Classic confinement request for riseup-vpn


I’d like to request classic confinement for riseup-vpn.

RiseupVPN is a customized build of Bitmask. Bitmask is an application that provides easy-to-use VPN and Encrypted Email services, and it works with different providers that support the LEAP Platform.

RiseupVPN is shipping only the VPN parts of bitmask, it’s branded after one of the first and major LEAP providers, and it is pre-configured to connect to the VPN service provided by riseup without the need for registration. It ships the bitmaskd daemon, written in twisted python, and a systray written in golang.

The reason for classic confinement is that bitmask is using policykit for launching both openvpn and a privileged helper (that sets iptables rules for avoiding dns leaks) without asking for user password, and so far I didn’t find any other way of installing the polkit policy files and the needed bitmask-root helper in a path that polkit is aware of.

The helpers are put in place by the install hook (which is generated by the makefile), and removed after the uninstall. /usr/local/sbin/bitmask-root is a python script that is called first to set a fail-close firewall, and then to launch openvpn (the version of openvpn shipped with the snap will be used in this case). The polkit policy file, placed in /usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy references the path for the bitmask-root mentioned before.

A management interface with openvpn is open through a unix socket under a temporal folder (in /tmp). Communication between the daemon and the systray happens via zmq using unix sockets (under /var/tmp), and configuration files are written under the home of the user that launches the application (in ~/.config/leap). I started looking into moving all these files under the snap folders, but then I realized that I needed the classic confinement so that polkit could work.

I’ve read that in the future a new interface might be available to use polkit from within snaps with strict confinement, is there a channel other than this forum where we could get updates on the progress of that?

1 Like

Yes please. There are folks who need this application quite badly.

Apologies if this is not the place for this type of discussion. I know y’all are trying to get work done. I just think this is important and I am seconding this request.

It is, actually! @jdstrand mind taking a look at this?

I actually don’t handle classic approvals-- this is for the snap advocacy team (I simply try to gather requirements for classic from time to time).

@evan, @Wimpress, @popey - can one of you take a look at this?

Regarding polkit - yes, there isn’t a way for you to ship polkit files or for snapd to provide on behalf of your snap at this time. It is on the roadmap but the work is not prioritized at this time. Most everything else could be handled AFAICT with some modifications to the snap I think.

Hi. I am from Riseup. We are a non-profit that offers high quality, free services using all free software. There are hundreds of thousands of people who would be happy to use a donation-based Riseup VPN service… if we can get this app approved! Please let us know what we can do to move the process along.

Ping - @evan, @Wimpress, @popey - can one of you take a look at this?

Apologies for the delay. Currently it looks like classic confinement will be the best way to get this snap working, with a view to moving to strict confinement once we can support the features you need. I note that you’re hosting/building this on gitlab. Are you planning to automate builds into the store directly from there?

+1 for classic confinement.

You may also want to consider having aliases for the various commands contained within the snap, but it will work as is.

Granting classic. This is now live.

thanks @jdstrand !

Are you planning to automate builds into the store directly from there?

not for stable, for now we’ll upload releases manually, but we might consider pushing into edge. I didn’t know that was possible :slight_smile:

minor doubt: I just filled the “company” field in my profile, is there any chance that the organization name can appear in the store page for this snap instead of my developer name?

edit: looking in the forum, it seems changing ownership might be the way to go… could the owner be changed to the snap store user leapsnaps? thanks! (I can open a new thread if needed).