Request classic confinement for deezer-linux

  • name: deezer-desktop
  • description: Unofficial port of Deezer Desktop Application. Deezer Desktop is only available on Windows and MacOS. This port only repackages Deezer Desktop for Windows to work on Linux, thanks to electron.
  • snapcraft: no snapcraft. electron-builder snap config instead
  • upstream: GitHub - aunetx/deezer-linux: An universal linux port of deezer, supporting Flatpak, Appimage, Snap, RPM, DEB...
  • upstream-relation: main maintainer
  • supported-category: electron application
  • reasoning: This application is based on Electron and cannot work under strict confinement because of that. We have tried to remove as many permissions as we could. We have tried plugs and slots (desktop, legacy, wayland), but classic confinement is still needed.

I understand that strict confinement is generally preferred over classic.

I’ve tried the existing interfaces to make the snap work under strict confinement.

This request has been added to the queue for review by the @reviewers team.

So, what exactly didn’t work?

Since you mentioned those plugins, I assume you didn’t use the gnome or kde-neon-6 extension, which may have made creating this Snap more difficult.

I created a snapcraft.yaml file for your app, using strict confinement and core24, and opened a pull request in the repository.

2 Likes

Note that this is not a supported category, it would need to be one from the list of supported categories at:

1 Like

Hey @deezer-community

I don’t clearly see any technical reason why this snap cannot run under strict confinement. Could you please share the denials you observe when running your application under confinement?

Thanks

When trying to create the Snap version with strict confinement, I noticed that I needed to have the shared-memory plug and use “--no-sandbox” in the app startup command.

I suppose the lack of these things made it seem like the app couldn’t work in strict confinement.
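The denials the reviewer asks for can be pulled out of kernel audit lines and grouped, which is how a missing shared-memory plug shows up. This is an added example, not part of any post in this thread or of the project's code: the log lines are constructed, the profile name assumes the app inside the snap is also called deezer-desktop, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample kernel audit lines (not captured from the real snap).
# Assumption: the AppArmor profile is snap.deezer-desktop.deezer-desktop.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:301): apparmor="DENIED" operation="open" profile="snap.deezer-desktop.deezer-desktop" name="/dev/shm/.org.chromium.Chromium.a1B2c3" pid=4242 comm="deezer-desktop" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.102:302): apparmor="DENIED" operation="open" profile="snap.deezer-desktop.deezer-desktop" name="/dev/shm/.org.chromium.Chromium.d4E5f6" pid=4242 comm="deezer-desktop" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.250:303): apparmor="DENIED" operation="open" profile="snap.other-app.other-app" name="/etc/shadow" pid=5000 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.300:304): apparmor="ALLOWED" operation="open" profile="snap.deezer-desktop.deezer-desktop" name="/proc/4242/maps" pid=4242 comm="deezer-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bare_value pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def snap_denials(log, snap):
    """Return the DENIED records whose AppArmor profile belongs to the given snap."""
    prefix = f"snap.{snap}."
    records = (parse_line(line) for line in log.splitlines())
    return [r for r in records
            if r.get("apparmor") == "DENIED" and r.get("profile", "").startswith(prefix)]


def summarize(denials):
    """Count denials per (operation, path), collapsing Chromium's random /dev/shm suffix."""
    counts = Counter()
    for d in denials:
        name = re.sub(r"(\.org\.chromium\.Chromium)\.\w+$", r"\1.*", d.get("name", "?"))
        counts[(d.get("operation", "?"), name)] += 1
    return counts


def needs_shared_memory(denials):
    """True if any denied path is under /dev/shm, the area the shared-memory plug covers."""
    return any(d.get("name", "").startswith("/dev/shm/") for d in denials)


if __name__ == "__main__":
    found = snap_denials(SAMPLE_LOG, "deezer-desktop")
    for (operation, name), n in summarize(found).items():
        print(f"{n}x {operation} {name}")
    print("shared-memory plug needed:", needs_shared_memory(found))
```

On a real system the same kind of lines can be read from the kernel log, for example with `journalctl -k`, and passed to `snap_denials` in place of the sample.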

The --no-sandbox is normal for electron apps, you really do not want to stack two sandboxes into each other (you already have snap sandboxing around the app)

Keeping the electron sandbox also requires running a suid root binary inside the snap which makes it actually less secure

1 Like