Enabling strict confinement on a devmode snap

Hi,
I currently build my own snap version of thunderbird based on the one produced by Ken Vandine. This is to basically make sure it’s updated with the latest security fixes.

Recently I noticed that the devmode flag basically doesn’t enforce the confinement but simply reports confinement breaks. I understand that this is to encourage publishing to the snap store and to avoid installing snaps manually. Is there a way of installing my snap manually with confinement enforced?

Kind regards,
Krish

if you do not install it with --devmode on the commandline, it will behave like any other strict snap from the store, if it is an actual devmode snap (i.e. built with devmode set in the snapcraft.yaml) you can force confinement with the --jailmode option at install time…

Those only work if you can sign the snap otherwise it complains about ‘error: cannot find signatures with metadata for snap’.

That is with jailmode.

I don’t want to base it against the ‘signed’ version from the store as that is one from a different user and outdated. I just want to install my snap manually offline but still benefit from the snap confinement.

well, just make sure to have:

confinement: strict
grade: stable

… in your snapcraft.yaml

that should be enough to run with full confinement, signed or not …

you’re confusing --devmode, which is about confinement, and --dangerous, which is about signatures. Granted, --devmode implies --dangerous.

I have only been using grade: stable the whole time.

If I try sudo snap install thunderbird.snap --jailmode
error: cannot find signatures with metadata for snap “thunderbird.snap”

If I try sudo snap install thunderbird.snap --stable
error: cannot find signatures with metadata for snap “thunderbird.snap”

If I try sudo snap install thunderbird.snap --devmode --jailmode I get.
error: cannot use devmode and jailmode flags together

If I try sudo snap install thunderbird.snap --dangerous --jailmode
It installs but the following attributes are set
notes:
  private: false
  confinement: strict
  devmode: false
  jailmode: false
  trymode: false
  enabled: true
  broken: false
  ignore-validation: false

sudo snap install thunderbird.snap --devmode produces the same attributes.

This is the head of my snapcraft.yaml file.
name: thunderbird
version: 60.7.2
summary: Mozilla Thunderbird email application
description: Thunderbird is a free email application that’s easy to set up and customize - and it’s loaded with great features!
confinement: strict
grade: stable
base: core18

Do you have any ideas how to fix this?

this looks perfectly fine to me …

Sorry, just tried it and now the confinement seems to work. Thanks for your help.

I think I was kind of expecting with that last one that jailmode would be set to true.
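
An added example (not from any poster in this thread) that reads the `notes:` block quoted above and reports whether confinement is enforced on the installed snap. It assumes the notes come from `snap info --verbose`, and that enforcement means `devmode: false` with `confinement: strict`, or `jailmode: true`; the function names are hypothetical and the sample input is constructed from the values posted in the thread.

```shell
#!/bin/sh
# Added example: classify the "notes:" block printed for an installed snap.

# Constructed sample input, using the values quoted in the thread.
sample_notes() {
cat <<'EOF'
notes:
  private:           false
  confinement:       strict
  devmode:           false
  jailmode:          false
  trymode:           false
  enabled:           true
  broken:            false
  ignore-validation: false
EOF
}

# Print the value of one notes field (e.g. "confinement") from stdin.
note_value() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Print "enforced..." or "not-enforced: <reason>" for notes text on stdin.
# Assumption: jailmode forces enforcement; devmode disables it; otherwise
# only "confinement: strict" counts as enforced.
confinement_status() {
    notes=$(cat)
    conf=$(printf '%s\n' "$notes" | note_value confinement)
    dev=$(printf '%s\n' "$notes" | note_value devmode)
    jail=$(printf '%s\n' "$notes" | note_value jailmode)
    if [ -z "$conf" ] || [ -z "$dev" ]; then
        echo "unknown: notes block missing confinement/devmode"
    elif [ "$jail" = "true" ]; then
        echo "enforced (jailmode)"
    elif [ "$dev" = "true" ]; then
        echo "not-enforced: installed in devmode"
    elif [ "$conf" = "strict" ]; then
        echo "enforced"
    else
        echo "not-enforced: confinement is $conf"
    fi
}

# Live use (requires snapd): snap info --verbose thunderbird | confinement_status
sample_notes | confinement_status
```

For a snap whose snapcraft.yaml already declares `confinement: strict`, the result is "enforced" even though `jailmode` reads false, which matches the outcome reported at the end of the thread.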