Review request for ozone-display

Hello there!
I’m currently building a kiosk app that needs both browser-support and the daemon feature.
With my latest build now scheduled for manual review because of this, I still wanted to ask a few questions and hopefully get more feedback as it is my first project on the snap store.

My application gets deployed on Raspberry Pis via Ubuntu Core and then plugged into screens around our office and community area, so it’s not a system users ever interact with directly.

I read, though, that any application using both daemon features and browser_support should drop their privileges to the snap_daemon system user. I implemented this but would request that someone more knowledgeable in this regard than me has a look at it. (The review-tools snap still complains about the permission thing, but I guess it’s because it’s not tracking dropping privileges yet, right?)
The repository is open source so you can have a look: ozone
Cheers

@jkruckenberg the current implementation re dropping privileges looks sane - thanks. +1 from me for the use of this - note, the use of daemon and browser_support is still privileged and so requires publisher vetting to be granted if the vote carries.

@reviewers can we please get some more votes on this request?

+1 for me for the use of browser-support with daemon. This is a kiosk app and the snap uses system-usernames to drop privileges. Also allow-sandbox is unspecified so it defaults to false.

As @alexmurray mentioned, this is a privileged interface and thus requires publisher vetting. @jkruckenberg: can you state that you intend to not change your snap to run a command which plugs browser-support under the root user (i.e., you will keep using the snap_daemon with any commands/daemons that plug browser-support)? This way we can proceed with the vetting process.

Thanks!

Thanks @emitorino! Just so I understand you correctly, you mean running anything that requires the ‘browser-support’ interface before privileges are dropped, right?
If so, then yes, I do not intend to change this. I also cannot think of a situation where I might have to change this, so we should be good.
Anything else you need me to do?
Cheers,
Jonas

@jkruckenberg: yes, thanks for your answer.

@advocacy - can you please perform vetting?

+1 from me, I verified the publisher.

Thanks @Igor.

@jkruckenberg: a review-tools update is needed for this to take effect automatically in the store. I need to manually approve this in the meantime, until we have this update available. Could you please either request a manual review or upload a new revision so I can go and approve it?

Thanks!
