Skip to content

feature: Support for snapped versions of Firefox and Chromium#335

Open
vasilev wants to merge 1 commit intograysky2:masterfrom
vasilev:support_for_snap_Firefox_and_Chromium
Open

feature: Support for snapped versions of Firefox and Chromium#335
vasilev wants to merge 1 commit intograysky2:masterfrom
vasilev:support_for_snap_Firefox_and_Chromium

Conversation

@vasilev
Copy link
Copy Markdown

@vasilev vasilev commented Aug 8, 2022

In response to Canonical's high-pressure selling of Snapcraft.

Snap in brief

Snap applies auto-generated AppArmor profiles located in /var/lib/snapd/apparmor/profiles/. Profile template and data to populate the template.

These profiles restrict access to $XDG_RUNTIME_DIR (as reported in #247), and at the same time allow access to specific $XDG_RUNTIME_DIR's subdirectories, so $XDG_RUNTIME_DIR/snap.firefox/ is accessible to snapped Firefox, and $XDG_RUNTIME_DIR/snap.chromium/ is accessible to snapped Chromium.

Browser profiles are located in ~/snap/$SNAP_INSTANCE_NAME/common/ (~/snap/firefox/common/ and ~/snap/chromium/common/ respectively).

Possible solution

To comply with AppArmor restrictions mentioned above the in-memory part needs to be rerouted from the root of $VOLATILE to respective subdirectories of it.

Tested on Ubuntu 22.04.1 .

@vasilev
Copy link
Copy Markdown
Author

vasilev commented Aug 8, 2022

@graysky2, could you please take a look?

@vasilev vasilev marked this pull request as draft August 9, 2022 13:19
@vasilev
Copy link
Copy Markdown
Author

vasilev commented Aug 9, 2022

Converted to draft. Work in progress.

This solution needs more testing due to possible race conditions during system startup. PSD service may start before Snap-related services, so $XDG_RUNTIME_DIR/snap.$SNAP_INSTANCE_NAME/ directories may not exist at the time of PSD's startup phase.

Possible solutions (at the time being):

  1. Quick&Dirty: employ --mkpath Rsync option at some set of conditions.
  2. Fine-tune system service ordering and startup conditions.

@vasilev
Copy link
Copy Markdown
Author

vasilev commented Aug 16, 2022

As far as I can understand, the creation of $XDG_RUNTIME_DIR/snap.$SNAP_INSTANCE_NAME/ is disabled in current version of snap-confine. And that directory is created by some BASH script using mkdir -p, possibly initiated by dconf-service definitely at the time of the browser launch.
So to support the core PSD functionality a --mkpath approach is required.

Added --mkpath to initial sync.

This pull request is ready for review.

@vasilev vasilev marked this pull request as ready for review August 16, 2022 18:02
@vasilev vasilev force-pushed the support_for_snap_Firefox_and_Chromium branch from 91c1e61 to ec345b0 Compare August 30, 2022 17:59
@yutayu
Copy link
Copy Markdown

yutayu commented Sep 30, 2022

According to this article , https://gihyo.jp/admin/serial/01/ubuntu-recipe/0714
snap doesn't regcognize other than snap folder, so snap rejects folders like /dev/shm.
I made tmpfs profile folder in snap firefox folder and copy profile in it , and it works.

This is maybe hint.

@burner1024 burner1024 mentioned this pull request Oct 26, 2022
Closed
@vasilev vasilev mentioned this pull request Oct 3, 2023
Open
@vasilev
feature: Support for snapped versions of Firefox and Chromium.
d19bd02 
As AppArmor profiles allow access only to `$XDG_RUNTIME_DIR/snap.$SNAP_INSTANCE_NAME/`, re-routed profiles of snapped browsers exactly into respective `$XDG_RUNTIME_DIR/snap.$SNAP_INSTANCE_NAME/` subdirectories.
@vasilev vasilev force-pushed the support_for_snap_Firefox_and_Chromium branch from ec345b0 to d19bd02 Compare March 9, 2026 17:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vasilev @yutayu