Classic confinement request: pbtk

Hello,

I submit today a classic confinement request for the “pbtk” Snap, using the template:

I understand that strict confinement is generally preferred over classic.

I’ve tried the existing interfaces to make the snap work under strict confinement.

Note that snappy-debug can be used to identify possible required interfaces. See https://snapcraft.io/docs/debug-snaps for more information.

@reviewers @advocacy

Regards,

Hi @Marin

As far as I understood, the reasons provided do not quite fit classic confinement requirements. As per the policy, this falls under the following unsupported criteria:

dependent software only available on host (ship in snap instead (eg, stage-packages, build from source))

This can be tackled using one of the following two things:

  1. Bundle chromium within the snap
  2. User starts the chromium application on the host and then the snap connects to the port using the network interface.

@shishirsub10 Thank you. Regarding solution #1, do you know how I can make the Chromium binary exposed to my app? I tried just adding Chromium as a stage-snap and the binary is not visible in $PATH.

Or rather it can’t be instanced:

16:56:43:marin:~/pbtk$ snap run --shell pbtk
marin@zenbook-15:/home/marin/pbtk$ chromium-browser
/snap/pbtk/x1/usr/bin/chromium-browser: 70: exec: /snap/bin/chromium: Permission denied
marin@zenbook-15:/home/marin/pbtk$ /snap/bin/chromium
bash: /snap/bin/chromium: Permission denied
marin@zenbook-15:/home/marin/pbtk$ ls -l /snap/bin/chromium
lrwxrwxrwx 1 root root 13 Mar 18 16:54 /snap/bin/chromium -> /usr/bin/snap
marin@zenbook-15:/home/marin/pbtk$ /usr/bin/snap
bash: /usr/bin/snap: Permission denied
marin@zenbook-15:/home/marin/pbtk$ dbus-send --session --type=method_call --dest=io.snapcraft.Launcher /io/snapcraft/PrivilegedDesktopLauncher io.snapcraft.PrivilegedDesktopLauncher.OpenDesktopEntry "string:chromium-browser.desktop"
marin@zenbook-15:/home/marin/pbtk$ # ^ does nothing

I guess I will eventually move to another way of bundling chromium, such as using puppeteer on top of all this.

Hey @Marin

16:56:43:marin:~/pbtk$ snap run --shell pbtk
marin@zenbook-15:/home/marin/pbtk$ chromium-browser
/snap/pbtk/x1/usr/bin/chromium-browser: 70: exec: /snap/bin/chromium: Permission denied

This is trying to launch the chromium installation in your host, rather than the copy staged in the snap. Chromium could be launched from inside the snap with $SNAP/bin/chromium.launcher. However, I just realized that chromium itself needs a long list of permissions to work.

User starts the chromium application on the host and then the snap connects to the port using the network interface.

I think this will be the cleanest solution in this case, and it should not be very complicated for the audience of this snap. If you are willing to give it a try, I’ll be happy to support you with issues that may arise as much as I can.

Thanks!