Executing a script inside snap package. Is this possible?

Jamie Strandboge jamie at canonical.com
Mon Apr 17 14:13:52 UTC 2017


On Sun, 2017-04-16 at 21:06 -0400, Michael Hall wrote:
> Running a script inside of your snap with either /bin/sh or /bin/bash
> should be no problem at all. However looking at your script I see that
> you're making dbus calls out to the Plasma Shell, and that *will* be
> blocked by the strict confinement.
> 
> You will probably need to get a snapd interface created to support this
> dbus interface, or maybe you can use the generic 'dbus' interface and
> specify this service, which would have to be manually connected. I'm
> hoping someone from the snapd or security teams can chime in and be more
> specific about what your options are here.
> 
It looks like your script is using qdbus to tell the PlasmaShell to run a script
for changing the wallpaper to something your snap specifies. Assuming your snap
ships qdbus, then the 'only' thing that would be required would be to add a
snappy interface to allow access to this dbus call.

A few things:

1. today we have the 'unity7' interface for use on classic distributions. We'll 
   be introducing gnome and plasma interfaces for running snaps under those DEs
2. it looks like your qdbus command is sending a script over for PlasmaShell to 
   execute. Since plasma shell runs the script in the context of plasma (ie, 
   unconfined), this would allow breaking out of application confinement. If 
   this snappy interface was added, it would be considered a privileged 
   interface
3. is there another wallpaper API or standard KDE command line utility that can 
   be used instead of plasmashell that doesn't allow breaking out of 
   confinement? If so, I recommend using that instead-- then perhaps we can add 
   a 'desktop-wallpaper' interface.

For now, feel free to use 'confinement: devmode' in your snap and please file a
bug (with the 'snapd-interface' tag) here to request your interface addition:

https://bugs.launchpad.net/snapd/+filebug


> Michael Hall
> mhall119 at ubuntu.com
> 
> On 04/16/2017 05:13 PM, Eloy García (PC Actual) wrote:
> > Hello everybody.
> > 
> > I develop a graphical java-based application which is published in the
> > Ubuntu Store as a snap package (strict confinement) called
> > wallpaperdownloader to download, manage and set desktop wallpapers.
> > 
> > I'm developing version 2.7 which will bring KDE support, but for this I
> > need to execute a shell script from Java. In classic confinement and
> > natively, this script is executed without problems. I use this code to do
> > it:
> > 
> > process = Runtime.getRuntime().exec("/bin/sh " + WDUtilities.getAppPath() +
> > WDUtilities.URL_SLASH + WDUtilities.PLASMA_SCRIPT + " " +  wallpaperPath);
> > 
> > As you can see, I use /bin/sh command to run the script. This is the
> > content of the script:
> > 
> > #!/bin/bash
> > 
> > # Changing wallpaper
> > qdbus org.kde.plasmashell /PlasmaShell \
> > org.kde.PlasmaShell.evaluateScript \
> > "var allDesktops = desktops();print (allDesktops);for
> > (i=0;i<allDesktops.length;i++) {d =
> > allDesktops[i];d.wallpaperPlugin = 'org.kde.image';d.currentConfigGroup =
> > Array('Wallpaper', 'org.kde.image', 'General');d.writeConfig('Image',
> > 'file://"$1"')}"
> > 
> > This command changes the current wallpaper for version 5.8 or higher in
> > Plasma.
> > 
> > When this part is executed within the snap package (strict confinement),
> > nothing happens. I have tried to include bash and dash packages as
> > stage-packages but it doesn't work. Is this something that can be achieved
> > using the snap package system?
> > 
> > Thank you very much!
> > 
> > Best,
> > 
> > Eloy
> > 
> 
> 
-- 
Jamie Strandboge             | http://www.canonical.com