Enterprise policies for snap users
Categories: Firefox :: Enterprise Policies, defect
People: Reporter: olivier, Assigned: olivier
References: Blocks 1 open bug
Attachments (1 file): text/x-phabricator-request, 48 bytes; jcristau: approval-mozilla-esr78+
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
The snap package for Firefox currently ships with a policies.json file in distribution/ that disables app updates (https://hg.mozilla.org/mozilla-central/file/tip/taskcluster/docker/firefox-snap/policies.json).
This works well for the purpose of disabling app updates, but as snaps are read-only file-systems, this means that no-one (not even a sysadmin) can modify that policies.json file to manage enterprise policies.
I can see two possible approaches to address this problem:
- In an unconfined environment, firefox will look for policies in /etc/firefox/policies/policies.json. A snapped application normally can't see that location on the host, but the system-files interface (https://snapcraft.io/docs/system-files-interface) can help with this. This would have the benefit that existing policies would become available to the snap, without any intervention on the sysadmin's part.
- The snap packaging can define a layout to symlink $SNAP/distribution/policies.json to a writable location, e.g. $SNAP_DATA/policies.json ($SNAP_DATA typically resolves to /var/snap/firefox/current). $SNAP_DATA is read-only for normal users, but sysadmins can write to it, making it a suitable location for enterprise policies. For existing deployments, this would require a one-off relocation of existing policies from /etc/firefox/policies/policies.json to /var/snap/firefox/current/policies.json.
With either approach, app updates should be disabled in a different way (not using a policy).
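As an added illustration of the first approach (constructed here, not the Firefox snap's actual packaging), a snapcraft.yaml fragment declaring a system-files plug that exposes only the host's /etc/firefox/policies directory, read-only; the plug name `etc-firefox-policies`, the app name `firefox` and the `command` value are assumptions, and unrelated keys are omitted.

```yaml
# Constructed snapcraft.yaml fragment illustrating approach 1 above.
# Plug name, app name and command are assumed, not taken from the real snap.
plugs:
  # system-files lets a strictly confined app see a host path. Listing the
  # path under "read" (and not "write") keeps the grant read-only and scoped
  # to the policies directory, so the snap gains no other visibility into /etc
  # and cannot alter the policies the administrator deployed there.
  etc-firefox-policies:
    interface: system-files
    read:
      - /etc/firefox/policies

apps:
  firefox:
    command: firefox   # placeholder; the real snap's launcher differs
    plugs:
      # Connecting the plug is what makes /etc/firefox/policies/policies.json
      # visible to Firefox inside the snap, so host policies apply unchanged.
      - etc-firefox-policies
```

system-files plugs are not connected automatically unless the store has approved an auto-connect request (the one for this snap is linked in comment 7); until then an administrator connects it with `sudo snap connect firefox:etc-firefox-policies`, and `snap connections firefox` shows whether the plug is connected.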
Comment 1 • 3 years ago
The Bugbug bot thinks this bug should belong to the 'Firefox::Enterprise Policies' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2 • 3 years ago
We do have a better way to disable updates for the snap now (because we've been disabling it for other packaged formats).
We definitely should do 1 because it would be weird if the Snap bypassed machine policy.
Comment 3 • 3 years ago (assignee)
(In reply to Mike Kaply [:mkaply] from comment #2)
> We do have a better way to disable updates for the snap now (because we've been disabling for other packaged formats).
Excellent, can you point me to that other mechanism to disable app updates? I'll change that together with adding the plug to allow reading from /etc/firefox/policies/.
Comment 4 • 3 years ago (assignee)

Updated • 3 years ago

Comment 6 • 3 years ago (assignee)
Comment on attachment 9228192 [details]
WIP: Bug 1717216 - allow the snap package to read policies in /etc/firefox/policies/.
Beta/Release Uplift Approval Request
- User impact if declined: Users of the firefox snap can't use enterprise policies (this is not a regression).
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Only affects the snap package.
- String changes made/needed:
Comment 7 • 3 years ago (assignee)
Corresponding snap store request to auto-connect the interface: https://forum.snapcraft.io/t/auto-connecting-the-system-files-interface-for-the-firefox-snap/25103.
Comment 8 • 3 years ago
Backed out for causing snap failures.
- backout: https://hg.mozilla.org/integration/autoland/rev/e140165d39d61c3735b9e6af6e9193fdff773829
- failure logs:
Updated • 3 years ago

Comment 9 • 3 years ago (assignee)
There are some intermittent failures in the snap store at the moment, see https://status.snapcraft.io/, and this is what is causing builds to fail.
Not linked to the actual changes, those should be re-landed and builds retried when the snap store's status is back to normal.
Comment 10 • 3 years ago

Comment 11 • 3 years ago
Relanded the changes, since snapcraft looks to be ok: https://hg.mozilla.org/integration/autoland/rev/a2d65d785d3058f6e003ea77730da68195617a66
Comment 12 • 3 years ago
bugherder

Comment 13 • 3 years ago
(In reply to Olivier Tilloy from comment #6)
> - User impact if declined: Users of the firefox snap can't use enterprise policies (this is not a regression).

Given this is not a regression what's the reason to rush this into 90 late in the cycle?

> - Risk to taking this patch: Low
> - Why is the change risky/not risky? (and alternatives if risky): Only affects the snap package.

That works both ways, though...
Comment 14 • 3 years ago (assignee)
(In reply to Julien Cristau [:jcristau] from comment #13)
> (In reply to Olivier Tilloy from comment #6)
> > - User impact if declined: Users of the firefox snap can't use enterprise policies (this is not a regression).
>
> Given this is not a regression what's the reason to rush this into 90 late in the cycle?

Corporate users of the firefox snap have recently expressed interest in policies, hence my work on this, and I was hoping to enable them as soon as possible, otherwise they'd have to wait for another 4 weeks. It's not a terribly big deal if they have to, but given the low-risk and no-impact (on anything other than the snap package) effect of this change, I deemed it worth proposing even at this late stage. This is your call, either way will be fine. Thanks!
Comment 15 • 3 years ago (assignee)
Comment on attachment 9228192 [details]
WIP: Bug 1717216 - allow the snap package to read policies in /etc/firefox/policies/.
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Corporate users of the firefox ESR snap have recently expressed interest in policies.
- User impact if declined: Users of the firefox ESR snap can't use enterprise policies (this is not a regression).
- Fix Landed on Version: 91
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Only affects the snap package.
- String or UUID changes made by this patch:
Comment 16 • 3 years ago
Thanks for the extra background. Let's aim to get this in 78.13 alongside 91.
Comment 17 • 3 years ago
Olivier:
See bug 1709978 for the Windows version.
Once this is checked in, I'm going to work on generalizing it for packaged apps (not just Windows) and we could use it for Snap and Flatpak.
Then we don't have to use a build flag to turn off the updater.
Comment 18 • 3 years ago
Olivier, can you confirm this is working in the snap package for 91 beta?
Comment 19 • 3 years ago
Comment on attachment 9228192 [details]
WIP: Bug 1717216 - allow the snap package to read policies in /etc/firefox/policies/.
approved for 78.13esr
Comment 20 • 3 years ago (assignee)
(In reply to Julien Cristau [:jcristau] from comment #18)
> Olivier, can you confirm this is working in the snap package for 91 beta?
Tested with the firefox 91.0b2-1 snap from the beta channel (revision 563), and I can confirm this works as expected.
Comment 21 • 3 years ago
bugherder uplift