Process for reviewing classic confinement snaps

Classic confinement review process

Background

As of snapd 2.20, snappy supports confinement: classic, which allows the snap to run without restrictions. Future releases of snapd will also support a classic interface (name TBD) that operates similarly. Snaps specifying classic confinement may target the stable channel, but are only supported on classic distro systems (ie, not on Ubuntu Core).

Because classic confinement snaps run without restrictions, use of classic confinement effectively grants device ownership to the snap. Due to the sensitive nature of classic confinement:

  • users must specify --classic when using snap install to install a snap using classic confinement
  • the review process in the snap store will flag for human review snaps that specify classic confinement
  • the store provides a mechanism for the reviewer to allow classic confinement to the snap so that subsequent uploads do not trigger human review
  • the publisher shall be vetted using the processes in this topic before classic confinement is granted by the store

Definitions

  • reviewers are @reviewers
  • snappy architects are Mark, Gustavo, Samuele, etc
  • advocacy team is @advocacy
  • classic confinement is defined as confinement: classic and the upcoming classic interface (final name TBD)
  • classic confinement applies to a particular snap ID and may be revoked by the store

Process

  1. the publisher makes the request for classic confinement in the forum using the store-requests category
  2. the technical reasons why the snap uses classic confinement are gathered in the forum post and captured for potential future snapd improvements. The technical requirements will be reviewed by the security team and/or an architect
  3. the advocacy team, reviewers team and/or architects participate in vetting the snap/publisher
  4. once the publisher has been vetted, the technical reasons have been captured and the request is approved, a store reviewer will issue a snap declaration for the snap and add a comment to the store giving the URL of the forum post

Known categories

Classic requests generally fall under a number of categories. The lists below give categories that developers may consult for uses of classic confinement that are known to be allowed or disallowed. @reviewers may consult these lists when processing classic requests. If something falls outside of these lists, the requirements must be gathered by a senior reviewer and discussed with an architect (after which it can be added to the lists).

Supported

  • compilers
  • IDEs
  • juju helpers
  • kubernetes tools requiring arbitrary authentication agents
  • nautilus scripts
  • programming languages
  • public cloud agents
  • tools for local, non-root user driven configuration of/switching to development workspaces/environments
  • terminal emulators, multiplexers and shells

Unsupported

  • management snaps
  • 3rd party installer snaps (eg, for native packages, appimages, flatpaks, snaps, etc)
  • difficulty making strict confinement work
  • dependent software only available on the host (ship it in the snap instead, eg, via stage-packages or by building from source)
  • access to dot files in $HOME (use $HOME instead of getent*, personal-files)
  • access to /etc (use layouts, system-files)
  • hard-coded paths (use snapcraft-preload, layouts)
  • ability to run other snaps directly (as opposed to defined interfaces)
  • access to arbitrary files on the system because the application isn’t designed with confinement in mind
  • access to arbitrary files on the system due to developer/user inertia
  • GNOME shell extensions
  • nautilus extensions
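
Several entries in this list name the strict-mode alternative a reviewer will point to: personal-files for a dot file in $HOME, layouts for paths under /etc or other hard-coded locations, and stage-packages for dependencies that exist only on the host. The snapcraft.yaml below is an added example, not from the original post or from the snapd project, that shows the strictly confined shape these alternatives take; the snap name, the .example-config file, the /etc/example path and the libfoo1 package are hypothetical placeholders.

```yaml
# Added example (not from the original post): a strictly confined snap that
# addresses three of the "unsupported" reasons for classic with interfaces,
# layouts and stage-packages instead. All names here are hypothetical.
name: example-tool
base: core18
version: '1.0'
summary: Example CLI demonstrating strict-mode alternatives to classic
description: |
  Demonstrates personal-files, layouts and stage-packages in place of
  classic confinement. Hypothetical snap for illustration only.
grade: stable
confinement: strict        # not "classic"; everything below keeps the sandbox

plugs:
  # Instead of classic for "access to dot files in $HOME": declare exactly
  # which dot file is needed via personal-files. Auto-connecting this plug
  # still needs store approval (a snap declaration), but the grant is scoped
  # to one path rather than to the whole host.
  dot-example-config:
    interface: personal-files
    read:
      - $HOME/.example-config

layout:
  # Instead of classic for "access to /etc" or "hard-coded paths": bind the
  # path the program expects onto a location that lives inside the snap.
  /etc/example:
    bind: $SNAP/etc/example

parts:
  example-tool:
    plugin: dump
    source: .
    # Instead of classic for "dependent software only available on host":
    # pull the dependency into the snap with stage-packages.
    stage-packages:
      - libfoo1             # hypothetical package name

apps:
  example-tool:
    command: bin/example-tool
    plugs:
      - home                # non-hidden files in $HOME
      - dot-example-config  # the single dot file declared above
```

Each of the three mechanisms keeps the snap inside its sandbox while granting only the specific access the program needs, which is why a classic request that cites one of these reasons is normally redirected to them.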

Criteria

This lists some criteria that might require classic (non-exhaustive):

  • access to files on the host outside the snap’s runtime (eg, /usr)
  • running arbitrary commands (esp if user-configurable, such as a developer tool to organize dev environments)
  • access to resources not yet supported by snapd and where the requirement is clearly understood to be supportable by snapd. This may result in temporarily granting classic until snapd supports the use case in strict mode

NOTE: while something may be known to require classic, that alone may not justify granting classic confinement.

Additional

Sometimes it might make sense for a snap to be allowed the use of classic (eg, for classic distro) but be usable in strict mode (eg, for Ubuntu Core). In these cases, rather than having two separate snaps, it is considered best to have two separate tracks, the default track and another called classicmode.

@niemeyer and @evan, can you review these processes?

Thank you Jamie, this is good. I have one lingering concern: can we do more to direct software vendors to the forum for this request? For example, could the feedback from automated review instruct them to create a forum post?

Yes, I’ll make that happen.

Per Classic confinement for Android Studio, we should consider members of the snapcrafters team as vetted if the snap is coming from one of the snapcrafters repositories. @evan, @Wimpress and @popey (ie, the snap advocacy team which vets publishers) handle invitations to the team and vetting of team members and they review all PRs from members.

Sometimes publishers request the use of classic for so-called ‘installer snaps’. One particular variant of installer snap is one that provides a frontend for manipulating traditional distro packaging repositories and software installation and removal which may or may not also include installing snaps.

In addition to the normal criteria outlined above, the following criteria should also be met when considering this variant of installer snap:

  • Is the snap an image frontend for applications (meaning it is being shipped in the image itself by the image builders)?
  • Does the particular image (the Linux distribution or flavor) have a visible community behind it that would justify the snap being publicly available?
  • Does the snap name, summary, and description clearly describe the use case, so people wouldn’t risk installing it without intending to? (for example, <distro name>-...-welcome, etc. Eg, ubuntu-mate-welcome)

Note that some ‘installer snaps’ (eg, gnome-software and software-boutique) are not distro-specific (eg, they work with any number of package backends) and therefore may not be required to be prefixed with <distro>-. These will be evaluated case by case using the above criteria as a starting point.

References:

I would like to request pinning this topic in the store category.

I’ve moved this back to the docs category because it’s linked to from our documentation (Snap confinement). Outside of docs, it’s not published and causes a 404.

@reviewers - fyi, I added a ‘Known categories’ section to the first post in this topic (ie, the wiki portion) that should help us remember various categories. I doubt it is complete, but I can add them as I remember.