Request for Strict confinement to classic confinement for MqttDesk

Hello

We have created a cross-platform MQTT desktop client on the Electron platform which works on macOS, Windows & Linux. It works perfectly for all the platforms. Link is for the snap.

It's a desktop application which requires a license key for running the desktop application.
We need to get the information about the license status like expired, pending, active etc., so we need access to the paths below to run the app smoothly and to read and write the license information.

~/.local/share/data/bconf/

/sys/devices/virtual/dmi/id

Request you to please approve the request.

here using the personal-files interface should help.

access to this sysfs node should typically be provided via the hardware-observe interface.

Hello there

How to get the permission for that as I am totally new for the snaps?
Requesting you to please guide for that also.

Thanks for information again.

here is some documentation about interfaces and how they work:

and here is the documentation of the personal-files interface with examples:


Thanks a lot for the information.
Do I need permission to get these interfaces?

Thanks again

not for hardware-observe (you might need permission for auto-connecting that) …

personal-files will definitely need a review …

Hello there
Requesting you to please provide us the permission for auto-connecting hardware-observe & permission for personal-files.
We need to get the license key information that’s why we do need the autoconnecting & personal files access permission.

you should probably first implement the interfaces in your snapcraft.yaml, make sure the app works as expected with both of them connected and then upload the snap to the store with the changed interfaces, where it then goes into the review queue of the @review-team

Hello

Please review my snap for the classic confinement as I am using the license keys for my application to activate it, so I used the personal files access for it.

Thanks

@review-team
Requesting you to please review it.

Explanation on why we need access to these 2 directories: /.local/share/bconf and /sys/devices/virtual/dmi/id

We’re using a Licensing API package called Cryptlex that allows us to easily guarantee license keys and validate them. This package requires read-write access to /.local/share/bconf and read access to /sys/devices/virtual/dmi/id in order to get an advanced device fingerprint of the user’s device and prevent software piracy.

Info about Cryptlex:

Official website
Official npm package
Terms of Service
Privacy Policy

Hey @newbee_snap,

Could you please update this topic to remove the need of classic and request use of/auto-connection for the requested interfaces instead?

Also, I don't see your snap manifest updated yet, could you please do so?

Either way, I am +1 for use of personal-files with write access to ~/.local/share/data/bconf, but I am -1 for auto-connect it since mqttdesk is not the clear owner of such directory.

I am +1 for use of hardware-observe as it's needed for reading from /sys/devices/virtual/dmi/id

Hello @emitorino, we have decided to not use auto-connect. We have just used personal-files for both ~/.local/share/data/bconf (read+write access) and /sys/devices/virtual/dmi/id (read access)

Sorry but, what’s the snap manifest? Where can I update it?

It’s the file used by snapcraft to build the snap: https://snapcraft.io/docs/creating-snapcraft-yaml.

Your latest revision uploaded to the store looks like:

grade: stable
confinement: classic
name: mqttdesk
version: 2.1.0
title: MqttDesk
summary: MqttDesk
description: MqttDesk
architectures:
  - amd64
apps:
  mqttdesk:
    command: command.sh 

Please update it, moving from confinement classic to strict, and also add the interface details we have discussed.

@emitorino
Thanks for help.

We are not able to edit the topic now.

We will update the manifest and push the snap again. But one query here…
Should we push the snap again and get the review and approval again on the same topic or will it be a new manual review again?

The revision will be automatically rejected since the declaration has not been granted yet; as per the Process for aliases, auto-connections and tracks, we still need more votes.

Why does the snap need access to the real ~/.local/share/bconf? Snaps have their own private $HOME under ~/snap/mqttdesk/<revision> and so should happily work if they respect $HOME - ie. the snap should just use the path $HOME/.local/share/bconf and this should just work, then there is no need to access the user’s actual ~/.local/share/bconf directory via personal-files. @newbee_snap can you please comment?

Hello there, we’re using a third-party node.js package called Cryptlex and they told us that they need access to those folders.

Because the API we are using accesses the ~/.local/share/bconf and /sys/devices/virtual/dmi/id. This is all in order to prevent software piracy.
It will check the /.local because it will check the other license information availability on the user personal files.

The licensing API suggested to us that using classic mode will work and we tried that and it did work…
Requesting you to please provide classic mode.

This snap does not meet the requirements for classic confinement and so this is not suitable in this case.

However, as I said above, I don’t think you should even need personal-files if the code can respect $HOME, however if this is not the case then personal-files can be used for access to ~/.local/share/bconf if this is strictly necessary. Also a number of existing interfaces do provide some access to some of the paths under /sys/devices/virtual/dmi/id - can you please be more specific as to which files you require access to from this path? Finally, system-files can be used to grant this access as well.

Please can you respond to these questions and we can try and help.
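
Added example, not part of any post in this thread and not the publisher's actual snapcraft.yaml: a fragment showing how the strict-confinement options named above could be declared. The plug names `bconf-data` and `dmi-id` are hypothetical labels; the paths are the ones quoted in the thread.

```yaml
# Fragment only: metadata keys (name, version, summary, ...) stay as in the
# manifest quoted earlier in the thread; base and parts are omitted.
confinement: strict            # replaces "confinement: classic"

plugs:
  # personal-files is only needed if the licensing library ignores $HOME.
  # Under strict confinement $HOME is the snap's private
  # ~/snap/mqttdesk/<revision>, so $HOME/.local/share/bconf works there
  # without any plug. Inside this plug, $HOME means the user's real home.
  bconf-data:                  # hypothetical plug name
    interface: personal-files
    write:
      # The thread also writes this path as ~/.local/share/data/bconf;
      # declare whichever one the library really uses.
      - $HOME/.local/share/bconf

  # Alternative to hardware-observe for the DMI node. Narrow this to the
  # individual files the library reads once those are known.
  dmi-id:                      # hypothetical plug name
    interface: system-files
    read:
      - /sys/devices/virtual/dmi/id

apps:
  mqttdesk:
    command: command.sh
    plugs:
      - bconf-data
      # Keep only one of the next two after testing which is sufficient.
      - hardware-observe
      - dmi-id
```

With auto-connection not granted, the plugs can be connected by hand for testing, for example `snap connect mqttdesk:hardware-observe` and `snap connect mqttdesk:bconf-data`, and checked with `snap connections mqttdesk`.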

@alexmurray @emitorino

Sorry for late reply.
Please give us one more day; we are testing our app with the asked environment with strict confinement. We will get back shortly. But we definitely need support to get approval for the personal files access and the hardware observe or system file, which we will confirm after testing with strict confinement. Thanks for helping us.
