From 0830bfe2f009936c6d835b2be8bd124b04f3c7c7 Mon Sep 17 00:00:00 2001
From: Valentin David
Date: Thu, 22 Sep 2022 12:14:06 +0200
Subject: [PATCH] snap: Use strict confinement
---
 contrib/snap/fwupd-command | 2 ++
 contrib/snap/fwupdmgr.wrapper | 1 +
 snap/hooks/install | 27 -------------------
 snap/hooks/remove | 11 --------
 snap/snapcraft.yaml | 49 +++++++++++++++++++++++++++++++++--
 5 files changed, 50 insertions(+), 40 deletions(-)
 delete mode 100755 snap/hooks/install
 delete mode 100755 snap/hooks/remove
diff --git a/contrib/snap/fwupd-command b/contrib/snap/fwupd-command
index 8afd87a44..54157b078 100755
--- a/contrib/snap/fwupd-command
+++ b/contrib/snap/fwupd-command
@@ -4,6 +4,8 @@ export XDG_CACHE_HOME=$SNAP_USER_COMMON/.cache
 mkdir -p $XDG_CACHE_HOME
 export GIO_MODULE_DIR=$XDG_CACHE_HOME/gio-modules
 export XDG_DATA_DIRS="$SNAP/usr/share"
+export FWUPD_LOCKDIR=/run/lock/snap.fwupd
+export FWUPD_POLKIT_NOCHECK=1
 #determine architecture
 if [ "$SNAP_ARCH" = "amd64" ]; then
diff --git a/contrib/snap/fwupdmgr.wrapper b/contrib/snap/fwupdmgr.wrapper
index a7488263e..595e216a6 100755
--- a/contrib/snap/fwupdmgr.wrapper
+++ b/contrib/snap/fwupdmgr.wrapper
@@ -1,2 +1,3 @@
 #!/bin/sh
+export FWUPD_POLKIT_NOCHECK=1
 exec "$SNAP/fwupd-command" $SNAP/bin/fwupdmgr $@
diff --git a/snap/hooks/install b/snap/hooks/install
deleted file mode 100755
index bad2d6520..000000000
--- a/snap/hooks/install
+++ /dev/null
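Review bot: `export FWUPD_POLKIT_NOCHECK=1` is added to the shared launcher with no comment saying which polkit check it turns off or why skipping it is acceptable under strict confinement, and fwupdmgr.wrapper exports the same variable again immediately before exec'ing this script. fwupdmgr.wrapper visibly goes through fwupd-command; if the other wrappers (not in this diff) do the same, the variable reaches every app including the daemon, which is wider than a client-side workaround would need. I would set it in one place only, scoped to the commands that need it, with a comment along the lines of `# polkit action files are not visible inside the snap, so skip the local presence check` — wording to be confirmed against what the variable actually gates. A one-line comment on `FWUPD_LOCKDIR` explaining the choice of `/run/lock/snap.fwupd` would help for the same reason.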
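Review bot: The exec line this hunk leaves in place passes `$SNAP/bin/fwupdmgr $@` unquoted, so an argument containing whitespace or glob characters (a firmware file path, for instance) is re-split and expanded before it reaches fwupdmgr. Since the wrapper is being edited anyway, `exec "$SNAP/fwupd-command" "$SNAP/bin/fwupdmgr" "$@"` keeps each argument intact.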
@@ -1,27 +0,0 @@
-#!/bin/sh -e
-
-install_if_missing() {
- directory=$(dirname ${2}/${1})
- if [ "$2" != "/" ]; then
- mkdir -p $directory
- fi
- if [ -d $directory ]; then
- install -m 644 -C ${SNAP}/${1} ${2}/${1}
- fi
-}
-
-#install policykit rules and actions
-install_if_missing share/polkit-1/actions/org.freedesktop.fwupd.policy /usr
-install_if_missing share/polkit-1/rules.d/org.freedesktop.fwupd.rules /usr
-#install dbus related items
-install_if_missing share/dbus-1/system-services/org.freedesktop.fwupd.service /usr
-install_if_missing share/dbus-1/system.d/org.freedesktop.fwupd.conf /usr
-#activation via systemd
-install_if_missing etc/systemd/system/fwupd-activate.service /
-systemctl daemon-reload
-systemctl enable fwupd-activate
-systemctl start fwupd-activate
-#kernel modules
-install_if_missing usr/lib/modules-load.d/fwupd-msr.conf /
-#optional grub configuration
-install_if_missing etc/grub.d/35_fwupd /
diff --git a/snap/hooks/remove b/snap/hooks/remove
deleted file mode 100755
index 31cd91d1a..000000000
--- a/snap/hooks/remove
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh -e
-
-#activation via systemd
-systemctl stop fwupd-activate
-systemctl disable fwupd-activate
-rm /etc/systemd/system/fwupd-activate.service -f
-systemctl daemon-reload
-#msr module
-rm /usr/lib/modules-load.d/fwupd-msr.conf -f
-#optional grub configuration
-rm /etc/grub.d/35_fwupd -f
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 56c8a1067..f7db6567e 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -6,30 +6,56 @@ description: |
 not yet supported by the version of fwupd distributed with the OS.
 grade: stable
-confinement: classic
+confinement: strict
 base: core22
 architectures:
 - amd64
+slots:
+ fwupd:
+ interface: fwupd
+ fwupd-dbus:
+ interface: dbus
+ bus: system
+ name: org.freedesktop.fwupd
+
+plugs:
+ fwupdmgr:
+ interface: fwupd
+ polkit:
+ interface: polkit
+ action-prefix: org.freedesktop.fwupd
+
 apps:
 dfu-tool:
 command: dfu-tool.wrapper
+ plugs: [fwupdmgr, network]
 dbxtool:
 command: dbxtool.wrapper
+ plugs: [fwupdmgr, network]
 fwupdtool:
 command: fwupdtool.wrapper
+ plugs: [bluez, udisks2, modem-manager, upower-observe, network, hardware-observe]
+ slots: [fwupd]
 completer: share/bash-completion/completions/fwupdtool
 fwupd:
 command: fwupd.wrapper
- daemon: simple
+ daemon: dbus
+ slots: [fwupd]
+ plugs: [bluez, udisks2, modem-manager, upower-observe, polkit, network, hardware-observe]
+ daemon-scope: system
+ activates-on:
+ - fwupd-dbus
 fwupdmgr:
 command: fwupdmgr.wrapper
+ plugs: [fwupdmgr, network, polkit]
 completer: share/bash-completion/completions/fwupdmgr
 fwupdagent:
 command: fwupdagent.wrapper
+ plugs: [fwupdmgr, network]
 parts:
 #needed for UEFI plugin to build UX labels
@@ -43,6 +69,16 @@ parts:
 - -etc
 - -usr
 - -var
+
+ pkttyagent:
+ plugin: nil
+ stage-packages:
+ - polkitd
+ - libpolkit-agent-1-0
+ prime:
+ - usr/bin/pkttyagent
+ - usr/lib/*/libpolkit-agent-1.so*
+
 fwupd:
 plugin: meson
 meson-parameters: [--prefix=/,
@@ -255,3 +291,12 @@ parts:
 - fwupd.wrapper
 - fwupdmgr.wrapper
 - fwupdagent.wrapper
+
+ policy:
+ plugin: nil
+ after:
+ - fwupd
+ override-build: |
+ mkdir -p "${CRAFT_PART_INSTALL}/meta/polkit/polkit.fwupd/"
+ cp "${CRAFT_STAGE}/share/polkit-1/actions/org.freedesktop.fwupd.policy" \
+ "${CRAFT_PART_INSTALL}/meta/polkit/polkit.org.freedesktop.fwupd.policy"
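Review bot: Switching `confinement:` to `strict` while the same commit deletes both hooks leaves no cleanup path for hosts where the old install hook already ran. That hook copied the polkit policy and rules under /usr/share/polkit-1, the D-Bus service and system.d policy under /usr/share/dbus-1, fwupd-activate.service, the modules-load.d entry and the grub.d script onto the host. The deleted remove hook never removed the polkit and D-Bus files, and after this change nothing removes any of them, so a stale host-side `org.freedesktop.fwupd.service` and polkit rules can persist alongside the new `daemon: dbus` / `activates-on` activation. If a refresh from a classic revision is possible, the commit description or release notes should spell out the manual cleanup, since the strictly confined snap cannot do it itself.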
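Review bot: In the `policy` part's `override-build`, `mkdir -p` creates a directory `meta/polkit/polkit.fwupd/` that nothing is copied into, while `cp` writes the file `meta/polkit/polkit.org.freedesktop.fwupd.policy`; the copy only succeeds because `-p` also creates the parent directory. Creating just the parent is all the script needs: `mkdir -p "${CRAFT_PART_INSTALL}/meta/polkit"`. As written, an empty `polkit.fwupd/` directory is left in the part's install tree next to the policy file. A one-line comment stating that the file name has to line up with the `polkit` plug and its `action-prefix` declared earlier in the file would also help, if that is indeed the naming snapd expects.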