However, due to the fact I use extensions: [gnome] in snapcraft.yaml, as soon as I change confinement: strict to confinement: classic I’ll get the following error:
snapcraft
Extension 'gnome' does not support confinement 'classic'
Full execution log: '/home/ahodzic/.local/state/snapcraft/log/snapcraft-20230828-201048.785188.log'
Hence, could you please advise me how can I switch to classic confinement with GNOME or have ability not to run into pkexec: not found error while using strict confinement.
you can not … classic snaps can not use extensions at runtime and can not use interfaces (not 100% sure about layouts (i dont touch classic, it is too hard to package) but i think you can not use them either) …
also note that classic means you need to make very sure the two environments (host and base snap) never leak into each other, so there is a lot of fiddling with the environment involved …
and last, it is very unlikely you will get classic granted for this snap so you will not be able to release it through the store … (it must fit into one of the supported categories here: Process for reviewing classic confinement snaps)
@alan_g
Hello! I am also involved in this project and came to comment on what I know
I encountered this error before when researching how to use pkexec in a Snap. I’ve never encountered this error outside of a Snap so I do believe it is related to Snap’s sandboxing.
The GUI we’ve created has some actions that require privilege escalation, so we’re using pkexec to prompt the user for this, similar to software like GParted. I have found almost nothing online about how to fix this issue
@shadeyg56 I’ve no experience of using PolicyKit from a snap but imagine that it needs some dbus(?) interface plugged so that it can communicate with the desktop agent.
@alan_g Ok I checked out the link you sent and used snappy_debug and it doesn’t report any missing plugs
As far as I can tell, pkexec needs certain permissions that are not available in the snap. I tried using sudo chmod 04755 /snap/auto-cpufreq//x6/usr/bin/pkexec as somebody recommended in another thread but it doesn’t work since the snap is read-only.
It seems like snap and pkexec just don’t play together well at all. I’m mostly surprised that nobody else has reported this before, as I find it hard to believe that I am the first person to try to use pkexec in a snap package
@alan_g also to add, once .snap is built I install it using --devmode which won’t enforce any security policies and need for any additional plugs wouldn’t be a problem at this point.
It seems to be a problem with snap package which neither I or @shadeyg56 can’t figure out at this point.
Hence any additional help from you or anyone else from Canonical side would be great, thanks!
As I stated previously, I thought when I install built .snap file using --devmode it wouldn’t enforce any security policies so any potential missing plugs wouldn’t be a problem at this point?
Regardless, I added both packagekit-control and packagekit-svc plugs, but then I would get a warning:
sudo snap install auto-cpufreq_2.0_amd64.snap --devmode
2023-09-01T08:52:44+02:00 INFO snap "auto-cpufreq" has bad plugs or slots: packagekit-svc (unknown interface "packagekit-svc")
2023-09-01T08:52:49+02:00 INFO snap "auto-cpufreq" has bad plugs or slots: packagekit-svc (unknown interface "packagekit-svc")
auto-cpufreq 2.0 installed
WARNING: There is 1 new warning. See 'snap warnings'.
Hence I removed packagekit-svc from plugs (kept packagekit-control ) and current snapcraft.yaml contents are as follows:
name: auto-cpufreq
base: core22
summary: Automatic CPU speed & power optimizer for Linux
description: |
Automatic CPU speed & power optimizer for Linux based on active
monitoring of laptop's battery state, CPU usage and system load.
Ultimately allowing you to improve battery life without making
any compromises.
license: LGPL-3.0
grade: stable
confinement: strict
adopt-info: auto-cpufreq
compression: lzo
parts:
auto-cpufreq:
plugin: python
python-packages:
- setuptools
- wheel
- requests
build-packages:
- gcc
- python3-dev
stage-packages:
- coreutils
- dmidecode
- pkexec
source: .
override-pull: |
snapcraftctl pull
snapcraftctl set-version `grep ^VERSION $SNAPCRAFT_PART_SRC/setup.py | sed 's/.*"\(.*\)"/\1/'`
deploy-scripts:
plugin: dump
source: scripts
organize:
cpufreqctl.sh: usr/bin/cpufreqctl.auto-cpufreq
snapdaemon.sh: usr/bin/snapdaemon
copy-image:
plugin: dump
source: images
plugs:
etc-auto-cpufreq-conf:
interface: system-files
write:
- /etc/auto-cpufreq.conf
apps:
auto-cpufreq:
command: bin/auto-cpufreq
environment:
PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
LC_ALL: C.UTF-8
LANG: C.UTF-8
PKG_MARKER: SNAP
plugs:
- cpu-control
- system-observe
- hardware-observe
- etc-auto-cpufreq-conf
auto-cpufreq-gtk:
command: bin/auto-cpufreq-gtk
extensions: [gnome]
environment:
PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
LC_ALL: C.UTF-8
LANG: C.UTF-8
PKG_MARKER: SNAP
plugs:
- cpu-control
- system-observe
- hardware-observe
- desktop
- desktop-legacy
- wayland
- x11
- packagekit-control
service:
command: usr/bin/snapdaemon
plugs:
- cpu-control
- system-observe
- hardware-observe
environment:
LC_ALL: C.UTF-8
LANG: C.UTF-8
PKG_MARKER: SNAP
daemon: simple
However, I still get the same error when I try to install the daemon: The following error occured: /bin/sh: 1: pkexec: not found. Again, I’m still baffled by what is missing or what the problem is exactly.
