Make Tails Upgrader a native Wayland app
Originally created by @intrigeri on #14718 (Redmine)
Parent Task: #12213 (closed)
Status quo
- !838 (merged) made the Upgrader run under XWayland
- Making the Upgrader GUI run as a native Wayland app, as the `amnesia` user, would have benefits
- But if we do #18086, we won't need to do that.
Strategy
So let's see if we can cheaply make the Upgrader GUI run as `amnesia` under Wayland.
This might be doable since all privileged operations it does already live in dedicated commands, run via sudo, which is quite close to what we would expect from a privileged backend API.
Draft design
- privileged backend, similar to tca-portal:
  - exposes an API for the operations currently done via `sudo`
    - Current architecture: see "Privilege separation" in https://tails.boum.org/contribute/design/incremental_upgrades/, possibly a bit outdated but gives a good overview.
    - Current implementation: https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
    - It could run the existing commands and pass the result to the frontend ⇒ could be implemented in Python, like `tca-portal`.
  - listens on a Unix domain socket which is only accessible by root
- privileged wrapper for the frontend
  - is started by `/usr/local/bin/tails-upgrade-frontend-wrapper`, which itself is started by `tails-upgrade-frontend.service`
  - written in Python
  - runs as root
  - the amnesia user is allowed to run it as root
  - connects to the backend's socket, then starts the frontend as the amnesia user, passing it that file descriptor
- frontend:
  - runs as the amnesia user
  - how to migrate the current code: replace every `sudo PROGRAM` with the corresponding API call to the backend
  - Perl
  - still uses Zenity: let's not invest more than necessary into this custom Upgrader
- privileged commands run by the backend
  - no change needed there
  - Perl
- porting the current iuk test suite:
  - has to start the privileged backend with a bunch of `--override_*` options, just like it currently starts the frontend
  - has to manage the life cycle of the backend: can be done with `systemd-run`, which is already used in that very test suite for nginx → no big problem
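The backend / wrapper / frontend split sketched above, as an added Python example that is not Tails code: the backend only runs whitelisted operations, and the frontend reaches it solely through a descriptor it inherits rather than via `sudo`. The operation name `check_target` is hypothetical, and a thread plus `socketpair()` stands in for the root-only Unix socket so the example runs without privileges.

```python
import json
import os
import socket
import threading

# Whitelist of operations the backend will run on behalf of the frontend.
# "check_target" is a hypothetical stand-in; the real Upgrader commands are
# the ones listed in the sudoers file linked above.
ALLOWED_OPS = {
    "check_target": lambda args: {"status": "ok", "target": args.get("target")},
}


def backend_serve(conn):
    """Privileged side: one JSON request per line; reject anything not whitelisted."""
    with conn, conn.makefile("rb") as reader:
        for line in reader:
            req = json.loads(line)
            op = req.get("op")
            if op in ALLOWED_OPS:
                reply = ALLOWED_OPS[op](req.get("args", {}))
            else:
                reply = {"error": "operation not allowed: %r" % (op,)}
            conn.sendall(json.dumps(reply).encode() + b"\n")


def frontend_call(fd, op, args=None):
    """Unprivileged side: talk to the backend only through the inherited descriptor."""
    with socket.socket(fileno=fd) as conn, conn.makefile("rb") as reader:
        conn.sendall(json.dumps({"op": op, "args": args or {}}).encode() + b"\n")
        return json.loads(reader.readline())


def wrapper_demo(op, args=None):
    """Stand-in for the root wrapper: obtain the backend connection, hand the
    frontend nothing but an inheritable fd number, then run the frontend.
    A thread replaces the root-only socket so this runs unprivileged."""
    backend_end, frontend_end = socket.socketpair()
    threading.Thread(target=backend_serve, args=(backend_end,), daemon=True).start()
    fd = frontend_end.detach()      # the socket object gives up ownership of the fd
    os.set_inheritable(fd, True)    # an exec'd frontend would keep it across exec
    # A real wrapper would now drop to the amnesia user and exec the frontend,
    # telling it the fd number; here the frontend code is called directly.
    return frontend_call(fd, op, args)
```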
Expected challenges
- Exposing download progress and speed in the GUI is tricky if we keep treating downloads as an operation that must run as non-amnesia: the backend would need to keep the frontend updated about this, as opposed to merely signaling completion.
- It's probably OK to run `tails-iuk-get-target-file` as the `amnesia` user, without using the privileged backend, which would solve this problem. But it has to download to a location that's not writable by other apps running as `amnesia`. How? Another file descriptor passed by the wrapper, and then we download to `/proc/$FRONTEND_PID/fd/$FD_ID`?
Related issues
- Blocks #17068
Edited by intrigeri