authorKali Kaneko <kali@leap.se>2018-04-03 02:45:34 +0200
committerRuben Pollan <meskio@sindominio.net>2018-04-11 16:40:10 +0200
commit3169015c5f5eaed5f2ad48e486b1fe96e1eb6bbe (patch)
tree6394836b65afb6be4768504474964e677c75210a
parent309ea9c35743c11dd29d809e713274840fb0b145 (diff)
several fixes for riseupvpn snap
- move snap folder to root folder, to allow automated builds - install only polkit file outside of snap - change path of bitmask-root accordingly in bitmask - fix check for polkit file inside snap - change and document the algorithm for picking bitmask-root in linux - add LD_LIBRARY_PATH as an environment entry for bitmask-systray
-rw-r--r--.gitignore8
-rw-r--r--Makefile7
-rw-r--r--docs/changelog.rst9
-rw-r--r--pkg/riseupvpn/Makefile8
-rw-r--r--pkg/riseupvpn/README.rst20
-rwxr-xr-xpkg/riseupvpn/pack_installers34
-rw-r--r--pkg/riseupvpn/snap/.snapcraft/state3
-rwxr-xr-xpkg/riseupvpn/snap/hooks/remove7
-rw-r--r--pkg/riseupvpn/snap/snapcraft.yaml94
-rw-r--r--snap/gui/riseup-vpn.desktop (renamed from pkg/riseupvpn/snap/gui/riseup-vpn.desktop)0
-rw-r--r--snap/gui/riseupvpn.svg (renamed from pkg/riseupvpn/snap/gui/riseupvpn.svg)0
-rwxr-xr-xsnap/hooks/install11
-rwxr-xr-xsnap/hooks/remove6
-rw-r--r--snap/snapcraft.yaml108
-rw-r--r--src/leap/bitmask/vpn/constants.py7
-rw-r--r--src/leap/bitmask/vpn/fw/firewall.py25
-rw-r--r--src/leap/bitmask/vpn/helpers/__init__.py21
-rw-r--r--src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy23
-rw-r--r--src/leap/bitmask/vpn/launchers/linux.py18
-rw-r--r--src/leap/bitmask/vpn/process.py1
20 files changed, 254 insertions, 156 deletions
diff --git a/.gitignore b/.gitignore
index fc1463e4..9fa8da01 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,3 +56,11 @@ NOTES
# temporary home folders for functional tests
/tmp/
+
+# snaps
+parts
+prime
+stage
+*.snap
+*.tar.bz2
+snap/.snapcraft
diff --git a/Makefile b/Makefile
index f6895358..153d6130 100644
--- a/Makefile
+++ b/Makefile
@@ -119,6 +119,13 @@ bundle_in_docker_virtualenv:
cp -r bitmaskbuild/$(DIST_VERSION) dist/
rm -rf bitmaskbuild
+snap_in_docker:
+ cd pkg/riseupvpn && ./pack_installers && cd ..
+ sudo docker run -v $(PWD):$(PWD) -w $(PWD) snapcore/snapcraft snapcraft
+
+snap_clean:
+ sudo rm -rf stage prime parts
+
upload:
python setup.py sdist bdist_wheel --universal upload --sign -i kali@leap.se -r pypi
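Review bot: The `snap_in_docker` recipe runs `snapcore/snapcraft` with no tag or digest, so every build pulls whatever the default tag currently points at and runs it through `sudo docker run` with the whole checkout bind-mounted read-write. Pinning the image, e.g. `snapcore/snapcraft@sha256:<digest-placeholder>`, keeps release builds reproducible and limits exposure to a changed upstream image. The trailing `&& cd ..` on the `pack_installers` line has no effect, because make runs each recipe line in its own shell.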
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 04778592..de4c7f94 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -5,6 +5,15 @@ Changelog
-------------------------------
.. note:: This version is not yet released and is under active development.
+Misc
+~~~~
+- Fix snap bug in install hook when python2 was not installed.
+- Install only the polkit file outside of classic confinement snap.
+- Document algorithm for picking bitmask-root.
+- Use LD_LIBRARY_PATH for bitmask_systray in RiseupVPN snap (makes snap run fine in bionic).
+- Move snap folder to topmost folder.
+
+
0.10.5
-------------------------------
diff --git a/pkg/riseupvpn/Makefile b/pkg/riseupvpn/Makefile
index 58079cc6..6c0e5855 100644
--- a/pkg/riseupvpn/Makefile
+++ b/pkg/riseupvpn/Makefile
@@ -3,13 +3,13 @@
# We have to use classic confinement because it does not seem to be another way, at the moment,
# to use policykit.
-build: helpers
- # for speeding up build, see https://tribaal.io/making-lxd-fly-on-ubuntu-as-well.html
- sudo snapcraft cleanbuild
helpers:
./pack_installers
+build: helpers
+ # for speeding up build, see https://tribaal.io/making-lxd-fly-on-ubuntu-as-well.html
+ cd ../.. && sudo snapcraft cleanbuild
install:
- sudo snap install riseup-vpn_*.snap --dangerous --classic
+ cd ../.. && sudo snap install riseup-vpn_*.snap --dangerous --classic
uninstall:
sudo snap remove riseup-vpn
deps:
diff --git a/pkg/riseupvpn/README.rst b/pkg/riseupvpn/README.rst
index 085ffe39..29ced8f9 100644
--- a/pkg/riseupvpn/README.rst
+++ b/pkg/riseupvpn/README.rst
@@ -12,21 +12,25 @@ minimalistic systray written in golang https://0xacab.org/leap/bitmask-systray
that makes use of libappindicator for displaying notifications.
Currently, RiseupVPN is distributed as a snap package. It uses classic
-confinement because it needs to install bitmask-root in the system, and a
-polkit policy file so that bitmask-root and openvpn can be executed without
-asking user for permission each time.
+confinement because it needs to install a polkit policy file so that
+bitmask-root and openvpn can be executed without asking user for permission
+each time.
Usage
-----
-Until the snap package gets approved in the snap store, you can use the snap as follows::
+You can get the snap from the store::
- wget https://downloads.leap.se/RiseupVPN/linux/riseup-vpn_0.10.4_amd64.snap
sudo apt install snapd
- sudo snap install riseup-vpn_0.10.4_amd64.snap --dangerous --classic
+ sudo snap install riseup-vpn --classic
-That should have made a new application called RiseupVPN in your launchers.
-You can also launch it manually like this::
+If you want to build the local snap::
+
+ make build
+ sudo snap install riseup-vpn_*.snap --classic
+
+That should have added a new application called RiseupVPN in your desktop
+launchers. You can also launch it manually like this::
/snap/bin/riseup-vpn.launcher
diff --git a/pkg/riseupvpn/pack_installers b/pkg/riseupvpn/pack_installers
index eb3a08bb..629e4157 100755
--- a/pkg/riseupvpn/pack_installers
+++ b/pkg/riseupvpn/pack_installers
@@ -1,37 +1,27 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
import os
import subprocess
from base64 import encodestring as encode
HELPDIR = '../../src/leap/bitmask/vpn/helpers/linux/'
-INSTALL = './snap/hooks/install'
+INSTALL = '../../snap/hooks/install'
+POLKIT_FILE = 'se.leap.bitmask.riseupvpn.policy'
-with open(os.path.join(HELPDIR, 'bitmask-root')) as bmroot:
- b64_bmroot = encode(bmroot.read())
-
-with open(os.path.join(HELPDIR, 'se.leap.bitmask.bundle.policy')) as polkit:
- b64_polkit = encode(polkit.read())
+with open(os.path.join(HELPDIR, POLKIT_FILE)) as polkit:
+ b64_polkit = encode(polkit.read().encode())
with open(INSTALL, 'w') as install:
- install.write('#!/usr/bin/env python\n')
+ install.write('#!/usr/bin/env python3\n')
install.write('# This helper installs bitmask-root and polkit policy file\n')
install.write('import subprocess\n')
install.write('from base64 import decodestring as decode\n')
install.write("""
-BMROOT = \"\"\"{bmroot}\"\"\"
-POLKIT = \"\"\"{polkit}\"\"\"
-BMROOT_DEST = "/usr/local/sbin/bitmask-root"
-with open(BMROOT_DEST, "w") as bmroot:
- lines = str(decode(BMROOT)).split("\\n")
- for i, line in enumerate(lines):
- bmroot.write(line)
- if i + 1 != len(lines):
- bmroot.write("\\n")
-with open('/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy', 'w') as polkit:
- lines = str(decode(POLKIT)).split("\\n")
+POLKIT = {polkit}
+
+with open('/usr/share/polkit-1/actions/{polkit_file}', 'w') as polkit:
+ lines = decode(POLKIT).split(b"\\n")
for line in lines:
- polkit.write(line + "\\n")
-""".format(bmroot=b64_bmroot, polkit=b64_polkit))
- install.write('subprocess.Popen(["chmod", "+x", BMROOT_DEST])\n')
+ polkit.write(line.decode() + "\\n")
+""".format(polkit=b64_polkit, polkit_file=POLKIT_FILE))
subprocess.Popen(["chmod", "+x", INSTALL])
print("done packing installers into the snap install hook...")
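Review bot: `encodestring`, and the `decodestring` import this script writes into the hook, are deprecated aliases in Python 3 and were removed in 3.9, so with the new `python3` shebangs both this script and the generated `snap/hooks/install` (the new-file hunk further down carries the same import) break on a newer interpreter. Use `from base64 import encodebytes as encode` here and write `from base64 import decodebytes as decode` into the hook. The header comment still written into the hook, `# This helper installs bitmask-root and polkit policy file`, is stale now that only the policy is installed; `# This helper installs the polkit policy file` matches the new behaviour. The final `subprocess.Popen(["chmod", "+x", INSTALL])` is never waited on, so a failed chmod goes unnoticed before the "done" message is printed.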
diff --git a/pkg/riseupvpn/snap/.snapcraft/state b/pkg/riseupvpn/snap/.snapcraft/state
deleted file mode 100644
index 34977889..00000000
--- a/pkg/riseupvpn/snap/.snapcraft/state
+++ /dev/null
@@ -1,3 +0,0 @@
-!GlobalState
-assets:
- build-packages: []
diff --git a/pkg/riseupvpn/snap/hooks/remove b/pkg/riseupvpn/snap/hooks/remove
deleted file mode 100755
index c7442a26..00000000
--- a/pkg/riseupvpn/snap/hooks/remove
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-set -e
-
-echo "Executing remove hook for RiseupVPN"
-rm "/usr/local/sbin/bitmask-root"
-rm "/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy"
-echo "done"
diff --git a/pkg/riseupvpn/snap/snapcraft.yaml b/pkg/riseupvpn/snap/snapcraft.yaml
deleted file mode 100644
index 064a48ae..00000000
--- a/pkg/riseupvpn/snap/snapcraft.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
-name: riseup-vpn
-version: '0.10.4'
-epoch: 0
-summary: RiseupVPN, anonymous VPN. Powered by Bitmask.
-description: |
- RiseupVPN is an easy, fast, and secure VPN service from riseup.net.
- RiseupVPN does not require a user account, keep logs, or track you in
- any way. The service is paid for entirely by donations from users like
- you.
-
-grade: stable # must be 'stable' to release into candidate/stable channels. switch to devel in snap branch.
-confinement: classic
-icon: snap/gui/riseupvpn.svg
-
-parts:
-
- bitmask:
- plugin: python
- python-version: python2
- source-branch: master
- source: https://0xacab.org/leap/bitmask-dev.git
- requirements: pkg/requirements-vpn.pip
- stage-packages:
- # this seems to trigger https://bugs.launchpad.net/snapcraft/+bug/1676684
- - python2.7-dev
- - libsqlcipher-dev
- - libffi-dev
- - libsqlite3-dev
- - libzmq3-dev
- prime:
- - -usr/include
- - -usr/lib/locale
- - -usr/share/X11/locale
- - -usr/share/doc
- - -usr/share/locale
- - -usr/share/man
- #- -usr/share/icons
- openvpn:
- plugin: nil
- stage-packages:
- - openvpn
- prime:
- - -usr/share/doc
- - -usr/share/man
- bitmask-systray:
- plugin: go
- source: https://0xacab.org/leap/bitmask-systray.git
- build-packages:
- - pkg-config
- - patchelf
- - libzmq5
- - libzmq3-dev
- - libsodium-dev
- - libappindicator3-dev
- - libgtk-3-dev
- stage-packages:
- - libzmq5
- - libsodium18
- - libappindicator3-1
- install: |
- TRIPLET_PATH="$SNAPCRAFT_PART_INSTALL/usr/lib/$(gcc -print-multiarch)"
- LIBZMQ=$(readlink -n $TRIPLET_PATH/libzmq.so.5)
- LIBSOD=$(readlink -n $TRIPLET_PATH/libsodium.so.18)
- ln -s "../usr/lib/$(gcc -print-multiarch)/$LIBZMQ" $SNAPCRAFT_PART_INSTALL/bin/libzmq.so.5
- ln -s "../usr/lib/$(gcc -print-multiarch)/$LIBSOD" $SNAPCRAFT_PART_INSTALL/bin/libsodium.so.18
- patchelf --set-rpath /snap/riseup-vpn/current/bin/ $SNAPCRAFT_PART_INSTALL/bin/bitmask-systray.git
- prime:
- - -usr/include
- - -usr/lib/locale
- - -usr/share/X11/locale
- - -usr/share/doc
- - -usr/share/locale
- - -usr/share/man
- #- -usr/share/icons
- desktop-gtk3:
- prime:
- - -usr/include
- - -usr/lib/locale
- - -usr/share/X11/locale
- - -usr/share/doc
- - -usr/share/locale
- - -usr/share/man
- #- -usr/share/icons
- - '*'
-
-apps:
- launcher:
- command: ./bin/bitmask_anonvpn
- openvpn:
- command: ./usr/sbin/openvpn
- bitmaskd:
- command: ./bin/bitmaskd
- bitmask-systray:
- command: ./bin/bitmask-systray.git
diff --git a/pkg/riseupvpn/snap/gui/riseup-vpn.desktop b/snap/gui/riseup-vpn.desktop
index e325b204..e325b204 100644
--- a/pkg/riseupvpn/snap/gui/riseup-vpn.desktop
+++ b/snap/gui/riseup-vpn.desktop
diff --git a/pkg/riseupvpn/snap/gui/riseupvpn.svg b/snap/gui/riseupvpn.svg
index a19c6c61..a19c6c61 100644
--- a/pkg/riseupvpn/snap/gui/riseupvpn.svg
+++ b/snap/gui/riseupvpn.svg
diff --git a/snap/hooks/install b/snap/hooks/install
new file mode 100755
index 00000000..95207387
--- /dev/null
+++ b/snap/hooks/install
@@ -0,0 +1,11 @@
+#!/usr/bin/env python3
+# This helper installs bitmask-root and polkit policy file
+import subprocess
+from base64 import decodestring as decode
+
+POLKIT = b'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBvbGljeWNv\nbmZpZyBQVUJMSUMKICItLy9mcmVlZGVza3RvcC8vRFREIFBvbGljeUtpdCBQb2xpY3kgQ29uZmln\ndXJhdGlvbiAxLjAvL0VOIgogImh0dHA6Ly93d3cuZnJlZWRlc2t0b3Aub3JnL3N0YW5kYXJkcy9Q\nb2xpY3lLaXQvMS9wb2xpY3ljb25maWcuZHRkIj4KPHBvbGljeWNvbmZpZz4KCiAgPHZlbmRvcj5M\nRUFQIFByb2plY3Q8L3ZlbmRvcj4KICA8dmVuZG9yX3VybD5odHRwOi8vbGVhcC5zZS88L3ZlbmRv\ncl91cmw+CgogIDxhY3Rpb24gaWQ9InNlLmxlYXAuYml0bWFzay5yaXNldXB2cG4ucG9saWN5Ij4K\nICAgIDxkZXNjcmlwdGlvbj5SdW5zIGJpdG1hc2sgaGVscGVyIHRvIGxhdW5jaCBmaXJld2FsbCBh\nbmQgb3BlbnZwbiAoUmlzZXVwVlBOKTwvZGVzY3JpcHRpb24+CiAgICA8ZGVzY3JpcHRpb24geG1s\nOmxhbmc9ImVzIj5FamVjdXRhIGVsIGFzaXN0ZW50ZSBkZSBiaXRtYXNrIHBhcmEgbGFuemFyIGVs\nIGZpcmV3YWxsIHkgb3BlbnZwbiAoUmlzZXVwVlBOKTwvZGVzY3JpcHRpb24+CiAgICA8bWVzc2Fn\nZT5SaXNldXBWUE4gbmVlZHMgdGhhdCB5b3UgYXV0aGVudGljYXRlIHRvIHN0YXJ0PC9tZXNzYWdl\nPgogICAgPG1lc3NhZ2UgeG1sOmxhbmc9ImVzIj5SaXNldXBWUE4gbmVjZXNpdGEgYXV0b3JpemFj\naW9uIHBhcmEgY29tZW56YXI8L21lc3NhZ2U+CiAgICA8aWNvbl9uYW1lPnBhY2thZ2UteC1nZW5l\ncmljPC9pY29uX25hbWU+IAogICAgPGRlZmF1bHRzPgogICAgICA8YWxsb3dfYW55PnllczwvYWxs\nb3dfYW55PgogICAgICA8YWxsb3dfaW5hY3RpdmU+eWVzPC9hbGxvd19pbmFjdGl2ZT4KICAgICAg\nPGFsbG93X2FjdGl2ZT55ZXM8L2FsbG93X2FjdGl2ZT4KICAgIDwvZGVmYXVsdHM+CiAgICA8YW5u\nb3RhdGUga2V5PSJvcmcuZnJlZWRlc2t0b3AucG9saWN5a2l0LmV4ZWMucGF0aCI+L3NuYXAvYmlu\nL3Jpc2V1cC12cG4uYml0bWFzay1yb290PC9hbm5vdGF0ZT4KICA8L2FjdGlvbj4KPC9wb2xpY3lj\nb25maWc+Cg==\n'
+
+with open('/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy', 'w') as polkit:
+ lines = decode(POLKIT).split(b"\n")
+ for line in lines:
+ polkit.write(line.decode() + "\n")
diff --git a/snap/hooks/remove b/snap/hooks/remove
new file mode 100755
index 00000000..6aebbe10
--- /dev/null
+++ b/snap/hooks/remove
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+echo "Executing remove hook for RiseupVPN"
+rm "/usr/share/polkit-1/actions/se.leap.bitmask.snap.policy"
+echo "done"
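Review bot: The `rm` targets `se.leap.bitmask.snap.policy`, but the install hook in this commit writes `/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy`. Under `set -e` the remove hook therefore fails on the missing file, and the installed policy, which authorises running bitmask-root through pkexec, stays on the host after the snap is removed. Change the line to `rm -f "/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy"`; `-f` also keeps removal from aborting when the file was already deleted by hand.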
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
new file mode 100644
index 00000000..3702bed0
--- /dev/null
+++ b/snap/snapcraft.yaml
@@ -0,0 +1,108 @@
+name: riseup-vpn
+version: '0.10.5+git'
+epoch: 1
+summary: RiseupVPN, secure VPN. Powered by Bitmask.
+description: |
+ RiseupVPN is an easy, fast, and secure VPN service from riseup.net.
+ RiseupVPN does not require a user account, keep logs, or track you in
+ any way. The service is paid for entirely by donations from users like
+ you.
+
+grade: stable
+confinement: classic
+icon: snap/gui/riseupvpn.svg
+
+parts:
+ desktop-gtk3:
+ prime:
+ - '*'
+ - -usr/include
+ - -usr/lib/locale
+ - -usr/share/X11/locale
+ - -usr/share/doc
+ - -usr/share/locale
+ - -usr/share/man
+
+ bitmask:
+ #after: [gnome-3-26, desktop-gtk3]
+ after: [desktop-gtk3]
+ plugin: python
+ python-version: python2
+ source-branch: master
+ source: .
+ requirements: pkg/requirements-vpn.pip
+ stage-packages:
+ # this seems to trigger https://bugs.launchpad.net/snapcraft/+bug/1676684
+ - python2.7-dev
+ - libsqlcipher-dev
+ - libffi-dev
+ - libsqlite3-dev
+ - libzmq3-dev
+ prime:
+ - -usr/include
+ - -usr/lib/locale
+ - -usr/share/X11/locale
+ - -usr/share/doc
+ - -usr/share/locale
+ - -usr/share/man
+
+ openvpn:
+ plugin: nil
+ stage-packages:
+ - openvpn
+ prime:
+ - -usr/share/doc
+ - -usr/share/man
+ bitmask-systray:
+ after: [desktop-gtk3]
+ plugin: go
+ source: https://0xacab.org/leap/bitmask-systray.git
+ # prepare: XXX run systray tests here
+ build-packages:
+ - pkg-config
+ - patchelf
+ - libzmq5
+ - libzmq3-dev
+ - libsodium-dev
+ - libpcre3-dev
+ - libappindicator3-dev
+ - libgtk-3-dev
+ stage-packages:
+ - libzmq5
+ - libsodium18
+ - libpcre3
+ - libappindicator3-1
+ # prime:
+ # prime:-etc/fonts
+ # prime:-usr/include
+ # prime:-usr/bin
+ # prime:-usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/
+ # prime:-usr/lib/x86_64-linux-gnu/glib-2.0/
+ # prime:-usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/
+ # prime:-usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/printbackends/
+ # prime:-usr/lib/x86_64-linux-gnu/libgtk-3-0/gtk-query-immodules-3.0
+ # prime:-usr/lib/x86_64-linux-gnu/libwayland-*
+ # prime:-usr/sbin/update-icon-caches
+ # prime:-usr/share/doc
+ # prime:-usr/share/glib-2.0/schemas
+ # prime:-usr/share/icons
+ # prime:-usr/share/lintian
+ # prime:-usr/share/pkgconfig
+ # prime:-usr/share/theme
+ # prime:-usr/share/mime
+ # prime:-usr/lib/locale
+ # prime:-usr/share/locale
+
+apps:
+ launcher:
+ command: ./bin/bitmask_anonvpn
+ openvpn:
+ command: ./usr/sbin/openvpn
+ bitmaskd:
+ command: ./bin/bitmaskd
+ bitmask-systray:
+ command: ./bin/bitmask-systray.git
+ environment:
+ LD_LIBRARY_PATH: "$SNAP/usr/lib/$(gcc -print-multiarch):$SNAP/lib/$(gcc -print-multiarch):$LD_LIBRARY_PATH"
+ bitmask-root:
+ command: ./lib/python2.7/site-packages/leap/bitmask/vpn/helpers/linux/bitmask-root
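Review bot: The `LD_LIBRARY_PATH` entry for `bitmask-systray` ends in `:$LD_LIBRARY_PATH`, which leaves an empty element when the variable is unset in the user's session, and the dynamic loader treats an empty element as the current directory. The value also embeds `$(gcc -print-multiarch)`, which, if it is evaluated at launch at all, needs gcc on the user's machine; the build-time triplet avoids that, assuming this snapcraft version expands `$SNAPCRAFT_ARCH_TRIPLET` in `environment:`. Something like `LD_LIBRARY_PATH: "$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET:$SNAP/lib/$SNAPCRAFT_ARCH_TRIPLET"` covers both, unless the inherited value is really needed. Separately, the `bitmask-systray` part builds from `https://0xacab.org/leap/bitmask-systray.git` with no tag or commit pinned, so the shipped binary depends on whatever that repository holds at build time.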
diff --git a/src/leap/bitmask/vpn/constants.py b/src/leap/bitmask/vpn/constants.py
index dce5e81c..a380bc3c 100644
--- a/src/leap/bitmask/vpn/constants.py
+++ b/src/leap/bitmask/vpn/constants.py
@@ -23,10 +23,15 @@ from leap.bitmask.system import IS_LINUX
if IS_LINUX:
BITMASK_ROOT_SYSTEM = '/usr/sbin/bitmask-root'
BITMASK_ROOT_LOCAL = '/usr/local/sbin/bitmask-root'
+ # this should change when bitmask is also a snap. for now,
+ # snap is only RiseupVPN
+ BITMASK_ROOT_SNAP = '/snap/bin/riseup-vpn.bitmask-root'
+
OPENVPN_SYSTEM = '/usr/sbin/openvpn'
OPENVPN_LOCAL = '/usr/local/sbin/leap-openvpn'
# this should change when bitmask is also a snap. for now,
- # snap means RiseupVPN
+ # snap is only RiseupVPN
OPENVPN_SNAP = '/snap/bin/riseup-vpn.openvpn'
POLKIT_LOCAL = '/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy'
POLKIT_SYSTEM = '/usr/share/polkit-1/actions/se.leap.bitmask.policy'
+ POLKIT_SNAP = '/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy'
diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py
index 98b317b0..cc5d76d0 100644
--- a/src/leap/bitmask/vpn/fw/firewall.py
+++ b/src/leap/bitmask/vpn/fw/firewall.py
@@ -25,7 +25,10 @@ import subprocess
from twisted.logger import Logger
-from leap.bitmask.system import IS_MAC, IS_LINUX
+from leap.bitmask.system import IS_MAC, IS_LINUX, IS_SNAP
+from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM
+from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL
+from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP
from leap.common.events import catalog, emit_async
from leap.bitmask.vpn.launchers import darwin
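Review bot: The import line adds `IS_SNAP` but not `IS_STANDALONE`, which the next hunk uses in `elif IS_STANDALONE and os.path.isfile(BITMASK_ROOT_LOCAL):`. Unless that name is already imported outside the lines shown, the `_LinuxFirewallManager` class body raises NameError at import time on any non-snap install, because the selection runs when the class is defined. If it is missing, import it here from the module that defines it. The three `BITMASK_ROOT_*` imports could also be one statement, `from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM, BITMASK_ROOT_LOCAL, BITMASK_ROOT_SNAP`.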
@@ -87,11 +90,23 @@ class _LinuxFirewallManager(object):
This allows us to achieve fail close on a vpn connection.
"""
- _SYSTEM_BITMASK_ROOT = '/usr/sbin/bitmask-root'
- if os.path.isfile(_SYSTEM_BITMASK_ROOT):
- BITMASK_ROOT = _SYSTEM_BITMASK_ROOT
+ # TODO factor out choosing a version of bitmask-root.
+ # together with linux vpnlauncher.
+
+ if IS_SNAP:
+ # snap has its own version under /snap
+ BITMASK_ROOT = BITMASK_ROOT_SNAP
+ elif IS_STANDALONE and os.path.isfile(BITMASK_ROOT_LOCAL):
+ # if this is a bundle, we pick local. bundles ask to install it there.
+ BITMASK_ROOT = BITMASK_ROOT_LOCAL
else:
- BITMASK_ROOT = "/usr/local/sbin/bitmask-root"
+ if os.path.isfile(BITMASK_ROOT_SYSTEM):
+ # we can be running from the debian package,
+ # or some other distro. it's the maintainer responsibility to put bitmask-root there.
+ BITMASK_ROOT = BITMASK_ROOT_SYSTEM
+ else:
+ # as a last case, we fall back to installing into the /usr/local/sbin version.
+ BITMASK_ROOT = BITMASK_ROOT_LOCAL
def __init__(self, remotes):
"""
diff --git a/src/leap/bitmask/vpn/helpers/__init__.py b/src/leap/bitmask/vpn/helpers/__init__.py
index e932422d..96ec4f2e 100644
--- a/src/leap/bitmask/vpn/helpers/__init__.py
+++ b/src/leap/bitmask/vpn/helpers/__init__.py
@@ -18,13 +18,15 @@ if IS_LINUX:
from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM
from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL
+ from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP
from leap.bitmask.vpn.constants import OPENVPN_SYSTEM, OPENVPN_LOCAL
from leap.bitmask.vpn.constants import OPENVPN_SNAP
- from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL
+ from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL, POLKIT_SNAP
from leap.bitmask.vpn.privilege import is_pkexec_in_system
from leap.bitmask.vpn.privilege import LinuxPolicyChecker
def install():
+ print('installing bitmask helpers...')
helper_from = _config.get_bitmask_helper_path()
polkit_from = _config.get_bitmask_polkit_policy_path()
openvpn_from = _config.get_bitmask_openvpn_path()
@@ -86,7 +88,7 @@ if IS_LINUX:
return True
if IS_SNAP:
- if os.path.isfile(BITMASK_ROOT_LOCAL):
+ if os.path.isfile(BITMASK_ROOT_SNAP):
return True
log.error('Cannot find bitmask-root in snap')
return False
@@ -131,12 +133,17 @@ if IS_LINUX:
return False
def _check_polkit_file_exist():
- # XXX: we are just checking if there is any policy file installed not
- # if it's valid or if it's the correct one that will be used.
- # (if LOCAL is used if /usr/local/sbin/bitmask-root is used and SYSTEM
- # if /usr/sbin/bitmask-root)
+ """
+ We are just checking if there is any policy file installed not
+ if it's valid or if it's the correct one that will be used.
+
+ If LOCAL: we use /usr/local/sbin/bitmask-root
+ If SYSTEM: we use /usr/sbin/bitmask-root, and
+ if SNAP: we use /snap/bin/riseup-vpn.bitmask-root
+ """
return (os.path.exists(POLKIT_LOCAL) or
- os.path.exists(POLKIT_SYSTEM))
+ os.path.exists(POLKIT_SYSTEM) or
+ os.path.exists(POLKIT_SNAP))
def _exists_and_can_read(file_path):
return access(file_path, R_OK)
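Review bot: `_check_polkit_file_exist` passes if any of the three policy files exists, so under the snap a leftover `POLKIT_LOCAL` or `POLKIT_SYSTEM` file satisfies the check while `POLKIT_SNAP`, the policy this commit adds for `/snap/bin/riseup-vpn.bitmask-root`, is missing. When `IS_SNAP` is set the function could start with `if IS_SNAP: return os.path.exists(POLKIT_SNAP)` and keep the existing expression for the other cases. The new docstring would read better as a one-line summary followed by which policy file goes with which bitmask-root path; the current "If LOCAL: we use ..." wording describes helper paths rather than what the function checks. The enclosing `if IS_LINUX:` block starts outside the hunk.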
diff --git a/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy
new file mode 100644
index 00000000..3bdf06a6
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+ <vendor>LEAP Project</vendor>
+ <vendor_url>http://leap.se/</vendor_url>
+
+ <action id="se.leap.bitmask.riseupvpn.policy">
+ <description>Runs bitmask helper to launch firewall and openvpn (RiseupVPN)</description>
+ <description xml:lang="es">Ejecuta el asistente de bitmask para lanzar el firewall y openvpn (RiseupVPN)</description>
+ <message>RiseupVPN needs that you authenticate to start</message>
+ <message xml:lang="es">RiseupVPN necesita autorizacion para comenzar</message>
+ <icon_name>package-x-generic</icon_name>
+ <defaults>
+ <allow_any>yes</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.exec.path">/snap/bin/riseup-vpn.bitmask-root</annotate>
+ </action>
+</policyconfig>
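Review bot: The `<defaults>` block sets `allow_any`, `allow_inactive` and `allow_active` all to `yes`, so every local user, including inactive and remote sessions, can run `/snap/bin/riseup-vpn.bitmask-root` as root through pkexec without a prompt, although the `<message>` text says the user must authenticate. Since the description says this helper launches the firewall and openvpn, a tighter default such as `<allow_any>no</allow_any>`, `<allow_inactive>no</allow_inactive>` and `<allow_active>auth_admin_keep</allow_active>` limits who can reach it; keep `yes` only for the active session if a prompt-free start is a product requirement. With any `yes` value the helper's own argument validation is the only barrier for the allowed callers, which is worth stating in an XML comment above `<defaults>`.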
diff --git a/src/leap/bitmask/vpn/launchers/linux.py b/src/leap/bitmask/vpn/launchers/linux.py
index 748fe858..db8ffce7 100644
--- a/src/leap/bitmask/vpn/launchers/linux.py
+++ b/src/leap/bitmask/vpn/launchers/linux.py
@@ -86,15 +86,16 @@ class LinuxVPNLauncher(VPNLauncher):
class BITMASK_ROOT(object):
def __call__(self):
-
current_version = self._version(_config.get_bitmask_helper_path())
_sys = constants.BITMASK_ROOT_SYSTEM
_sys_version = 0
_local = constants.BITMASK_ROOT_LOCAL
_local_version = 0
+ _snap = constants.BITMASK_ROOT_SNAP
+ _snap_version = 0
if IS_SNAP:
- return _local
+ return _snap
if os.path.isfile(_sys):
_sys_version = self._version(_sys)
@@ -182,13 +183,22 @@ class LinuxVPNLauncher(VPNLauncher):
openvpn_verb)
if IS_SNAP:
- return ["pkexec", "/usr/local/sbin/bitmask-root",
+ # cannot reference bitmask_root because 'local variable command
+ # referenced before assignment' XXX bug!
+ # this should change when bitmask is also a snap. for now,
+ # snap means RiseupVPN
+ return ["pkexec", constants.BITMASK_ROOT_SNAP,
"openvpn", "start"] + command
- command.insert(0, force_eval(kls.BITMASK_ROOT))
+ bitmask_root = force_eval(kls.BITMASK_ROOT)
+ command.insert(0, bitmask_root)
command.insert(1, "openvpn")
command.insert(2, "start")
+ # this is a workaround for integration tests, since it's not
+ # trivial to run polkit inside docker containers.
+ # however, you might want to run bitmask as root under certain
+ # environments, like embedded devices.
if os.getuid() != 0:
policyChecker = LinuxPolicyChecker()
pkexec = policyChecker.get_usable_pkexec()
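Review bot: The snap branch returns `["pkexec", constants.BITMASK_ROOT_SNAP, "openvpn", "start"] + command` with a bare `pkexec` resolved through PATH, and it returns before the `os.getuid() != 0` / `LinuxPolicyChecker` code that the non-snap path reaches below. As far as the hunk shows, the snap therefore never checks that a usable pkexec exists, and an instance already running as root is still wrapped in pkexec. The new comment gives a "referenced before assignment" bug as the reason; it should say where that bug is tracked instead of `XXX bug!`, or the branch could set `bitmask_root = constants.BITMASK_ROOT_SNAP` and fall through to the shared code. The comment added above `if os.getuid() != 0:` would be clearer as `# only wrap with pkexec when not already root (integration tests in docker, embedded devices)`. The function starts before and continues after this hunk.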
diff --git a/src/leap/bitmask/vpn/process.py b/src/leap/bitmask/vpn/process.py
index 17d8fddc..d1d929d7 100644
--- a/src/leap/bitmask/vpn/process.py
+++ b/src/leap/bitmask/vpn/process.py
@@ -293,7 +293,6 @@ class _VPNProcess(protocol.ProcessProtocol):
:rtype: list of str
"""
- print("GETTING COMMAND", self._launcher)
try:
command = self._launcher.get_vpn_command(
vpnconfig=self._vpnconfig,