interfaces/desktop-launch: support confined snaps launching other snaps #8699
Conversation
> * tests/lib/snaps/test-snapd-policy-app-consumer/meta/snap.yaml
…apd/strutil/shlex
…escribe the shell to toolkits.
…ving a zombie process
interface for PrivilegedDesktopLauncher This reinforces that the API is not in the same security domain as those exported on /io/snapcraft/Launcher.
…out mocked stat calls
|
Once the changes from https://github.com/MirServer/snapd/pull/6 are merged into this PR, I think it would probably be ready for another review. I've tried to close off all the threads that appear to have been addressed, but the number of comments on the PR has become a bit unmanageable. |
More fixes based on review feedback
1968: Update the snapcraft launch object path r=wmww a=AlanGriffiths To reflect recent changes to canonical/snapd#8699 Co-authored-by: Alan Griffiths <alan@octopull.co.uk>
| // Iterate through the potential subdirectories formed by the first i elements of the desktop file ID. | ||
| // Maybe this is overkill: At the time of writing, the only use is in desktopFileIDToFilename() and there | ||
| // we're only checking dirs.SnapDesktopFilesDir (not all entries in $XDG_DATA_DIRS) and we know that snapd | ||
| // does not create subdirectories in that location. |
There was a problem hiding this comment.
this comment doesn't sound valid anymore as the new approach seems to be to find the file as anything else would, and then double check that is from a place that is supported
| // /var/lib/snapd/desktop/applications and these desktop files are written by snapd and | ||
| // considered safe for userd to process. If other directories are added in the future, | ||
| // verifyDesktopFileLocation() and parseExecCommand() may need to be updated. | ||
| return fmt.Errorf("internal error: only launching snap applications from %s is supported", dirs.SnapDesktopFilesDir) |
There was a problem hiding this comment.
given the new approach to search this is not an internal error anymore, the prefix should be stripped
interfaces/builtin/desktop_launch.go
Outdated
|
|
||
| package builtin | ||
|
|
||
| const desktopLaunchSummary = `allows snaps to identify and launch other snaps` |
There was a problem hiding this comment.
this should probably be now:
allows to identify and launch desktop applications in(or from) other snaps
?
|
|
||
| const desktopLaunchSummary = `allows snaps to identify and launch other snaps` | ||
|
|
||
| const desktopLaunchBaseDeclarationPlugs = ` |
There was a problem hiding this comment.
the base declaration looks right, it follow the same pattern as snapd-control of a superprivileged interface
| err := apparmorSpec.AddConnectedPlug(s.iface, s.plug, s.slot) | ||
| c.Assert(err, IsNil) | ||
| c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other.app"}) | ||
| c.Assert(apparmorSpec.SnippetForTag("snap.other.app"), testutil.Contains, `Can identify and launch other snaps.`) |
There was a problem hiding this comment.
we probably want to check as well at least for:
member=OpenDesktopEntry
peer=(label=unconfined),
interfaces/builtin/desktop_launch.go
Outdated
| @@ -48,7 +48,7 @@ dbus (send) | |||
| bus=session | |||
| path=/io/snapcraft/PrivilegedDesktopLauncher | |||
| interface=io.snapcraft.PrivilegedDesktopLauncher | |||
| member=OpenDesktopEntry | |||
| peer=(label=unconfined),member=OpenDesktopEntry | |||
There was a problem hiding this comment.
This looks wrong. The comma separates AppArmor rules, so this breaks a rule in half.
