snap: Use strict confinement

contrib/snap/fwupd-command

@@ -4,6 +4,8 @@ export XDG_CACHE_HOME=$SNAP_USER_COMMON/.cache
 mkdir -p $XDG_CACHE_HOME
 export GIO_MODULE_DIR=$XDG_CACHE_HOME/gio-modules
 export XDG_DATA_DIRS="$SNAP/usr/share"
+export FWUPD_LOCKDIR=/run/lock/snap.fwupd
+export FWUPD_POLKIT_NOCHECK=1
 
 #determine architecture
 if [ "$SNAP_ARCH" = "amd64" ]; then

contrib/snap/fwupdmgr.wrapper

@@ -1,2 +1,3 @@
 #!/bin/sh
+export FWUPD_POLKIT_NOCHECK=1
 exec "$SNAP/fwupd-command" $SNAP/bin/fwupdmgr $@

snap/hooks/install

@@ -1,27 +0,0 @@
-#!/bin/sh -e
-
-install_if_missing() {
-	directory=$(dirname ${2}/${1})
-	if [ "$2" != "/" ]; then
-		mkdir -p $directory
-	fi
-	if [ -d $directory ]; then
-		install -m 644 -C ${SNAP}/${1} ${2}/${1}
-	fi
-}
-
-#install policykit rules and actions
-install_if_missing share/polkit-1/actions/org.freedesktop.fwupd.policy /usr
-install_if_missing share/polkit-1/rules.d/org.freedesktop.fwupd.rules /usr
-#install dbus related items
-install_if_missing share/dbus-1/system-services/org.freedesktop.fwupd.service /usr
-install_if_missing share/dbus-1/system.d/org.freedesktop.fwupd.conf /usr
-#activation via systemd
-install_if_missing etc/systemd/system/fwupd-activate.service /
-systemctl daemon-reload
-systemctl enable fwupd-activate
-systemctl start fwupd-activate
-#kernel modules
-install_if_missing usr/lib/modules-load.d/fwupd-msr.conf /
-#optional grub configuration
-install_if_missing etc/grub.d/35_fwupd /

snap/hooks/remove

@@ -1,11 +0,0 @@
-#!/bin/sh -e
-
-#activation via systemd
-systemctl stop fwupd-activate
-systemctl disable fwupd-activate
-rm /etc/systemd/system/fwupd-activate.service -f
-systemctl daemon-reload
-#msr module
-rm /usr/lib/modules-load.d/fwupd-msr.conf -f
-#optional grub configuration
-rm /etc/grub.d/35_fwupd -f

snap/snapcraft.yaml

@@ -6,30 +6,56 @@ description: |
   not yet supported by the version of fwupd distributed with the OS.
 
 grade: stable
-confinement: classic
+confinement: strict
 base: core22
 
 architectures:
   - amd64
 
+slots:
+  fwupd:
+    interface: fwupd
+  fwupd-dbus:
+    interface: dbus
+    bus: system
+    name: org.freedesktop.fwupd
+
+plugs:
+  fwupdmgr:
+    interface: fwupd
+  polkit:
+    interface: polkit
+    action-prefix: org.freedesktop.fwupd
+
 apps:
   dfu-tool:
     command: dfu-tool.wrapper
+    plugs: [fwupdmgr, network]
   dbxtool:
     command: dbxtool.wrapper
+    plugs: [fwupdmgr, network]
   fwupdtool:
     command: fwupdtool.wrapper
+    plugs: [bluez, udisks2, modem-manager, upower-observe, network, hardware-observe]
+    slots: [fwupd]
     completer:
       share/bash-completion/completions/fwupdtool
   fwupd:
     command: fwupd.wrapper
-    daemon: simple
+    daemon: dbus
+    slots: [fwupd]
+    plugs: [bluez, udisks2, modem-manager, upower-observe, polkit, network, hardware-observe]
+    daemon-scope: system
+    activates-on:
+      - fwupd-dbus
   fwupdmgr:
     command: fwupdmgr.wrapper
+    plugs: [fwupdmgr, network, polkit]
     completer:
       share/bash-completion/completions/fwupdmgr
   fwupdagent:
     command: fwupdagent.wrapper
+    plugs: [fwupdmgr, network]
 
 parts:
   #needed for UEFI plugin to build UX labels
@@ -43,6 +69,16 @@ parts:
       - -etc
       - -usr
       - -var
+
+  pkttyagent:
+    plugin: nil
+    stage-packages:
+      - polkitd
+      - libpolkit-agent-1-0
+    prime:
+      - usr/bin/pkttyagent
+      - usr/lib/*/libpolkit-agent-1.so*
+
   fwupd:
     plugin: meson
     meson-parameters: [--prefix=/,
@@ -255,3 +291,12 @@ parts:
     - fwupd.wrapper
     - fwupdmgr.wrapper
     - fwupdagent.wrapper
+
+  policy:
+    plugin: nil
+    after:
+      - fwupd
+    override-build: |
+      mkdir -p "${CRAFT_PART_INSTALL}/meta/polkit/polkit.fwupd/"
+      cp "${CRAFT_STAGE}/share/polkit-1/actions/org.freedesktop.fwupd.policy" \
+         "${CRAFT_PART_INSTALL}/meta/polkit/polkit.org.freedesktop.fwupd.policy"