Kiosk apps with xwayland-kiosk-launch needing an x11 slot that makes them go into manual review

ogra · April 12, 2019, 12:39pm

When packaging a new kiosk app that uses the xwayland launch helper for mir-kiosk, these apps always go into manual review and the reviewers team needs to do an initial bump to get them released …

during a discussion on IRC @jdstrand said he had an idea how to automate this process, this post is supposed to serve as a base to outline this idea …

jdstrand · April 12, 2019, 2:50pm

Right, I think we should adjust the base declaration to have this work something like the content snap.

Eg, today we have:

  x11:
    allow-installation:
      slot-snap-type:
        - app
        - core
    deny-connection:
      on-classic: false
    deny-auto-connection:
      on-classic: false

Perhaps this should be changed to (untested):

  x11:
    allow-installation:
      slot-snap-type:
        - app
        - core
    allow-connection:
      - on-classic: true
      - plug-publisher-id:
        - $SLOT_PUBLISHER_ID
    allow-auto-connection:
      - on-classic: true
      - plug-publisher-id:
        - $SLOT_PUBLISHER_ID

Ie, we use alternate constraints for auto-connection and connection such that we continue to auto-connect on classic, but we also allow auto-connect and and connect when the publisher is the same. With this, I can adjust the review-tools to be less strict about snaps that slots x11.

@pedronis - thoughts?

pedronis · September 27, 2019, 9:37am

@jdstrand If understand the reasoning is that any application from the author of the X server can talk to it. Anything bad they could do, the author could do it inside the server? is that the reasoning here?

jdstrand · September 30, 2019, 10:38pm

@pedronis - when I wrote this, there was the assumption that on classic, x11 would be an implicit classic interface where we want to continue to allow connect and auto-connect by default. For !classic, we do not want to connect and auto-connect without snap declaration because it would allow other snaps to connect to the providing snap’s X server, and then sniff, inject, etc, etc. The idea I had in April was to relax this on !classic to allow connect and auto-connect for any snaps from the same publisher. In this manner, kiosk developers are generally unblocked and we can always allow cross publisher connect/auto-connect via snap declarations.

Considering https://github.com/snapcore/snapd/pull/7417, we may want to adjust the above. That said, the PR is for wayland and this is for x11 and the change on its own is not unreasonable, so perhaps this change would be ok, and then adapted once the details of 7417 are worked out.