I hope this post finds you all in good spirits. I am writing to discuss a proposal for granting classic confinement to the “bne-guard-vpn” snap. This request is grounded in the need for our Flutter GUI app to seamlessly execute WireGuard commands via the terminal in the background, ultimately enhancing the user experience.
The core functionality of our application relies on the ability to run WireGuard commands from within the terminal, even while presenting a user-friendly graphical interface. We are aware of the security considerations associated with classic confinement and are committed to mitigating any potential risks through proactive monitoring and adherence to security best practices.
Our belief is that classic confinement is the most effective way to provide users with a comprehensive experience. The seamless integration of the terminal for WireGuard operations aligns with our goal of offering users a smooth and intuitive interaction with the “bne-guard-vpn” snap.
We understand the importance of security within the Snapcraft ecosystem and are ready to engage in open discussions to address any concerns and ensure compliance with community guidelines.
Your input is invaluable to us, and we look forward to your thoughts and insights on this proposal. We are enthusiastic about contributing positively to the Snapcraft community and appreciate your consideration of our request.
Hi @Mohammed, we have many other VPN clients in the store and all can use strict confinement. Also, the process for classic confinement is documented at the Process for reviewing classic confinement snaps. It should fit in one of the supported categories.
One possible solution I can think of is to ship the WireGuard tools it needs inside the snap. Thanks.
Why would confinement have any effect on this? It does not elevate or demote your permissions at all, if you run your tool with sudo or as a system service it will have root access, not any different to non-snap packaged tools, confinement only manages access to system resources…
As you said “if you run your tool with sudo”, that would definitely fix the problem; however, as our app is a GUI, we use “pkexec”.
“pkexec” works fine in classic confinement, but in strict confinement we get this error:
pkexec: not found, because it’s in the usr directory, which is not accessible in strict confinement.
Going through the topic Process for reviewing classic confinement snaps, I can see that “direct access to pkexec” is an unsupported/not valid reason for classic confinement. The suggested solution is to alert the user to run under sudo; however, this will break some of the app's functionality, for example launching other apps like the browser or email. We only need to run a part of the app under sudo.
As you point out in the process document, the requirement for pkexec isn’t a valid reason for us to grant classic. Are you able, perhaps, to try making the main application start as root then drop privileges before launching those other apps?
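One way to implement the suggestion above (start as root, keep root only for the WireGuard work, drop privileges before launching other apps), as an added example that is not part of this thread or of the bne-guard-vpn snap: a Linux / Python 3.9+ sketch in which the parent stays root while browser or mail helpers are launched as the invoking user. The function names are hypothetical; SUDO_UID and PKEXEC_UID are the variables sudo and pkexec set in the environment of the program they start.

```python
import os
import pwd
import subprocess
import sys

def invoking_user() -> tuple[int, int]:
    # uid/gid to run unprivileged helpers as; falls back to 'nobody' when unknown
    if os.geteuid() != 0:                      # already unprivileged: nothing to drop
        return os.getuid(), os.getgid()
    for var in ("SUDO_UID", "PKEXEC_UID"):     # set by sudo / pkexec for the child
        if var in os.environ:
            pw = pwd.getpwuid(int(os.environ[var]))
            return pw.pw_uid, pw.pw_gid
    pw = pwd.getpwnam("nobody")
    return pw.pw_uid, pw.pw_gid

def drop_privileges(uid: int, gid: int) -> tuple[int, int]:
    # Irreversibly drop root in this process. Order matters: supplementary groups
    # first, then gid, then uid (a non-root uid can no longer change its groups).
    # setres* changes real, effective AND saved ids, so setuid(0) cannot work later.
    if os.geteuid() == 0:
        os.setgroups([])
        os.setresgid(gid, gid, gid)
        os.setresuid(uid, uid, uid)
    return os.geteuid(), os.getegid()

def privileges_dropped() -> bool:
    # True only if regaining root now fails with EPERM: the check worth testing
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False

def run_unprivileged(argv: list[str]) -> str:
    # Launch a helper (browser, mail client, ...) as the invoking user while the
    # parent keeps root; Popen's user=/group=/extra_groups= do the same sequence in the child.
    drop = {}
    if os.geteuid() == 0:
        uid, gid = invoking_user()
        drop = {"user": uid, "group": gid, "extra_groups": []}
    out = subprocess.run(argv, capture_output=True, text=True, check=True, **drop)
    return out.stdout.strip()

def child_euid() -> int:
    # effective uid observed inside a helper started via run_unprivileged()
    return int(run_unprivileged([sys.executable, "-c", "import os; print(os.geteuid())"]))
```

Run the privileged WireGuard commands before calling drop_privileges(); helpers started with run_unprivileged() never see root, whichever order they are launched in.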
Hi @Mohammed - since we’ve not heard back from you, we are removing this request from our review queue. When you have more time to respond, simply do so here and we can add the request back to the queue. Thanks