connect the polkit plug with sudo snap connect snap_name:polkit. If everything is working, you should see the policy file copied to /usr/share/polkit-1/actions, and named something like snap.snap_name.interface.polkit.*.policy. Your server should also be able to make CheckAuthorization calls to polkitd.

If everything works, you can make a request for the polkit interface on your snap to auto-connect, which should make everything work out of the box for your users. Note that this is a very new feature, and there aren’t yet fixed policies for such an auto-connect approval. Hopefully it won’t be too tricky though.
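A pre-flight check for steps 2 and 3 above, as an added example that is not part of the original post and is not snapd's own code: it verifies that a staged policy file is named polkit.*.policy and that every action it defines or implies falls under the declared action-prefix. The function names, the sample policies and the exact matching rule (the prefix itself or a dotted child of it) are assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# polkit annotation through which one action references others
IMPLY_KEY = "org.freedesktop.policykit.imply"

def in_prefix(action_id, prefix):
    # Assumed matching rule: the prefix itself or a dotted child of it,
    # so com.example.Foobar.x does not match com.example.Foo.
    return action_id == prefix or action_id.startswith(prefix + ".")

def check_policy(filename, xml_text, prefix):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    if not fnmatch.fnmatchcase(filename, "polkit.*.policy"):
        problems.append(f"{filename}: name does not match polkit.*.policy")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return problems + [f"{filename}: not well-formed XML: {exc}"]
    for action in root.iter("action"):
        action_id = action.get("id", "")
        if not in_prefix(action_id, prefix):
            problems.append(f"{filename}: defines {action_id!r} outside {prefix}")
        for note in action.iter("annotate"):
            if note.get("key") != IMPLY_KEY:
                continue
            for implied in (note.text or "").split():
                if not in_prefix(implied, prefix):
                    problems.append(f"{filename}: {action_id!r} implies {implied!r} outside {prefix}")
    return problems

# Constructed sample policies (not from calyx-vpn or any real snap).
GOOD = """<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="com.example.Foo.run-helper">
    <defaults><allow_active>auth_admin</allow_active></defaults>
  </action>
</policyconfig>"""

BAD = """<policyconfig>
  <action id="com.example.Foobar.run-helper">
    <annotate key="org.freedesktop.policykit.imply">org.example.Other.manage</annotate>
  </action>
</policyconfig>"""

if __name__ == "__main__":
    for name, text in (("polkit.good.policy", GOOD), ("polkit.bad.policy", BAD)):
        print(name, check_policy(name, text, "com.example.Foo") or "ok")
```

Running this against the files your part stages under meta/polkit before building catches a prefix mismatch earlier than connecting the plug would.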

Hey @kalikaneko,

Did you have a chance to test the new polkit interface?

Thanks!

I haven’t yet, sorry :frowning:

it’s a transitioning period at the team that maintains this, so it probably will take a few weeks before someone can move on adapting the package.

but thanks for the reminder, I’ll try a hello-world with polkit and at least document the needed changes on our side :slight_smile:

Hey @kalikaneko no worries. In the meantime, I am removing this request from our classic requests review queue. Feel free to write here again whenever you have an update and we can proceed with any request needed.

Thanks!