Classic request for bower

As bower maintainer I’d like to release the newest 1.8.8 version on snapcraft, which fixes many security issues. Bower needs classic confinement because it needs to be able to modify the filesystem at any path, access the cache folder, access git configuration etc. Also, the previous version on snapcraft was not released by me and was released in classic confinement. Currently I don’t have resources to figure out what exact sandbox rules I should apply for Bower. Thank you!

EDIT:

I’ve published revision 5 of this release which installs bower directly from npm:

It seems that the nodejs plugin adds bower itself as a dependency in yarn.lock… which doubles the package size. Is there a way to avoid this? Is it a bug? My snapcraft.yaml:

name: bower
version: 1.8.8
summary: A package manager for the web
description: Bower offers a generic, unopinionated solution to the problem of front-end package management
base: core18
confinement: classic
grade: stable
parts:
  bower:
    plugin: nodejs
    node-package-manager: yarn
    node-packages:
      - bower@1.8.8
    stage-packages:
      - openssl
      - curl
      - git
apps:
  bower:
    command: bin/bower
environment:
  GIT_EXEC_PATH: $SNAP/usr/lib/git-core

This is not providing enough detail to understand why the snap might require classic. We have interfaces to allow use of git and cache folders. Typically home and removable-media is sufficient for snaps that run as non-root.

What does bower do and what are some representative use cases that require classic confinement?

What snap are you referring to? The ‘bower’ snap in the store currently is not allowed to use classic and I don’t see another request in the forum referencing a classic request for *bower*.

This is not a justification for classic confinement, but see above.

https://snapcraft.io/bower the version 1.8.0 is already using classic confinement and needs security fixes to be released.

This is pretty weird then, 1.8.0 (stable) is in fact classic, how did it get that…:

$ snap info bower
name:      bower
summary:   A package manager for the web
publisher: Adam Stankiewicz (sheerun)
contact:   https://github.com/bower/bower/issues
license:   Other Open Source
description: |
  Web sites are made of lots of things — frameworks, libraries, assets, and utilities.
  Bower manages all these things for you.
snap-id: sqteCX7tnM1bxCX34c6Mt9DxxQJkpMS9
channels:
  stable:    1.8.0 2017-05-17 (2) 13MB classic
  candidate: ↑
  beta:      1.8.8 2019-12-10 (3) 63MB devmode
  edge:      ↑

I don’t know. The snap was published by some 3rd-party person, then the project was transferred to me, and now I’d like to make an official release with security fixes.

Looking at the past store reviews for this snap, it seems revision 2 was manually approved with classic confinement by a former employee (and with no additional comment left to specify why…). This was done before the current more formal approach around granting classic confinement was established.

@sheerun as @jdstrand asked above, can you please outline the reasons you believe bower requires classic confinement and is not able to run as a strictly confined snap?

This snap needs security fixes to be deployed and I don’t have time to research how I should configure a strictly confined snap for Bower. If your former employee decided to release and approve this as classic confinement before, please allow me to update it with security fixes without changing confinement. I can see two other options:

  1. Hire some other employee on your side to research how to strictly confine Bower without causing issues for existing users
  2. Take down the snap from snapcraft because it’s not secure and has a CVE to be fixed

@sheerun - we aren’t asking you to convert your snap to strict mode, we are asking you to describe your snap and typical use cases so they may be documented and we can either improve snapd or, as time allows, work with you on your snap.

I’m prepared to grant classic for a single revision of your snap to expedite the security fixes, but for this to pass automated reviews in the future, we need the additional information. Revision 7 is the latest revision in the store and is currently in the rejected state. Please either request via the store a manual review and we can approve this revision or upload a new revision and we can approve that one.

One-time pass is fine for me because it gives more time for proper migration.

It’s probably possible to make Bower strictly confined, but I’d need to read a lot of source code (or run it in multiple scenarios) to check which files it needs to read and write in the filesystem, where it stores caches, which environment variables it uses etc. I don’t think it can be done/described right now.

I’ve sent a new request for manual review.

I just approved it, but you need to push it to a channel (e.g., stable, edge, etc.).

Whenever you get a chance to provide the requested information, we can discuss granting classic permanently or advising on issues you might have migrating to strict mode.

Thank you. For sure I’ll need to solve the following:

a) Reduce size of snap as mentioned in here: Classic request for bower

b) Allow access to Bower configuration files:

  • Local .bowerrc located in the current working directory
  • All .bowerrc files upwards the directory tree
  • .bowerrc file located in user’s home folder ( ~ )
  • .bowerrc file located in the global folder ( / )

c) Allow access to git configuration (~/.gitignore, ~/.gitconfig, ~/.ssh, etc.) because Bower can use git for fetching dependencies. The same for SVN configuration.

d) Allow access to environment variables like HTTP_PROXY, but also any other environment variables, because they can be used in install scripts configured in .bowerrc

e) Allow write access to any directory in the filesystem, as the bower_components install location can be freely configured in .bowerrc

f) Allow full access to ~/cache/bower

In short, Bower needs full access to the file system and full access to environment variables.

I’d appreciate any help to enable all of these in strict confinement.

This can be handled via the personal-files interface. Do note that $HOME is set to ~/snap/bower/<revision> and you have full access to anything in this directory, so you may not need personal-files at all for this.

Git can be handled via the personal-files interface, ssh via ssh-keys or ssh-public-keys.

The environment is preserved and with personal-files, you can access .bowerrc.

Typically using the home and removable-media interfaces is sufficient for things like this.

See above about $HOME and/or personal-files.

When you’re ready to start looking into this more, I suggest reading https://snapcraft.io/docs/snap-confinement (along with other topics along the left). If you have trouble, please open a new forum topic under the ‘snapcraft’ category so the right people see your questions. You can also search this forum or ask questions in #snapcraft on IRC (Freenode). Good luck!
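As an added illustration of the interfaces suggested in the reply above (this is not a snapcraft.yaml from the bower project or from anyone in the thread), here is what the manifest posted earlier would look like under strict confinement, mapping each of items b) to f) to a plug. The plug name `bower-config` is my own choice; the interface names (`home`, `removable-media`, `network`, `ssh-keys`, `personal-files`) are the ones named in the reply or standard snapd interfaces, and the part definition reuses the values from the posted manifest.

```yaml
name: bower
version: 1.8.8
summary: A package manager for the web
description: Bower offers a generic, unopinionated solution to the problem of front-end package management
base: core18
# Strict instead of classic: everything below lists what the snap may touch.
confinement: strict
grade: stable

parts:
  bower:
    plugin: nodejs
    node-package-manager: yarn
    node-packages:
      - bower@1.8.8
    stage-packages:
      - openssl
      - curl
      - git

plugs:
  # Item b) and c): dotfiles in the real home directory. Under strict
  # confinement $HOME is remapped to ~/snap/bower/<revision>, so the user's
  # real ~/.bowerrc and ~/.gitconfig need an explicit personal-files grant
  # (this interface needs store approval before it auto-connects).
  # Plug name "bower-config" is an assumed name chosen for this example.
  bower-config:
    interface: personal-files
    read:
      - $HOME/.gitconfig
      - $HOME/.gitignore
    write:
      - $HOME/.bowerrc

apps:
  bower:
    command: bin/bower
    # Item d): the caller's environment (HTTP_PROXY etc.) is preserved by snapd;
    # GIT_EXEC_PATH is set here exactly as in the posted manifest.
    environment:
      GIT_EXEC_PATH: $SNAP/usr/lib/git-core
    plugs:
      # Item b) (local and parent-directory .bowerrc) and e) (bower_components
      # wherever the project lives): read/write under the user's home and
      # under mounted removable media.
      - home
      - removable-media
      # Fetching packages over HTTP(S), git and svn.
      - network
      # Item c): the ~/.ssh keys git uses for ssh:// remotes.
      - ssh-keys
      - bower-config
    # Item f): the cache. With $HOME remapped, "~/.cache/bower" resolves to
    # ~/snap/bower/<revision>/.cache/bower ($SNAP_USER_DATA), which the snap
    # can already write to with no extra plug.
```

Two of the listed requirements are not covered by this manifest and are the ones worth checking first when testing a strict build: a global `.bowerrc` at `/` is outside both `home` and `personal-files`, and an install location configured to a path outside the home directory or removable media would be denied. Running the strict build under `snap run --shell bower` and watching `journalctl -f` for apparmor DENIED entries is the quickest way to confirm whether either case matters for real users before deciding whether a further plug, or classic, is actually needed.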