Rather than changing the AppArmor snippet, @pedronis was suggesting that an extra assertion be added to the test verifying that the snippet contained this part of the rule.
| conn *dbus.Conn | ||
| } | ||
|
|
||
| // Name returns the name of the interface this object implements |
There was a problem hiding this comment.
nitpick, but we typically like to end doc-comments with ".", but this should be done in a followup
| // desktopFileIDToFilename determines the path associated with a desktop file ID. | ||
| func desktopFileIDToFilename(desktopFileID string) (string, error) { | ||
| if !isValidDesktopFileID(desktopFileID) { | ||
| return "", fmt.Errorf("cannot find desktop file for %q", desktopFileID) |
There was a problem hiding this comment.
should this error message indicate that the desktop file ID is invalid insofar as it doesn't match the expected regex? something like
| return "", fmt.Errorf("cannot find desktop file for %q", desktopFileID) | |
| return "", fmt.Errorf("cannot find desktop file for %q: desktop file ID is malformed", desktopFileID) |
also fine for followup if we want it
|
|
||
| args := make([]string, 0, len(origArgs)) | ||
| for _, arg := range origArgs { | ||
| // We want to keep literal '%' (expressed as '%%') but filter our exec variables |
There was a problem hiding this comment.
| // We want to keep literal '%' (expressed as '%%') but filter our exec variables | |
| // We want to keep literal '%' (expressed as '%%') but filter out exec variables |
| {"/snap/bin/foo -f %U %%bar", []string{"/snap/bin/foo", "-f", "%bar"}}, | ||
| {"/snap/bin/foo -f %U %i %%bar", []string{"/snap/bin/foo", "-f", "--icon", "/snap/chromium/1193/chromium.png", "%bar"}}, | ||
| {"/snap/bin/foo -f %U %%bar %i", []string{"/snap/bin/foo", "-f", "%bar", "--icon", "/snap/chromium/1193/chromium.png"}}, | ||
| {"/snap/bin/foo -f %%bar %U %i", []string{"/snap/bin/foo", "-f", "%bar", "--icon", "/snap/chromium/1193/chromium.png"}}, |
There was a problem hiding this comment.
this is okay to do as a followup
| }) | ||
| } | ||
|
|
||
| func (s *privilegedDesktopLauncherSuite) TestDesktopFileLookup(c *C) { |
There was a problem hiding this comment.
thanks for adding this test
| c.Assert(err, ErrorMatches, `desktop file ".*" has an unsupported 'Exec' value: ""`) | ||
| } | ||
|
|
||
| func (s *privilegedDesktopLauncherInternalSuite) TestReadExecCOmmandFromDesktopFileMultipleDesktopEntrySections(c *C) { |
There was a problem hiding this comment.
thanks for this test too
| The desktop-launch interface allows a snap to launch other snaps via | ||
| the desktop files they provide to the host system. | ||
|
|
||
| systems: [-ubuntu-core-*] |
There was a problem hiding this comment.
could you add a comment that userd does not yet work properly enough on ubuntu core to be able to run this test there (fine for followup)?
| snap connections test-launcher | MATCH "desktop-launch +test-launcher:desktop-launch +:desktop-launch +manual" | ||
|
|
||
| echo "The launcher snap can launch other snaps via userd" | ||
| tests.session -u test exec test-launcher \ |
There was a problem hiding this comment.
does this need to be exec? I assume this is somehow related to user sessions?
There was a problem hiding this comment.
also should we be checking the output of this command with MATCH, since we are using --print-reply?
|
@AlanGriffiths @jhenstridge the last run of tests got stuck, anyway it seems something changed in master before the last master merge and now the spread test is failing and need adjusting/fixing, this probably needs again a master merge and fixes, sorry |
Co-authored-by: Ian Johnson <person.uwsome@gmail.com>
Co-authored-by: Ian Johnson <person.uwsome@gmail.com>
Add a new interface
desktop-launchthat allows shells to read.desktopfiles from/var/lib/snapd/desktop/applications/and callio.snapcraft.PrivilegedDesktopLauncher.OpenDesktopEntry.Add
io.snapcraft.PrivilegedDesktopLauncher.OpenDesktopEntrysupport touserdthat implements support for this on Classic systems.The result is that a confined desktop shell can identify other snaps and launch them with (for example) the
WAYLAND_DESKTOPenvironment variable needed for the client to connect to the correct desktop.Follows on from: