Request classic confinement review for reemd gateway app


#1

Hi,

Need to have classic confinement for our reemd gateway app since our application is a gateway for users to login to their IoT and Linux devices remotely. reemd opens tty terminals and forwards them to the remote user and they can access their devices through a web app, very similar to TeamViewer, but without GUIs. reemd needs full access to the OS to function properly.

reemotly is a remote connectivity and IoT Platform.

You can find out more here: https://reemotly.com

The package reemotly Gateway is named reemd

https://dashboard.snapcraft.io/snaps/reemd/revisions/1/

Thanks
Jorge


#2

Can you elaborate on what you mean by “reemd needs full access to the OS to function properly”?

A couple of example questions that would be helpful to have answers to:

  • What access is required that is not covered by current interfaces?
  • What happens when that access is denied? (does your app crash, have missing functionality…?)
  • Can you post denial messages from apparmor when you try to run your app under strict confinement?

#3

You mention IoT. Please be aware that if Classic confinement is granted then your application will not be installable onto any Ubuntu Core devices.


#4

Thanks for your reply Daniel!

One point I forgot to mention, reemd is to run as a daemon or service

What access is required that is not covered by current interfaces?

reemd needs the ability to start shells (bash, sh, zsh…). The main functionality of reemd is to act as a gateway to start CLI/terminal/shell sessions remotely through a web browser using our cloud platform. We need the ability spawn these shells (processes).

I’m new to snapcraft I can’t seem to find an interface that would allow the app to execute or start other programs in the OS. Is this correct? Is there a way to do this through strict confinement?

Remote users will have the ability to access their files remotely as well, so a read access to the entire filesystem would be good.

reemd will also provide stats on hardware, cpu, disk space, memory usage. Access to observe hardware is required for this, which I think it already exists as an interface of snap.

What happens when that access is denied? (does your app crash, have missing functionality…?)

The app will have missing functionality

Can you post denial messages from apparmor when you try to run your app under strict confinement?

Not sure, looking into it.


#5

Hi Daniel,

Any updates on our request?

Thanks
Jorge


#6

We want to release soon, even if its just with classic confinement for now


#7

@reviewers, can you review this classic confinement request please?

@jorgexgb I’ve pinged the reviewers. They will probably pick this up on Monday.


#8

Hi daniel! Jacek Jaworski here - I am failed to send email to you. It seems your address not exists on bang-on.net . If you want serve your consultancy for me - then please let me know some working email address…


#9

did I send from bang-on? I should have sent from @ubuntu.com.


#10

Yes! You sent from bang-on.net - please send me dumb email to jaworski1978@adres.pl . I wrote prepositions of our colaboration. I will send you this document as son as you send me valid your email address.


#11

This seems to fall into the same category as https://forum.snapcraft.io/t/classic-confinement-for-dataplicity-agent/6215/9:

"
…the use cases reported matches with a class of problems that we’ve been avoiding classic confinement, at least for the time being: open-ended access into the whole device by remote parties, for management purposes.

Our suggestion for these problems right now is to continue packaging them as deb packages, and offering them through a PPA or other form of custom repository.
" – @niemeyer

You mentioned IoT several times in your request-- is this snap meant to run on Ubuntu Core? If so, please understand that classic confinement is not available on Ubuntu Core and packaging your application as a snap would need a new snapd interface that your snap would ‘plugs’. This would need some design. Please comment on your intended deployments and any other details that might be helpful.

@pedronis and/or @niemeyer - do you want to take a look at this one?


#12

Thanks for your reply!

We want to deploy our app in as many distributions as possible, and that can be either traditional OS or IoT focused, such as openWRT or Raspberry Pi. I do understand that for Ubuntu Core it won’t currently work, unless some ‘plugs’ are designed. I’m looking into this possibility.

Our customers are asking for terminal/CLI remote connectivity solutions to their IoT / Headless devices and the Snap Store seemed like the best solution to distribute them to many different distributions while at the same time have automatic updates.

Hopefully we could deploy at with Classic confinement (excluding Ubuntu Core) for now. Looking forward to hear your decision.

Thanks again for the help!