Manual review request for Yandex browser

I recently pushed to the store the first version of the Yandex browser snap and I have got the following:

- human review required due to 'allow-installation' constraint (bool)
- package contains external symlinks: etc/cron.daily/yandex-browser -> /opt/yandex/browser/cron/yandex-browser, usr/bin/yandex-browser-stable -> /opt/yandex/browser/yandex-browser
- found errors in file output: unusual mode 'rwsr-xr-x' for entry './opt/yandex/browser/yandex_browser-sandbox'

I managed to remove the symlinks. Since I did not find a way to keep the yandex_browser-sandbox that requires the suid flag, I removed this binary as well.

I think the next step to release the snap is to also solve the human review required due to 'allow-installation' constraint (bool) declaration-snap-v2_plugs_installation (yandex-browser, steam-support)

Hi, @drcoccodrillus

steam-support is a super-privileged interface intended specifically to help Valve’s Steam client configure pressure-vessel containers. Thus, its use is not typically granted to snaps other than steam itself.

Unless Yandex browser really needs to configure a pressure-vessel container for some reason, I would suggest that you find the right interfaces that grant the minimum permissions required by your snap to run. That would make it more obvious for us and for the users what Yandex browser is allowed to do.

Hi @jslarraz

Thank you for your suggestion. I read through the documentation and it also struck me as odd that the app only works when the steam-support interface is connected.

I added it to my snapcraft.yaml because of this suggestion from snappy-debug:

= AppArmor =
Time: Jan 15 09:28:43
Log: apparmor="DENIED" operation="open" profile="snap.yandex-browser.yandex-browser" name="/proc/28461/setgroups" pid=28461 comm="yandex_browser" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
File: /proc/28461/setgroups (write)
Suggestions:
* adjust program to not access '@{PROC}/@{pid}/setgroups'
* add 'steam-support' to 'plugs'

Do you think there is a workaround for this?

If I’m right, browser-support grants read/write access to @{PROC}/@{pid}/setgroups, which should prevent this AppArmor denial. Could you please confirm that the browser-support interface is properly connected (snap connections <snap-name>)?

You should be able to connect it by issuing snap connect <snap-name>:browser-support

Yes, I confirm that browser-support interface is connected

Interface                Plug                                    Slot                      Notes
browser-support          yandex-browser:browser-support          :browser-support          -

However, when I start the app, AppArmor notifies me in the same way as above.

I just tried running the app with the --no-sandbox option, and it works. I could probably add a wrapper to start the app with this flag by default, but I think this might have some drawbacks in terms of security.

My feeling is that running the app with the --no-sandbox option would be better than using the steam-support interface (as the snap confinement should do the work here). However, I still think that it should be possible to make the application run normally by adding the required interfaces (there are many browsers in the store already).

Maybe @alexmurray @emitorino have some idea/suggestion on this.

1 Like

Similar to all other Electron apps, it typically does not harm any security: your snap already runs in a hardened sandbox, so you do not additionally need the Electron sandbox. They would just stack up otherwise, and you do not need two sandboxes inside each other …

2 Likes

Thanks, mates! 💪 Now the app starts with the --no-sandbox flag and I removed the steam-support from the plugs in my snapcraft.yaml.

I will now test the proper functioning of the app and then open another store request to ask for automatic connections for some interfaces.

3 Likes

@drcoccodrillus since the snap does not need steam-support, I am removing this request from our review queue. Feel free to write again or create a new topic if it requires further accesses in the future. Thanks!

1 Like
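
The AppArmor denial quoted earlier in this thread can be read field by field before deciding which interface to plug. The following is an added example, not code from any participant or from snapd: it parses audit lines, keeps only DENIED events for snap app profiles, and generalizes the path the way the snappy-debug output above prints it. The sample log is constructed from the quoted line (the second and third entries are invented for illustration), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the denial quoted in the thread; lines 2-3 are
# invented to show de-duplication across pids and filtering of non-DENIED events.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="open" profile="snap.yandex-browser.yandex-browser" name="/proc/28461/setgroups" pid=28461 comm="yandex_browser" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" profile="snap.yandex-browser.yandex-browser" name="/proc/28502/setgroups" pid=28502 comm="yandex_browser" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="open" profile="snap.yandex-browser.yandex-browser" name="/proc/28502/status" pid=28502 comm="yandex_browser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Common AppArmor file-permission letters; unknown letters are passed through.
MASKS = {"r": "read", "w": "write", "a": "append", "x": "execute", "k": "lock"}

def parse_line(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def generalize(path):
    """Rewrite /proc/<pid>/... to @{PROC}/@{pid}/..., as snappy-debug prints it."""
    return re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)

def summarize(log):
    """Count DENIED file events per (snap, app, generalized path, access)."""
    counts = Counter()
    for line in log.splitlines():
        fields = parse_line(line)
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue
        parts = fields.get("profile", "").split(".")
        if len(parts) != 3 or parts[0] != "snap":
            continue  # only app profiles of the form snap.<snap>.<app>
        access = "+".join(MASKS.get(c, c) for c in fields.get("denied_mask", ""))
        counts[(parts[1], parts[2], generalize(fields["name"]), access)] += 1
    return counts

if __name__ == "__main__":
    for (snap, app, path, access), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x snap={snap} app={app} {access} {path}")
```

Grouping by generalized path makes it clear that the denial is one rule (write to the process's own setgroups file) rather than many unrelated accesses, which is the unit to compare against what an interface grants.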