From 3169015c5f5eaed5f2ad48e486b1fe96e1eb6bbe Mon Sep 17 00:00:00 2001
From: Kali Kaneko <kali@leap.se>
Date: Tue, 3 Apr 2018 02:45:34 +0200
Subject: several fixes for riseupvpn snap

- move snap folder to root folder, to allow automated builds
- install only polkit file outside of snap
- change path of bitmask-root accordingly in bitmask
- fix check for polkit file inside snap
- change and document the algorithm for picking bitmask-root in linux
- add LD_LIBRARY_PATH as an environment entry for bitmask-systray
---
 .gitignore                                         |   8 ++
 Makefile                                           |   7 ++
 docs/changelog.rst                                 |   9 ++
 pkg/riseupvpn/Makefile                             |   8 +-
 pkg/riseupvpn/README.rst                           |  20 ++--
 pkg/riseupvpn/pack_installers                      |  34 +++----
 pkg/riseupvpn/snap/.snapcraft/state                |   3 -
 pkg/riseupvpn/snap/gui/riseup-vpn.desktop          |  15 ---
 pkg/riseupvpn/snap/gui/riseupvpn.svg               |  80 ---------------
 pkg/riseupvpn/snap/hooks/remove                    |   7 --
 pkg/riseupvpn/snap/snapcraft.yaml                  |  94 ------------------
 snap/gui/riseup-vpn.desktop                        |  15 +++
 snap/gui/riseupvpn.svg                             |  80 +++++++++++++++
 snap/hooks/install                                 |  11 +++
 snap/hooks/remove                                  |   6 ++
 snap/snapcraft.yaml                                | 108 +++++++++++++++++++++
 src/leap/bitmask/vpn/constants.py                  |   7 +-
 src/leap/bitmask/vpn/fw/firewall.py                |  25 ++++-
 src/leap/bitmask/vpn/helpers/__init__.py           |  21 ++--
 .../helpers/linux/se.leap.bitmask.riseupvpn.policy |  23 +++++
 src/leap/bitmask/vpn/launchers/linux.py            |  18 +++-
 src/leap/bitmask/vpn/process.py                    |   1 -
 22 files changed, 349 insertions(+), 251 deletions(-)
 delete mode 100644 pkg/riseupvpn/snap/.snapcraft/state
 delete mode 100644 pkg/riseupvpn/snap/gui/riseup-vpn.desktop
 delete mode 100644 pkg/riseupvpn/snap/gui/riseupvpn.svg
 delete mode 100755 pkg/riseupvpn/snap/hooks/remove
 delete mode 100644 pkg/riseupvpn/snap/snapcraft.yaml
 create mode 100644 snap/gui/riseup-vpn.desktop
 create mode 100644 snap/gui/riseupvpn.svg
 create mode 100755 snap/hooks/install
 create mode 100755 snap/hooks/remove
 create mode 100644 snap/snapcraft.yaml
 create mode 100644 src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy

diff --git a/.gitignore b/.gitignore
index fc1463e4..9fa8da01 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,3 +56,11 @@ NOTES
 
 # temporary home folders for functional tests
 /tmp/
+
+# snaps
+parts
+prime
+stage
+*.snap
+*.tar.bz2
+snap/.snapcraft
diff --git a/Makefile b/Makefile
index f6895358..153d6130 100644
--- a/Makefile
+++ b/Makefile
@@ -119,6 +119,13 @@ bundle_in_docker_virtualenv:
 	cp -r bitmaskbuild/$(DIST_VERSION) dist/
 	rm -rf bitmaskbuild
 
+snap_in_docker:
+	cd pkg/riseupvpn && ./pack_installers && cd ..
+	sudo docker run -v $(PWD):$(PWD) -w $(PWD) snapcore/snapcraft snapcraft
+
+snap_clean:
+	sudo rm -rf stage prime parts
+
 upload:
 	python setup.py sdist bdist_wheel --universal upload --sign -i kali@leap.se -r pypi
 
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 04778592..de4c7f94 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -5,6 +5,15 @@ Changelog
 -------------------------------
 .. note:: This version is not yet released and is under active development.
 
+Misc
+~~~~
+- Fix snap bug in install hook when python2 was not installed.
+- Install only the polkit file outside of classic confinement snap.
+- Document algorithm for picking bitmask-root.
+- Use LD_LIBRARY_PATH for bitmask_systray in RiseupVPN snap (makes snap run fine in bionic).
+- Move snap folder to topmost folder.
+
+
 0.10.5
 -------------------------------
 
diff --git a/pkg/riseupvpn/Makefile b/pkg/riseupvpn/Makefile
index 58079cc6..6c0e5855 100644
--- a/pkg/riseupvpn/Makefile
+++ b/pkg/riseupvpn/Makefile
@@ -3,13 +3,13 @@
 # We have to use classic confinement because it does not seem to be another way, at the moment,
 # to use policykit.
 
-build: helpers
-	# for speeding up build, see https://tribaal.io/making-lxd-fly-on-ubuntu-as-well.html
-	sudo snapcraft cleanbuild
 helpers:
 	./pack_installers
+build: helpers
+	# for speeding up build, see https://tribaal.io/making-lxd-fly-on-ubuntu-as-well.html
+	cd ../.. && sudo snapcraft cleanbuild
 install:
-	sudo snap install riseup-vpn_*.snap --dangerous --classic
+	cd ../.. && sudo snap install riseup-vpn_*.snap --dangerous --classic
 uninstall:
 	sudo snap remove riseup-vpn
 deps:
diff --git a/pkg/riseupvpn/README.rst b/pkg/riseupvpn/README.rst
index 085ffe39..29ced8f9 100644
--- a/pkg/riseupvpn/README.rst
+++ b/pkg/riseupvpn/README.rst
@@ -12,21 +12,25 @@ minimalistic systray written in golang https://0xacab.org/leap/bitmask-systray
 that makes use of libappindicator for displaying notifications.
 
 Currently, RiseupVPN is distributed as a snap package. It uses classic
-confinement because it needs to install bitmask-root in the system, and a
-polkit policy file so that bitmask-root and openvpn can be executed without
-asking user for permission each time.
+confinement because it needs to install a polkit policy file so that
+bitmask-root and openvpn can be executed without asking user for permission
+each time.
 
 Usage
 -----
 
-Until the snap package gets approved in the snap store, you can use the snap as follows::
+You can get the snap from the store::
 
- wget https://downloads.leap.se/RiseupVPN/linux/riseup-vpn_0.10.4_amd64.snap
  sudo apt install snapd
- sudo snap install riseup-vpn_0.10.4_amd64.snap --dangerous --classic
+ sudo snap install riseup-vpn --classic
 
-That should have made a new application called RiseupVPN in your launchers.
-You can also launch it manually like this::
+If you want to build the local snap::
+
+ make build
+ sudo snap install riseup-vpn_*.snap --classic
+
+That should have added a new application called RiseupVPN in your desktop
+launchers. You can also launch it manually like this::
 
  /snap/bin/riseup-vpn.launcher
 
diff --git a/pkg/riseupvpn/pack_installers b/pkg/riseupvpn/pack_installers
index eb3a08bb..629e4157 100755
--- a/pkg/riseupvpn/pack_installers
+++ b/pkg/riseupvpn/pack_installers
@@ -1,37 +1,27 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 import os
 import subprocess
 from base64 import encodestring as encode
 HELPDIR = '../../src/leap/bitmask/vpn/helpers/linux/'
-INSTALL = './snap/hooks/install'
+INSTALL = '../../snap/hooks/install'
+POLKIT_FILE = 'se.leap.bitmask.riseupvpn.policy'
 
-with open(os.path.join(HELPDIR, 'bitmask-root')) as bmroot:
-    b64_bmroot = encode(bmroot.read())
-
-with open(os.path.join(HELPDIR, 'se.leap.bitmask.bundle.policy')) as polkit:
-    b64_polkit = encode(polkit.read())
+with open(os.path.join(HELPDIR, POLKIT_FILE)) as polkit:
+    b64_polkit = encode(polkit.read().encode())
 
 with open(INSTALL, 'w') as install:
-    install.write('#!/usr/bin/env python\n')
+    install.write('#!/usr/bin/env python3\n')
     install.write('# This helper installs bitmask-root and polkit policy file\n')
     install.write('import subprocess\n')
     install.write('from base64 import decodestring as decode\n')
     install.write("""
-BMROOT = \"\"\"{bmroot}\"\"\"
-POLKIT = \"\"\"{polkit}\"\"\"
-BMROOT_DEST = "/usr/local/sbin/bitmask-root"
-with open(BMROOT_DEST, "w") as bmroot:
-    lines = str(decode(BMROOT)).split("\\n")
-    for i, line in enumerate(lines):
-        bmroot.write(line)
-        if i + 1 != len(lines):
-            bmroot.write("\\n")
-with open('/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy', 'w') as polkit:
-    lines = str(decode(POLKIT)).split("\\n")
+POLKIT = {polkit}
+
+with open('/usr/share/polkit-1/actions/{polkit_file}', 'w') as polkit:
+    lines = decode(POLKIT).split(b"\\n")
     for line in lines:
-        polkit.write(line + "\\n")
-""".format(bmroot=b64_bmroot, polkit=b64_polkit))
-    install.write('subprocess.Popen(["chmod", "+x", BMROOT_DEST])\n')
+        polkit.write(line.decode() + "\\n")
+""".format(polkit=b64_polkit, polkit_file=POLKIT_FILE))
 
