Request for Classic Confinement Approval - bne-guard-vpn Snap

Greetings Snapcraft Forum Members,

I hope this post finds you all in good spirits. I am writing to discuss a proposal for granting classic confinement to the “bne-guard-vpn” snap. This request is grounded in the need for our Flutter GUI app to seamlessly execute WireGuard commands via the terminal in the background, ultimately enhancing the user experience.

The core functionality of our application relies on the ability to run WireGuard commands from within the terminal, even while presenting a user-friendly graphical interface. We are aware of the security considerations associated with classic confinement and are committed to mitigating any potential risks through proactive monitoring and adherence to security best practices.

Our belief is that classic confinement is the most effective way to provide users with a comprehensive experience. The seamless integration of the terminal for WireGuard operations aligns with our goal of offering users a smooth and intuitive interaction with the “bne-guard-vpn” snap.

We understand the importance of security within the Snapcraft ecosystem and are ready to engage in open discussions to address any concerns and ensure compliance with community guidelines.

Your input is invaluable to us, and we look forward to your thoughts and insights on this proposal. We are enthusiastic about contributing positively to the Snapcraft community and appreciate your consideration of our request.

Thank you for your time and attention.

Hi @Mohammed, we have many other VPN clients in the store and all can use strict confinement. Also, the process for classic confinement is documented at the Process for reviewing classic confinement snaps. It should fit in one of the supported categories.

One possible solution I can think of is to ship the wireguard tools it needs inside the snap. thanks

Hello @0xnishit ,

Appreciate your response.

Currently implementing your suggestions. However, root access is essential for WireGuard tools, posing a constraint under strict confinement.

Exploring solutions, including tools within the snap. Your insights are valuable.


Why would confinement have any effect on this? It does not elevate or demote your permissions at all, if you run your tool with sudo or as a system service it will have root access, not any different to non-snap packaged tools, confinement only manages access to system resources…

Thanks @ogra for your response.

As you said “if you run your tool with sudo”, that would definitely fix the problem however as our app is GUI we use “pkexec”. “pkexec” works fine in classic confinement, but in strict confinement we get this error : pkexec: not found, because it’s in the usr directory which is not accessible in strict confinement.

going throw this topic Process for reviewing classic confinement snaps I can see that “direct access to pkexec” is Unsupported/not valid reason for classic confinement, the suggested solution is to alert the user to run under sudo however this will break some of the app functionalists for example launching other apps like the browser or email, we only need to run a part of the app under sudo.

Hi @Mohammed,

As you point out in the process document, the requirement for pkexec isn’t valid reason for us to grant classic. Are you able, perhaps, to try making the main application start as root then drop privileges before launching those other apps?

Hi @dclane, Thanks for the response.

Unfortunately I can’t run the app with sudo when using strict confinement, I am getting this error

mkdir: cannot create directory ‘/run/user/0’: Permission denied
Authorization required, but no authorization protocol specified

(bneguard:6957): Gtk-WARNING **: 15:46:39.351: cannot open display: :0

Hi @Mohammed ,

It’s been a while since we last discussed, so what’s the status of this request?

Hi @Mohammed , ping, this request cannot proceed without the requested status update? Thanks

Hi @Mohammed - since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks