fwupd just switched from classic confinement to strict confinement. It needs a manual approval according to the upload.
Also it needs to be connected to the following interfaces automatically by the store.
It’s awesome to see fwupd switching to being strictly confined. In general since this is going from being unconfined to being confined, the vetting process is not really necessary, but for posterity I wanted to try and summarize my understanding of the uses of each of these interfaces (please correct me if I am wrong):
Since fwupd is designed to deliver firmware updates for a variety of hardware devices, it makes sense for it to be able access information regarding the hardware of the system (hardware-observe), bluetooth devices (bluez), disks (udisks2), LTE modems (modem-manager) and obviously to be able to slot fwupd. I am assuming upower-observe is to be able to detect if the system is running on battery or not? Finally for polkit - this allows fwupd to make use of polkit to check that users are appropriately authorized to perform the various privileged operations like updating device firmware.
+1 from me for use-of and auto-connect of these various interfaces, including the polkit interface with action-prefixorg.freedesktop.fwupd. I have gone ahead and granted these already since I don’t expect any of them to be controversial, given that the fwupd snap already has classic confinement override granted. If other @reviewers disagree, please comment below.
It’s awesome to see fwupd switching to being strictly confined
We have @valentind to thank for doing a lot of the hard work here to push it over this hurdle. Much appreciation!
Since fwupd is designed to deliver firmware updates for a variety of hardware devices, it makes sense for it to be able access information regarding the hardware of the system (hardware-observe), bluetooth devices (bluez), disks (udisks2), LTE modems (modem-manager) and obviously to be able to slot fwupd.
All sounds right.
I am assuming upower-observe is to be able to detect if the system is running on battery or not?
Not just on battery or not, but the battery level. Certain updates should only be offered when the battery is charged up enough.
Finally for polkit - this allows fwupd to make use of polkit to check that users are appropriately authorized to perform the various privileged operations like updating device firmware.