Requesting exception for use of 'browser-support' plug with daemon

I have created a private snap (pcds-kiosk) that is only used internally. It is a kiosk snap that simply runs an electron app. Automatic and manual reviews have been rejected on grounds of: specifying ‘daemon’ with ‘plugs: browser-support’.

I am requesting an exception as the snap will only be used internally, and electron apps require the ‘browser-support’ plug.

@review-team Is someone able to look into this for me please?

Regardless of whether a snap is only used internally, or whether it is private or not, since a publisher can easily make it public or once it is public, any user can install it, then the same process has to be followed regarding reviews.

Some things to know - the use of browser-support with daemon grants a lot of privileges to a snap (see the previous discussions for similar requests a few years ago for some background on this Suppress the security-snap-v2_daemon_with_browser-support warning for the snap, Request for daemon + browser-support for krellian-kiosk).

Does pcds-kiosk absolutely require the use of browser-support? I understand the wish for daemon is to have long-lived daemon that is automatically started etc - in that case, perhaps the use of the snap_daemon user via system-usernames could help so that the snap doesn’t have to run as root.

However, even in this case, the daemon will still be started as root and it would have to drop privileges to the snap-daemon user, so this doesn’t entirely alleviate the security concern.

As such, if this browser-support is absolutely required, we would need to perform publisher vetting as though this were a request for classic confinement.

Hi @alexmurray, the snap is an electron app, I don’t know of any way to get around requiring browser-support.

What are the steps for publisher vetting?

@alexmurray upon researching more, I will probably go down the route of attempting to open a brand store.

@jaydensmith since you’ve find a solution, we are removing this request from our review queue. If you need more help, simply do so here and we can add the request back to the queue. Thanks!

@pfsmorigo @alexmurray I was unable to resolve my problem using the brand store route. I have, however, completed work to drop privileges to the snap-daemon user. Since browser-support is absolutely required for electron to work and I have dropped privileges to snap-daemon, I wonder if you could please review again.

@jaydensmith thanks for taking the time to implement the privileges dropping - is the code for your snap public by any chance so I could verify this?

Assuming this is being done correctly, +1 from me for the use of browser-support with daemon for pcds-kiosk.

Thanks, there’s no reason the code can’t be public, I’ve added it here:

Hi @alexmurray, any further progress?

Thanks for the link to the upstream repo - that looks great.

Can other @reviewers please vote too? Also in the meantime @advocacy could you please perform publisher vetting? Thanks.

@jaydensmith Is there an official page for pcds-kiosk?

The app is for internal use and serves no purpose to the general public so as such has no official page. The app is set to private and will never be changed to public.

@jaydensmith I do not have any way to verify you as the publisher without some external reference point. @alexmurray Any suggestions from your side?

Unfortunately I am not sure either - given the use case (private snap) this sounds like a perfect case for a brand store.

@alexmurray it does, but after already investigating this the cost of a brand store is not in the same realm of possibility at this time.

@jaydensmith Is there a way for you to privately provide us with additional information that would help us verify the project info?

@Igor, I can provide any information you need, what exactly do you need and via what?

@Igor @holly ping, could you please provide the requested information?

ping @igor - can you please follow up with the requester re vetting?