Wayland connection in confined snap

I have a very simple snap that only contains weston and connects via the wayland plug:

name: weston-terminal-test
base: core22
version: '9.0'
summary: test wayland connection via weston-terminal
description: none

grade: stable
confinement: devmode # use 'strict' once you have the right plugs and slots

parts:
  weston:
    plugin: nil
    stage-packages:
    - weston

apps:
  weston-terminal-test:
    command: usr/bin/weston-terminal
    plugs:
    - wayland

But when I run weston-terminal-test, the process cannot connect to the Wayland socket: failed to connect to Wayland display: No such file or directory.

Indeed, when I run a shell inside the confined snap, the socket is not at the right path within the snap:

$ snap run --shell weston-terminal-test
$ ls -alh $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
ls: cannot access '/run/user/1000/snap.weston-terminal-test/wayland-0': No such file or directory

whereas on a regular system, this would be:

$ ls -alh $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
srwxrwxr-x 1 christian christian 0 Nov 27 12:10 /run/user/1000/wayland-0

Is the wayland plug broken? What is it supposed to do, when not letting the snap access the Wayland socket at /run/user/1000/wayland-0?

The plug grants access to the Wayland socket in its usual location. By specifying it, you have access to /run/user/1000/wayland-0.

The missing aspect is that because $XDG_RUNTIME_DIR is different in the confined snap, as you’ve seen there isn’t actually a socket there.

But because you have the Wayland plug, you can now symlink it from the original location into the snap’s specific runtime dir, where it should work!

This would be similar to the PulseAudio socket, which works the same way.

You’re not usually expected to manage this manually. In most scenarios, you can simply make use of a Snapcraft Extension, which helps set up a minimal usable runtime environment with common libraries, permissions, and environment variables. In your case, that is as easy as this:

apps:
  weston-terminal-test:
    command: usr/bin/weston-terminal
    plugs:
    - wayland
    extensions: [gnome]

By adding the extension, when you build the new snap, it should sort out Wayland access for you automatically.

But in theory, even without the extension, you could just symlink it yourself with a Bash script or similar if need be.

You can see the related code that does this in the extensions here.
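A sketch of the manual symlink approach described in the answer above, as an added example that is not part of the original posts and is not the extension's own code. The function name `link_wayland_socket` is hypothetical, and the script assumes the snap's `$XDG_RUNTIME_DIR` is a direct subdirectory of the user's runtime directory, as in the `ls` output in the question.

```shell
#!/bin/sh
# Added example (not the gnome extension's code): expose the host Wayland
# socket inside the snap's private runtime directory before starting the app.
# Assumption: the snap's XDG_RUNTIME_DIR sits directly under the user's
# runtime dir, e.g. /run/user/1000/snap.<name> under /run/user/1000.

# link_wayland_socket SNAP_RUNTIME_DIR [DISPLAY_NAME]
# Returns 0 if a socket is reachable under the snap's runtime dir afterwards,
# 1 if the host socket is missing, 2 if no runtime dir was given.
link_wayland_socket() {
    lw_snap_dir=$1
    lw_display=${2:-wayland-0}          # default name when WAYLAND_DISPLAY is unset
    [ -n "$lw_snap_dir" ] || return 2

    # WAYLAND_DISPLAY may be an absolute path; then there is nothing to link.
    case $lw_display in
        /*) if [ -S "$lw_display" ]; then return 0; else return 1; fi ;;
    esac

    lw_host_sock=$(dirname "$lw_snap_dir")/$lw_display
    lw_snap_sock=$lw_snap_dir/$lw_display

    # Already usable: a real socket, or an earlier link that still resolves.
    if [ -S "$lw_snap_sock" ]; then return 0; fi

    # Only link to a real socket; a regular file or missing path is refused.
    if [ ! -S "$lw_host_sock" ]; then return 1; fi

    mkdir -p -m 700 "$lw_snap_dir" || return 1
    # -f replaces a dangling link from an earlier session,
    # -n stops ln from following an existing link at the destination.
    ln -sfn "$lw_host_sock" "$lw_snap_sock"
}

# Wrapper mode: link the socket, then hand over to the real command.
# Skipped when the file is sourced or run without arguments.
if [ "$#" -gt 0 ]; then
    link_wayland_socket "$XDG_RUNTIME_DIR" "$WAYLAND_DISPLAY" ||
        echo "no Wayland socket reachable from $XDG_RUNTIME_DIR" >&2
    exec "$@"
fi
```

The link only makes the path resolve inside the snap; whether the client may open the socket is still decided by the confinement policy and the connected interfaces.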

This does create the symlink and I can run the clients in devmode. But when I switch to the strict mode the client is not allowed to access the socket: failed to connect to Wayland display: Permission denied when in strict mode.

I modified the snap:

name: weston-test
base: core22
version: '9.0'
summary: test wayland connection via weston clients
description: none

grade: stable
confinement: strict

parts:
  weston:
    plugin: nil
    stage-packages:
    - weston

apps:
  weston-terminal-test:
    command: usr/bin/weston-terminal
    plugs:
    - wayland
    extensions: [gnome]
  weston-flower-test:
    command: usr/bin/weston-flower
    plugs:
    - wayland
    extensions: [gnome]

Installing this snap with --dangerous only (snap install weston-test_9.0_amd64.snap --dangerous) and running the weston-flower example (weston-test.weston-flower-test) gives me:

failed to connect to Wayland display: Permission denied
failed to create display: Permission denied

I guess there is still something missing, although I should be allowed to use the socket now.

Does this new snap definition work for you or can you reproduce my results?