Merge ~emitorino/review-tools:sec_mode_overrides_for_skype into review-tools:master

Proposed by Emilia Torino
Status: Merged
Merged at revision: 1b72a1ea09394af2d823a7367580b3a12fa6007b
Proposed branch: ~emitorino/review-tools:sec_mode_overrides_for_skype
Merge into: review-tools:master
Diff against target: 12 lines (+1/-0)
1 file modified
reviewtools/overrides.py (+1/-0)
Reviewers (status):
Alex Murray: Approve
Samuele Pedroni: Pending
Review via email: mp+397869@code.launchpad.net

Commit message

- overrides.py: Adding skype to sec_mode_overrides

Description of the change

skype is moving to strict and found issues with confinement on non-Ubuntu. Latest revision of skype fails with:

'found errors in file output: unusual mode 'r-sr-xr-x' for entry './usr/share/skypeforlinux/chrome-sandbox' security-snap-v2_squashfs_files'.

Since the linked bug https://bugs.launchpad.net/snapd/+bug/1914786 is still open for discussion, with the snapd team we agreed we could add an override to the review-tools as an interim step before we can work with the required upstream updates (if even possible).

This is the output of the review-tools including this change:

$ review-tools.snap-review /home/emitorino/snap/review-tools/common/QRDEfjn4WJYnm0FzDKwqqRZZI77awQEV_163.snap
Errors
------
 - declaration-snap-v2:plugs_connection:browser-sandbox:browser-support
 human review required due to 'deny-connection' constraint (interface attributes). If using a chromium webview, you can disable the internal sandbox (eg, use --no-sandbox) and remove the 'allow-sandbox' attribute instead. For QtWebEngine webviews, export QTWEBENGINE_DISABLE_SANDBOX=1 to disable its internal sandbox.
 - lint-snap-v2:external_symlinks
 package contains external symlinks: usr/bin/xdg-email
/home/emitorino/snap/review-tools/common/QRDEfjn4WJYnm0FzDKwqqRZZI77awQEV_163.snap: FAIL

So if noted:
1) it is my understanding that we will then need to issue a snap declaration for the snap for allow-sandbox: true. pedronis could you please confirm? I have not done this yet and don't have instructions on how to do it, but I assume it's an advanced declaration (json free format on the store UI)
2) There is yet another issue with symlinks: usr/bin/xdg-email, which after discussing it with cjp256 and checking this bug info: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1849774 we decided to also manually accept it. cjp256 did some local tests and confirmed it works. pedronis should we also add an override for skype to https://git.launchpad.net/review-tools/tree/reviewtools/overrides.py#n1259?
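
An added sketch, not code from review-tools, of how a per-snap mode override like the one in this proposal can gate a setuid/setgid check. The function names, the exact-match rule and the sample listing are assumptions; the two table entries are copied from the diff.

```python
# Added illustration, not review-tools code. The two table entries are copied
# from the diff; the matching rule (exact mode string per snap and path) is an
# assumption about how such an override table is consulted.
SEC_MODE_OVERRIDES = {
    "snapd": {"./usr/lib/snapd/snap-confine": ["rwsr-sr-x", "rwsr-xr-x"]},
    "skype": {"./usr/share/skypeforlinux/chrome-sandbox": "r-sr-xr-x"},
}


def special_bits(mode):
    """Name the setuid/setgid/sticky bits set in a 9-character mode string."""
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters, got %r" % mode)
    checks = ((2, "sS", "setuid"), (5, "sS", "setgid"), (8, "tT", "sticky"))
    return [name for pos, flags, name in checks if mode[pos] in flags]


def check_entry(snap_name, path, mode, overrides=SEC_MODE_OVERRIDES):
    """Return an error string for an unapproved special mode, else None."""
    if not special_bits(mode):
        return None
    allowed = overrides.get(snap_name, {}).get(path, [])
    if isinstance(allowed, str):  # a value may be one mode or a list of modes
        allowed = [allowed]
    if mode in allowed:
        return None
    return "unusual mode '%s' for entry '%s'" % (mode, path)


def review(snap_name, listing):
    """Check (mode, path) pairs, e.g. taken from a squashfs file listing."""
    errors = (check_entry(snap_name, path, mode) for mode, path in listing)
    return [e for e in errors if e]


# Constructed listing for the demonstration below.
SANDBOX = "./usr/share/skypeforlinux/chrome-sandbox"
LISTING = [("rwxr-xr-x", "./usr/bin/skypeforlinux"), ("r-sr-xr-x", SANDBOX)]

if __name__ == "__main__":
    print(review("skype", LISTING))                   # override applies
    print(review("other-snap", LISTING))              # same file, other snap
    print(review("skype", [("rwsr-xr-x", SANDBOX)]))  # mode differs from override
```

Under these assumptions the override is narrow: the same file shipped under another snap name, or the same path with a different special mode, is still reported.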

Alex Murray (alexmurray) wrote :

Thanks Emi, LGTM!

review: Approve

Preview Diff

1diff --git a/reviewtools/overrides.py b/reviewtools/overrides.py
2index 770099a..6750be7 100644
3--- a/reviewtools/overrides.py
4+++ b/reviewtools/overrides.py
5@@ -335,6 +335,7 @@ sec_mode_overrides = {
6 "./usr/lib/x86_64-linux-gnu/opera-developer/opera_sandbox": "rwsr-xr-x"
7 },
8 "snapd": {"./usr/lib/snapd/snap-confine": ["rwsr-sr-x", "rwsr-xr-x"]},
9+ "skype": {"./usr/share/skypeforlinux/chrome-sandbox": "r-sr-xr-x"},
10 "test-snapd-core18": {
11 "./bin/mount": "rwsr-xr-x",
12 "./bin/ping": "rwsr-xr-x",
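
Review bot: The new "skype" entry has no comment recording why a setuid chrome-sandbox is being accepted or when the exception can be dropped. The description calls this an interim step pending https://bugs.launchpad.net/snapd/+bug/1914786, so a one-line comment above the entry citing that bug would let a later reader know the override is meant to be revisited. A smaller point: the entry is placed after "snapd", and if this table is kept in alphabetical order "skype" belongs before it. Pinning the single mode "r-sr-xr-x" as a string rather than a list keeps the exception as narrow as the failure that was reported, which is worth preserving if the entry is moved.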