 subprocess.Popen(["chmod", "+x", INSTALL])
 print("done packing installers into the snap install hook...")
diff --git a/pkg/riseupvpn/snap/.snapcraft/state b/pkg/riseupvpn/snap/.snapcraft/state
deleted file mode 100644
index 34977889..00000000
--- a/pkg/riseupvpn/snap/.snapcraft/state
+++ /dev/null
@@ -1,3 +0,0 @@
-!GlobalState
-assets:
-  build-packages: []
diff --git a/pkg/riseupvpn/snap/gui/riseup-vpn.desktop b/pkg/riseupvpn/snap/gui/riseup-vpn.desktop
deleted file mode 100644
index e325b204..00000000
--- a/pkg/riseupvpn/snap/gui/riseup-vpn.desktop
+++ /dev/null
@@ -1,15 +0,0 @@
-[Desktop Entry]
-Version=1.0
-Type=Application
-Name=RiseupVPN
-Comment=Anonymous VPN
-Comment[es]=VPN Anonima
-Comment[de]=Anonymous VPN
-Path=/snap/bin
-Exec=riseup-vpn.launcher
-Terminal=false
-Icon=/snap/riseup-vpn/current/snap/gui/riseupvpn.svg
-Categories=Network;Application;
-StartupNotify=true
-Keywords=VPN;riseup;leap
-
diff --git a/pkg/riseupvpn/snap/gui/riseupvpn.svg b/pkg/riseupvpn/snap/gui/riseupvpn.svg
deleted file mode 100644
index a19c6c61..00000000
--- a/pkg/riseupvpn/snap/gui/riseupvpn.svg
+++ /dev/null
@@ -1,80 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="128"
-   height="128"
-   viewBox="0 0 33.866666 33.866668"
-   version="1.1"
-   id="svg896"
-   inkscape:version="0.92.2 (5c3e80d, 2017-08-06)"
-   sodipodi:docname="riseupvpn-launcher.svg">
-  <defs
-     id="defs890" />
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#d7d7d7"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="5.12"
-     inkscape:cx="26.899914"
-     inkscape:cy="56.22909"
-     inkscape:document-units="px"
-     inkscape:current-layer="layer1"
-     showgrid="true"
-     units="px"
-     inkscape:window-width="1869"
-     inkscape:window-height="1025"
-     inkscape:window-x="51"
-     inkscape:window-y="27"
-     inkscape:window-maximized="1">
-    <inkscape:grid
-       type="xygrid"
-       id="grid1471"
-       empspacing="4" />
-  </sodipodi:namedview>
-  <metadata
-     id="metadata893">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title></dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <g
-     inkscape:label="Layer 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(0,-263.13332)">
-    <path
-       style="fill:#006cb2;fill-opacity:1;stroke-width:0.26458335"
-       d="M 15.617988,295.66418 C 9.9401302,292.50672 5.6959906,287.52131 4.7342129,282.87951 4.4622971,281.56718 4.4516145,281.24899 4.4519256,274.47112 l 2.394e-4,-6.47461 0.5616386,-0.36177 c 2.3734615,-1.52883 4.8841786,-2.55103 7.4419094,-3.06699 5.221864,-1.05337 10.639669,0.003 15.485448,3.16684 l 0.398232,0.25998 v 6.50684 c 0,6.8044 -0.01093,7.13134 -0.280843,8.43104 -0.956329,4.6043 -4.632206,9.09553 -10.057782,12.28874 -1.576255,0.9277 -1.527525,0.91863 -2.382844,0.44299 z"
-       id="path5137"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="csccssscssscc" />
-    <path
-       inkscape:connector-curvature="0"
-       style="fill:#007cc3;fill-opacity:1;stroke-width:0.26458335"
-       d="m 16.396917,264.17336 c -1.317958,-4.7e-4 -2.635612,0.13103 -3.941076,0.39437 -2.5577318,0.51596 -5.068528,1.53812 -7.4419895,3.06696 l -0.5615828,0.36177 -4.707e-4,6.47466 c -2.394e-4,6.77787 0.010371,7.096 0.2822554,8.40832 0.9617776,4.64181 5.2059168,9.62724 10.8837756,12.7847 h 1.19e-4 c 0.368953,0.20517 0.569745,0.32326 0.805249,0.31706 v -31.80747 c -0.0088,-2e-5 -0.01755,-4.8e-4 -0.02641,-4.8e-4 z"
-       id="path887" />
-    <path
-       style="fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458338"
