Closed Bug 1717216 Opened 11 months ago Closed 11 months ago

Enterprise policies for snap users

Categories

Product/Component: Firefox :: Enterprise Policies
Type: defect
Version: Firefox 89

Tracking

Status: RESOLVED FIXED
Target Milestone: 91 Branch
Tracking Status
firefox-esr78 91+ fixed
firefox89 --- wontfix
firefox90 --- wontfix
firefox91 --- fixed

People

(Reporter: olivier, Assigned: olivier)

References

(Blocks 1 open bug)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0

Steps to reproduce:

The snap package for Firefox currently ships with a policies.json file in distribution/ that disables app updates (https://hg.mozilla.org/mozilla-central/file/tip/taskcluster/docker/firefox-snap/policies.json).
This works well for the purpose of disabling app updates, but as snaps are read-only file-systems, this means that no-one (not even a sysadmin) can modify that policies.json file to manage enterprise policies.

I can see two possible approaches to address this problem:

  1. In an unconfined environment, firefox will look for policies in /etc/firefox/policies/policies.json. A snapped application normally can't see that location on the host, but the system-files interface (https://snapcraft.io/docs/system-files-interface) can help with this. This would have the benefit that existing policies would become available to the snap, without any intervention on the sysadmin's part.

  2. The snap packaging can define a layout to symlink $SNAP/distribution/policies.json to a writable location, e.g. $SNAP_DATA/policies.json ($SNAP_DATA typically resolves to /var/snap/firefox/current). $SNAP_DATA is read-only for normal users, but sysadmins can write to it, making it a suitable location for enterprise policies. For existing deployments, this would require a one-off relocation of existing policies from /etc/firefox/policies/policies.json to /var/snap/firefox/current/policies.json.

With either approach, app updates should be disabled in a different way (not using a policy).
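As an added illustration of approach 1 (the one the landed patch takes), this snapcraft.yaml fragment is not the Firefox snap's real packaging; the plug name `etc-firefox-policies` and the `apps` stanza are assumptions.

```yaml
# Added illustration of approach 1 from the bug description; this is not the
# Firefox snap's real snapcraft.yaml. Plug name and app stanza are assumed.

plugs:
  # system-files is a privileged interface: the path list is fixed at build
  # time and the store must approve auto-connection (the bug links the forum
  # request for that). Without store approval an admin connects it manually:
  #   sudo snap connect firefox:etc-firefox-policies
  etc-firefox-policies:
    interface: system-files
    read:
      # Read-only view of the host directory an unconfined Firefox already
      # reads. Only root can write here, so ordinary users still cannot
      # plant a policies.json that the snap would honour.
      - /etc/firefox/policies

apps:
  firefox:
    command: firefox   # assumed launcher; not shown in the bug
    plugs:
      - etc-firefox-policies
```

After installation, `snap connections firefox` shows whether the plug is connected, and Firefox lists the policies it actually loaded in about:policies.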

The Bugbug bot thinks this bug should belong to the 'Firefox::Enterprise Policies' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Enterprise Policies
Blocks: snap

We do have a better way to disable updates for the snap now (because we've been disabling for other packaged formats).

We definitely should do 1 because it would be weird if the Snap bypassed machine policy.

(In reply to Mike Kaply [:mkaply] from comment #2)

We do have a better way to disable updates for the snap now (because we've been disabling for other packaged formats).

Excellent, can you point me to that other mechanism to disable app updates? I'll change that together with adding the plug to allow reading from /etc/firefox/policies/.

Flags: needinfo?(mozilla)
Assignee: nobody → olivier
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/7e61366c64c5
WIP: Bug 1717216 - allow the snap package to read policies in /etc/firefox/policies/. r=mkaply DONTBUILD

Comment on attachment 9228192 [details]
WIP: Bug 1717216 - allow the snap package to read policies in /etc/firefox/policies/.

Beta/Release Uplift Approval Request

  • User impact if declined: Users of the firefox snap can't use enterprise policies (this is not a regression).
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Only affects the snap package.
  • String changes made/needed:
Attachment #9228192 - Flags: approval-mozilla-beta?

Corresponding snap store request to auto-connect the interface: https://forum.snapcraft.io/t/auto-connecting-the-system-files-interface-for-the-firefox-snap/25103.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

There are some intermittent failures in the snap store at the moment, see https://status.snapcraft.io/, and this is what is causing builds to fail.
Not linked to the actual changes, those should be re-landed and builds retried when the snap store's status is back to normal.

Flags: needinfo?(olivier)
Pushed by malexandru@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a2d65d785d30
WIP: Bug 1717216 - allow the snap package to read policies in /etc/firefox/policies/. r=mkaply DONTBUILD
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch

(In reply to Olivier Tilloy from comment #6)

  • User impact if declined: Users of the firefox snap can't use enterprise policies (this is not a regression).

Given this is not a regression what's the reason to rush this into 90 late in the cycle?

  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Only affects the snap package.

That works both ways, though...

Flags: needinfo?(olivier)

(In reply to Julien Cristau [:jcristau] from comment #13)

(In reply to Olivier Tilloy from comment #6)

  • User impact if declined: Users of the firefox snap can't use enterprise policies (this is not a regression).

Given this is not a regression what's the reason to rush this into 90 late in the cycle?

Corporate users of the firefox snap have recently expressed interest in policies, hence my work on this, and I was hoping to enable them as soon as possible, otherwise they'd have to wait for another 4 weeks. It's not a terribly big deal if they have to, but given the low-risk and no-impact (on anything else than the snap package) effect of this change, I deemed it worth proposing even at this late stage. This is your call, either way will be fine. Thanks!

Flags: needinfo?(olivier)

Comment on attachment 9228192 [details]
WIP: Bug 1717216 - allow the snap package to read policies in /etc/firefox/policies/.

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Corporate users of the firefox ESR snap have recently expressed interest in policies.
  • User impact if declined: Users of the firefox ESR snap can't use enterprise policies (this is not a regression).
  • Fix Landed on Version: 91
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Only affects the snap package.
  • String or UUID changes made by this patch:
Attachment #9228192 - Flags: approval-mozilla-beta? → approval-mozilla-esr78?

Thanks for the extra background. Let's aim to get this in 78.13 alongside 91.

Olivier:

See bug 1709978 for the Windows version.

Once this is checked in, I'm going to work on generalizing it for packaged apps (not just Windows) and we could use for Snap and Flatpak.

Then we don't have to use a build flag to turn off the updater.

Flags: needinfo?(mozilla)

Olivier, can you confirm this is working in the snap package for 91 beta?

Flags: needinfo?(olivier)

Comment on attachment 9228192 [details]
WIP: Bug 1717216 - allow the snap package to read policies in /etc/firefox/policies/.

approved for 78.13esr

Attachment #9228192 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+

(In reply to Julien Cristau [:jcristau] from comment #18)

Olivier, can you confirm this is working in the snap package for 91 beta?

Tested with the firefox 91.0b2-1 snap from the beta channel (revision 563), and I can confirm this works as expected.

Flags: needinfo?(olivier)