Update to the system-files interfaces used by firefox

seb128 · October 13, 2022, 6:43pm

The change requested comes from https://github.com/canonical/firefox-snap/pull/8

-  etc-firefox-policies:
+  etc-firefox:
     interface: system-files
-    read: [/etc/firefox/policies]
+    read: [/etc/firefox]

The /etc/firefox/policies access was initialed added to get policies working, https://bugzilla.mozilla.org/show_bug.cgi?id=1785278 is another usecase for accessing files in /etc/firefox which triggered the change.

It seems logical for firefox to have access to /etc/firefox so we are requesting to give access to the directory instead of adding another exception for a subdirectory.

The change landed in nightly now which should reach the edge channel first.

oSoMoN · October 13, 2022, 6:59pm

I suppose this won’t be a problem wrt assertions, given that we’re requesting to widen an existing permission, but note that both will be co-existing for a while when this is granted in edge while beta and stable remain with the narrower permission for the policies subdir.

alexmurray · October 14, 2022, 12:33am

+1 from me - and like @oSoMoN said, assuming this is granted, the new snap declaration will have to preserve the old entry as well, so should look something like:

 "system-files": {
   "allow-auto-connection": "true",
   "allow-installation": [
     {
       "plug-attributes": {
         "read": "/etc/firefox/policies"
       },
       "plug-names": [
         "etc-firefox-policies"
       ]
     },
     {
       "plug-attributes": {
         "read": "/etc/firefox"
       },
       "plug-names": [
         "etc-firefox"
       ]
     }
   ]
}

oSoMoN · October 19, 2022, 12:25pm

@review-team this request is only 6 days old, but because the change was landed in the branch that’s used to build the firefox snap in the edge channel (nightly), the store is denying publication. Can this be fast-tracked to unblock the situation? (temporarily reverting the change is also an option, but it’s probably not needed as the policy update doesn’t appear to be subject to dispute).

alexmurray · October 19, 2022, 11:35pm

I have fast-tracked this with just my single +1 vote - this is now live. If other @reviewers feel this is inappropriate please feel free to revert it and we can discuss further here. Thanks.