Requests for mammoth-browser

Update: We in fact do not need specific system-files access, see the first reply.


Hello,

Our code snippet is as below:

plugs:
  browser-sandbox:
    interface: browser-support
    allow-sandbox: true
  mmeab-sys-files:
    interface: system-files
    read:
      - /etc/machine-id
      - /proc/sys/kernel/arch

  • name: mammoth-browser
  • description: The Mammoth Enterprise Browser is based on the Chromium project. It provides easy and secure access to all your work apps in a single place. There’s no learning curve - our browser works exactly like any other. We handle security seamlessly in the background, so you can focus on your work with greater confidence.
  • snapcraft: link to snapcraft.yaml if publicly available
  • upstream: GitHub - chromium/chromium: The official GitHub mirror of the Chromium source
  • upstream-relation: Private fork of Chromium with added features for enterprise customers
  • interfaces:
    • browser-support / allow-sandbox: true:
      • request-type: installation, auto-connection
      • reasoning: We need to enable the browser’s native sandbox to further isolate between websites.
    • system-files:
      • read:
        • /etc/machine-id
        • /proc/sys/kernel/arch
      • request-type: installation, auto-connection
      • reasoning: Enterprise policies would require logging of the identity of endpoints that connect remotely

This request has been added to the queue for review by the @reviewers team.

The /etc/machine-id path is already covered by audio-playback, which I assume you will be adding anyway given this is a browser …

I’d have expected /proc/sys/kernel/arch to already be covered by the hardware-observe interface, but oddly enough it is not there, even though the arch command itself is shipped in all base snaps and should be executable without any extra interfaces. Have you considered using this instead of directly accessing /proc/sys/kernel/arch?
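
The approach suggested in the reply above, as an added example that is not from the thread or from the Mammoth project: it reads /etc/machine-id (assumed readable through a connected audio-playback plug, as the reply states), takes the architecture from the arch command, and logs a keyed hash instead of the raw ID, since machine-id(5) asks that the ID be treated as confidential. The APP_KEY label, the function names and the record layout are hypothetical.

```python
import hashlib
import hmac
import os
import subprocess

APP_KEY = b"mammoth-browser/endpoint-id/v1"  # hypothetical app-specific label


def read_machine_id(path="/etc/machine-id"):
    """Return the 32-hex-digit machine ID, or None if unreadable or malformed."""
    try:
        with open(path, encoding="ascii") as fh:
            value = fh.read().strip().lower()
    except (OSError, UnicodeDecodeError):
        return None  # file missing, or the interface granting access is not connected
    if len(value) == 32 and all(c in "0123456789abcdef" for c in value):
        return value
    return None


def derive_endpoint_id(machine_id, app_key=APP_KEY):
    """HMAC-SHA256 keyed by the machine ID, so the raw ID never reaches a log."""
    digest = hmac.new(bytes.fromhex(machine_id), app_key, hashlib.sha256)
    return digest.hexdigest()[:32]


def machine_arch():
    """Ask the `arch` command; fall back to uname(2) if it cannot be run."""
    try:
        out = subprocess.run(["arch"], capture_output=True, text=True,
                             timeout=5, check=True).stdout.strip()
        if out:
            return out
    except (OSError, subprocess.SubprocessError):
        pass
    return os.uname().machine


def endpoint_record(machine_id_path="/etc/machine-id"):
    """Build the identity record; endpoint_id is None when the ID is unavailable."""
    mid = read_machine_id(machine_id_path)
    return {
        "endpoint_id": derive_endpoint_id(mid) if mid else None,
        "arch": machine_arch(),
    }


if __name__ == "__main__":
    print(endpoint_record())
```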

I see. We will use these methods instead. Thank you for the pointers. Could you approve the browser sandbox permission?

I’m not in the review team, but your request is in the queue (see the bot above) and should soon be processed by them…