Polkit policy support?


#1

For Ubuntu Budgie we are busy snapping up our app “budgie-welcome”.

It allows users to install deb-based packages and add PPAs via GUI buttons.

Underpinning this is a polkit policy and a trusted Python executable to install packages and PPAs seamlessly without user authentication being required.

So currently the classic based snap installs the policy to /snap/budgie-welcome/current/usr/share/polkit-1/actions/ and the exe to /snap/budgie-welcome/current/usr/lib/budgie-welcome/

Question - A user based authentication request is still being shown. How should policykit based policies work under snaps? Any examples that anyone can share?


#2

/snap/budgie-welcome/current/usr/share/polkit-1/actions/: this isn’t a directory that is known to polkit. You would want to put the file in /usr/share/polkit-1/actions/ instead, otherwise polkit isn’t going to know about your policy.


#3

@jdstrand

/usr/share/polkit-1/actions/ within the snap? or actually delivered separately outside the snap on ubuntu itself?


#4

The polkit service doesn’t know about snapd or your snap, so you will need to install your policy into /usr/share/polkit-1/actions for polkit to know about your policy. You said that this is a classic snap, so you have that ability.

For a strict mode snap to do this, we would need to create a new polkit backend, which would likely operate a lot like the udev backend, but would need to be designed.


#5

Hi @jdstrand - this snap will be a classic confinement request as it is the welcome screen for Ubuntu Budgie. The application installs software via apt, etc. It is similar to @Wimpress software boutique. We already have a working snap with the exception of this polkit issue, and one other small issue.

So coming back to the original question… My assumption is that I can leverage the “install” hook.

Thank you for the clarification.

“install”

The install hook is called upon initial install, before any services contained by the snap are started. If the hook exits non-zero, the installation of the snap will fail.

Example

Before running the snapcraft command to build your snap, this install file should be placed at this location:

/snap/hooks/install.

#!/bin/sh
set -e

# Run any commands needed to setup the snap.
# This could be downloading a list of dynamic configuration options or creating a database.


#6

I have used an install hook to create the appropriate policy for the required actions.


#7

Looks like policy kit doesn’t like the $SNAP variable. If I change our exe path to /snap/budgie-welcome/x1 then things start working. Note - if you use /snap/budgie-welcome/current then it doesn’t work. I guess this must be an AppArmor thing. So I’m looking at using the install and/or refresh hook to take the current $SNAP value itself and use that in a sed. @Wimpress I was looking at your snap in your repo for boutique, and when I last checked you were using $SNAP. Did that work for you?

For reference for those who would like to look:


#8

You said that this is a classic snap so AppArmor should not be in the way. Even under strict confinement, AppArmor would resolve symlinks so if /snap/foo/x1/bar worked, /snap/foo/current/bar would work too (but again, this is a classic snap so it should be something else).


#9

@bashfulrobot Yes, you need to use $SNAP in the policykit template because paths are explicit. It works a treat.


#10

Thanks for the reply! We had some issues leveraging it, but we got it sorted now!
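
The hook approach discussed in posts #7 and #9, as an added example that is not part of the original thread and is not budgie-welcome's own hook: it expands a policy template with the explicit revision path from $SNAP and writes the result into the directory polkit reads. The @SNAP@ token, the action id, the helper name and the template location are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install/refresh hook body for a classic snap that renders a
# polkit policy template with the explicit revision path.
set -eu

ACTIONS_DIR=/usr/share/polkit-1/actions   # directory named in post #2

# Constructed sample template, trimmed to the part the hook rewrites.
# Action id and helper name are placeholders.
write_sample_template() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.welcome.helper">
    <annotate key="org.freedesktop.policykit.exec.path">@SNAP@/usr/lib/budgie-welcome/helper</annotate>
  </action>
</policyconfig>
EOF
}

# render_policy TEMPLATE SNAP_DIR OUT: substitute @SNAP@ and write OUT atomically.
render_policy() {
    template=$1; snap_dir=$2; out=$3
    case $snap_dir in
        *[!A-Za-z0-9/._-]*|*..*)   # keeps sed and the XML free of surprises
            echo "unsafe SNAP path: $snap_dir" >&2; return 1 ;;
        /snap/*/current|/snap/*/current/*)   # post #7: this path did not work
            echo "need a revision path, got: $snap_dir" >&2; return 1 ;;
        /snap/*/*) ;;
        *) echo "unexpected SNAP path: $snap_dir" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$out.XXXXXX") || return 1
    sed "s|@SNAP@|$snap_dir|g" "$template" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! grep -q "$snap_dir/" "$tmp"; then   # template carried no token
        rm -f "$tmp"; return 1
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$out"   # polkit must be able to read it
}

# Hook entry point: acts only when snapd has set $SNAP and the template exists.
TEMPLATE="${SNAP:-}/usr/share/budgie-welcome/policy.in"   # hypothetical location
if [ -n "${SNAP:-}" ] && [ -f "$TEMPLATE" ]; then
    render_policy "$TEMPLATE" "$SNAP" "$ACTIONS_DIR/org.example.welcome.policy"
fi
```

The same script has to run from the refresh hook as well, since the revision in $SNAP changes on every update and the installed policy would otherwise keep pointing at the old revision's executable.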