Using xdg-open from snap

John Lenton john.lenton at canonical.com
Wed Sep 21 08:39:58 UTC 2016


Eloy, Spencer, Otfried,

The xdg-open we ship in /usr/local in the snap-core snap failing like
that is a bug; it seems we weren't covering this use case in our
tests.

jdstrand has now addressed this, and although with his fix right now
you'll need to ask for the unity7 interface it is expected to grow
into a more fine-grained interface at some point, it was put there to
unblock people (i.e. you). We expect this fix to be part of the 2.15
release, but it might slip to 2.16.

This is not the whole story, however. You'll also need the
snapd-xdg-open package (or a dbus service providing OpenURL on the
com.canonical.SafeLauncher interface) in your classic system. You can
install that in yakkety, or get it from -proposed for xenial
(https://launchpad.net/ubuntu/+source/snapd-xdg-open), or get the
source from https://github.com/snapcore/snapd-xdg-open. As soon as it
gets out of -proposed and into -updates we'll have snapd recommend it,
but this might not be ready for 2.15.

On 21 September 2016 at 08:18, Eloy García (PC Actual)
<eloy.garcia.pca at gmail.com> wrote:
> Hi all.
>
> I have the same problem in my snap java-based application. I use the xdg-open
> command to launch the default browser, so a solution would be great :)
>
> Best,
>
> Eloy
>
> 2016-09-20 15:46 GMT+02:00 Spencer Parkin <spencertparkin at gmail.com>:
>>
>> This is related to a question I had as well.  I have a program that uses
>> wxLaunchDefaultBrowser which, looking at its implementation, tries to make
>> the system call "exec()" to launch the default browser with a URL.
>>
>> If snap programs are not allowed to start other processes, that's fine;
>> but if enough people need to launch the default browser with a URL, then I'm
>> sure a secure solution just for this could somehow be implemented for snaps.
>>
>> I gather that one design goal of snaps, however, is the ability for people
>> to write programs for any environment, but also have them work as snaps so
>> that the programmer doesn't have to write snap-specific code, or make
>> snap-specific considerations in their code.  In other words, your code
>> should be "none-the-wiser" that it is running in the confined area.
>>
>> So with that in mind, I'm not sure how to solve the problem.  Any secure
>> API exposed to snap applications already breaks the above design goal.
>>
>> Of course, it's not unreasonable for my program to have "#ifdef WIN32" or
>> "#ifdef UNIX", and in the latter case, I may be looking to utilize something
>> in a standard unix environment which, I believe, is synthesized in Ubuntu
>> Core.  That's where I believe the snap environment can intercept what an
>> application is doing and provide a secure solution, and this may be the
>> "xdg-open" thing Otfried was talking about.
>>
>>
>> On Mon, Sep 19, 2016 at 2:37 AM, Otfried Cheong <otfried at ipe.airpost.net>
>> wrote:
>>>
>>> Hello,
>>>
>>> my app has a manual in html.  I normally show this using "xdg-open
>>> <url>", but from the snap this results in "xdg-open: Permission denied",
>>> leaving this log:
>>>
>>> [21249.231634] audit: type=1400 audit(1474273861.873:383):
>>> apparmor="DENIED" operation="exec" profile="snap.ipe.sh"
>>> name="/usr/local/bin/xdg-open" pid=9551 comm="sh" requested_mask="x"
>>> denied_mask="x" fsuid=1000 ouid=0
>>>
>>> According to
>>> https://lists.ubuntu.com/archives/snapcraft/2016-September/001048.html
>>> this should work.
>>> I did refresh ubuntu-core from the beta channel and currently have
>>> revision 636 of ubuntu-core.
>>>
>>>
>>> Slightly related:  If I understand
>>> https://lists.ubuntu.com/archives/snapcraft/2016-September/001118.html
>>> correctly, the host filesystem should be exposed to the snap as
>>> /var/lib/snapd/hostfs in devmode?    It isn't on my system.
>>>
>>> Cheers,
>>>  Otfried
>>>
>>>
>>> --
>>> Snapcraft mailing list
>>> Snapcraft at lists.snapcraft.io
>>> Modify settings or unsubscribe at:
>>> https://lists.ubuntu.com/mailman/listinfo/snapcraft
>>
>>
>>
>>
>
>
>
> --
> Eloy García Almadén
>
>
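An added example, not part of the original thread and not snapd code: a Python parser for AppArmor audit records like the one quoted above, listing which snap app was denied exec on which binary. The function names are hypothetical, the `snap.<snap>.<app>` profile layout is inferred from the `snap.ipe.sh` profile in the log, and the second sample line is constructed.

```python
import re

# Record quoted in the thread, joined onto one line.
SAMPLE = (
    '[21249.231634] audit: type=1400 audit(1474273861.873:383): '
    'apparmor="DENIED" operation="exec" profile="snap.ipe.sh" '
    'name="/usr/local/bin/xdg-open" pid=9551 comm="sh" requested_mask="x" '
    'denied_mask="x" fsuid=1000 ouid=0'
)
# Constructed record: a denial that is not an exec, so it must be filtered out.
CONSTRUCTED = (
    '[21250.000000] audit: type=1400 audit(1474273862.000:384): '
    'apparmor="DENIED" operation="open" profile="snap.example.app" '
    'name="/proc/version" pid=9600 comm="app" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0'
)

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor_record(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def snap_exec_denials(lines):
    """List exec denials raised under snap profiles (snap.<snap>.<app>)."""
    denials = []
    for line in lines:
        f = parse_apparmor_record(line)
        if not f or f.get('apparmor') != 'DENIED' or f.get('operation') != 'exec':
            continue
        parts = f.get('profile', '').split('.', 2)
        if len(parts) != 3 or parts[0] != 'snap':
            continue  # not a snap-confined process
        denials.append({'snap': parts[1], 'app': parts[2],
                        'target': f.get('name'), 'denied_mask': f.get('denied_mask')})
    return denials


if __name__ == '__main__':
    for d in snap_exec_denials([SAMPLE, CONSTRUCTED]):
        print(d)
```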



