Classic -> strict fwupd

fwupd just switched from classic confinement to strict confinement. It needs a manual approval according to the upload. Also it needs to be connected to the following interfaces automatically by the store.

sudo snap connect fwupd:bluez
sudo snap connect fwupd:fwupdmgr fwupd:fwupd
sudo snap connect fwupd:hardware-observe
sudo snap connect fwupd:modem-manager
sudo snap connect fwupd:polkit
sudo snap connect fwupd:udisks2
sudo snap connect fwupd:upower-observe
1 Like

hey @superm1 :slight_smile:

It’s awesome to see fwupd switching to being strictly confined. In general since this is going from being unconfined to being confined, the vetting process is not really necessary, but for posterity I wanted to try and summarize my understanding of the uses of each of these interfaces (please correct me if I am wrong):

Since fwupd is designed to deliver firmware updates for a variety of hardware devices, it makes sense for it to be able access information regarding the hardware of the system (hardware-observe), bluetooth devices (bluez), disks (udisks2), LTE modems (modem-manager) and obviously to be able to slot fwupd. I am assuming upower-observe is to be able to detect if the system is running on battery or not? Finally for polkit - this allows fwupd to make use of polkit to check that users are appropriately authorized to perform the various privileged operations like updating device firmware.

+1 from me for use-of and auto-connect of these various interfaces, including the polkit interface with action-prefix org.freedesktop.fwupd. I have gone ahead and granted these already since I don’t expect any of them to be controversial, given that the fwupd snap already has classic confinement override granted. If other @reviewers disagree, please comment below.

It’s awesome to see fwupd switching to being strictly confined

We have @valentind to thank for doing a lot of the hard work here to push it over this hurdle. Much appreciation!

Since fwupd is designed to deliver firmware updates for a variety of hardware devices, it makes sense for it to be able access information regarding the hardware of the system (hardware-observe), bluetooth devices (bluez), disks (udisks2), LTE modems (modem-manager) and obviously to be able to slot fwupd.

All sounds right.

I am assuming upower-observe is to be able to detect if the system is running on battery or not?

Not just on battery or not, but the battery level. Certain updates should only be offered when the battery is charged up enough.

Finally for polkit - this allows fwupd to make use of polkit to check that users are appropriately authorized to perform the various privileged operations like updating device firmware.

Yep.

1 Like

Excellent - thanks indeed @valentind :pray:

Great news! And +1 from me for the auto-connect of these interfaces too

+1 from me on all of the auto-connect requests, as well.