I also pushed this latest built snap to auto-cpufreq beta channel hoping it could give you more insight, but it was also flagged for human review:
snapcraft upload auto-cpufreq_2.0_amd64.snap --release beta
Issues while processing snap:ew
- human review required due to 'allow-installation' constraint (bool)
Full execution log: '/home/ahodzic/.local/state/snapcraft/log/snapcraft-20230901-091009.105226.log'
By “install the daemon” you mean installing the snap? “/bin/sh: 1: pkexec: not found” means what one expects - the executable is not on $PATH. Above, I suggested that was because you didn’t include it in your snap. I thought that was resolved:
But, if you’re getting “not found” again, maybe you’re doing something weird with $PATH?
One way to investigate is to use snap run --shell ... to get a shell with the environment your app runs. You can then examine $PATH and experiment.
You should focus on getting more insight yourself. I’ve already told you that what you are doing is outside my experience. All I can do is suggest the things I would look at were I in your situation.
I’m not surprised that using pkexec would require approval from the store team. If it helps, there’s a review-tool snap that can run the checks locally for faster feedback.
@alan_g I made a mistake in my last reply where I pointed the old problem. After last changes to snapcraft.yaml (as presented in my previous post), problem is not pkexec: not found anymore, new problem is: “pkexec must be setupid root”
@alan_g@ogra on top of this, my upload to beta channel of auto-cpufreq with - packagekit-control listed as one of the plugins got rejected. I’m not sure if I should move this to snapcrat-requests at this point because ideally I would like to make snap work as expected before requesting anything.
I also found out that pkexec must be setuid root during install with --devmode for local testing could be a snap related bug?
Again, any pointers would be of great help because this problem pkexec must be setuid rootdoes not happen on regular non snap install.
For reference, latest version of snapcraft.yaml looks like:
name: auto-cpufreq
base: core22
summary: Automatic CPU speed & power optimizer for Linux
description: |
Automatic CPU speed & power optimizer for Linux based on active
monitoring of laptop's battery state, CPU usage and system load.
Ultimately allowing you to improve battery life without making
any compromises.
license: LGPL-3.0
grade: stable
confinement: strict
adopt-info: auto-cpufreq
compression: lzo
parts:
auto-cpufreq:
plugin: python
python-packages:
- setuptools
- wheel
- requests
build-packages:
- gcc
- python3-dev
stage-packages:
- coreutils
- dmidecode
- pkexec
source: .
override-pull: |
snapcraftctl pull
snapcraftctl set-version `grep ^VERSION $SNAPCRAFT_PART_SRC/setup.py | sed 's/.*"\(.*\)"/\1/'`
deploy-scripts:
plugin: dump
source: scripts
organize:
cpufreqctl.sh: usr/bin/cpufreqctl.auto-cpufreq
snapdaemon.sh: usr/bin/snapdaemon
copy-image:
plugin: dump
source: images
plugs:
etc-auto-cpufreq-conf:
interface: system-files
write:
- /etc/auto-cpufreq.conf
apps:
auto-cpufreq:
command: bin/auto-cpufreq
environment:
PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
LC_ALL: C.UTF-8
LANG: C.UTF-8
PKG_MARKER: SNAP
plugs:
- cpu-control
- system-observe
- hardware-observe
- etc-auto-cpufreq-conf
auto-cpufreq-gtk:
command: bin/auto-cpufreq-gtk
extensions: [gnome]
environment:
PYTHONPATH: $SNAP/usr/lib/python3/site-packages:$SNAP/usr/lib/python3/dist-packages:$PYTHONPATH
LC_ALL: C.UTF-8
LANG: C.UTF-8
PKG_MARKER: SNAP
plugs:
- cpu-control
- system-observe
- hardware-observe
- desktop
- desktop-legacy
- wayland
- x11
- packagekit-control
service:
command: usr/bin/snapdaemon
plugs:
- cpu-control
- system-observe
- hardware-observe
environment:
LC_ALL: C.UTF-8
LANG: C.UTF-8
PKG_MARKER: SNAP
daemon: simple