-       d="m 16.989143,272.54844 c 0,0 -0.315707,-0.61165 -0.336761,-0.69601 -0.02106,-0.0844 -0.189431,-0.94909 -0.189431,-0.94909 l 0.210485,-0.37963 0.463046,-0.696 0.673531,-0.52727 0.168377,-0.0633 1.620684,-0.61164 0.147331,-0.14764 -0.168385,-0.25308 -0.231523,-0.12655 -0.424879,-0.10907 -1.064407,-0.10907 -0.825967,0.007 -0.568293,0.12654 -0.505146,-0.18981 -0.63143,-0.0844 -0.9261,-0.0211 -0.463054,-0.0211 -0.778761,0.29527 -1.178677,1.37091 -0.147339,0.52727 -0.08418,0.464 -0.399908,0.86473 -0.252577,0.82254 -0.126285,0.88582 v 0.18982 l -0.610384,0.92799 -0.336761,0.69601 v 0.99126 l 0.10523,2.04581 0.189431,0.73821 0.378861,0.6749 0.4841,0.44292 0.210477,0.8647 0.799815,1.77155 0.947154,1.13886 0.06311,0.0633 0.336761,1.70835 -1.157623,2.10911 -0.363408,0.28169 -0.272426,0.22054 -0.467179,-0.0129 -0.260603,0.13452 -0.316122,0.0134 -0.190994,0.19047 -0.408963,-0.0616 -0.4044091,-0.0196 -0.311982,0.24606 -0.044916,0.36556 0.207365,-0.23472 0.3488649,-0.10158 0.03654,0.33552 0.5512672,-0.18726 0.316122,-0.0134 0.557721,0.0667 c 0,0 0.483518,-0.0316 0.567216,-0.0407 0.0837,-0.009 0.597276,0.0411 0.597276,0.0411 l 0.376644,-0.041 0.199723,0.0844 0.267456,-0.0716 0.290265,0.13818 0.418488,-0.0455 0.05401,-0.28169 -0.01596,-0.14678 0.28571,0.0962 0.232049,0.18692 0.150642,0.21701 -0.0088,-0.27495 -0.182953,-0.31946 c 0,0 -0.125159,-0.17737 -0.208857,-0.16824 -0.0837,0.009 -0.408971,-0.0616 -0.408971,-0.0616 l -0.223321,0.088 -0.243857,-0.10085 -0.239677,0.13226 -0.220665,-0.0822 -0.106491,-0.20049 -0.153322,-0.0471 0.164763,-0.42962 0.378861,-0.52859 0.505146,-0.84364 0.442,-0.5273 0.168385,-0.21088 c 0,0 0.210477,-0.31633 0.210477,-0.40071 0,-0.0844 0.04212,-0.97016 0.04212,-0.97016 l -0.273623,-0.56947 -0.126285,-0.46402 2.441546,0.59059 h 0.147331 l 2.083731,1.49744 0.294669,0.37959 0.10523,1.49729 -0.04212,0.33746 -0.147338,0.27419 -0.105358,0.16875 -0.09101,0.23675 -0.06215,0.1583 -0.386712,0.11988 -0.393086,-0.0709 -0.238209,-0.0294 -0.437428,0.0633 -0.184118,0.19713 -0.07084,0.24475 0.05712,0.24744 0.09172,-0.24769 0.124641,-0.16724 0.121984,-0.0388 0.0094,0.21174 0.163957,0.10406 0.338995,-0.15563 0.166646,-0.0242 0.05409,0.22658 0.508999,-0.01 0.345035,-0.11394 0.282886,0.0443 0.410893,0.047 0.142823,-0.0417 0.112881,-0.10156 0.182442,0.37841 0.0024,-0.42654 -0.176722,-0.48581 -0.256358,-0.15463 0.04324,-0.12712 -0.189423,-0.35849 0.02106,-1.37079 1.052392,1.2444 1.389154,1.09674 c 0,0 0.947146,0.33749 1.03133,0.33749 0.08419,0 0.736677,-0.0844 0.736677,-0.0844 l 0.420954,-0.69598 -0.315715,-0.94908 0.126284,-0.31642 -0.673531,-0.88574 -1.426794,-1.45279 -0.341213,-1.14141 0.02106,-0.78037 -0.315707,-0.82257 -0.357816,-0.65376 0.210477,-0.65377 -0.168377,-0.94904 -0.717785,-1.61568 0.265151,-0.0448 -0.444984,-0.77034 0.289101,-0.0918 -0.508218,-0.82847 0.213764,-0.11524 -0.380944,-0.62543 0.124202,-0.0696 -0.460971,-0.37337 0.168384,-0.0875 -1.199723,-0.84051 z"
-       id="path5892"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="csccccccccccccccccccccccccccccccccccccccccccccccccccccccscccccccccccccsccccccccccccscccccccccccccccccccccccccccccccccccccccccccscccccccccccccccccccccccc" />
-  </g>
-</svg>
diff --git a/pkg/riseupvpn/snap/hooks/remove b/pkg/riseupvpn/snap/hooks/remove
deleted file mode 100755
index c7442a26..00000000
--- a/pkg/riseupvpn/snap/hooks/remove
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-set -e
-
-echo "Executing remove hook for RiseupVPN"
-rm "/usr/local/sbin/bitmask-root"
-rm "/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy"
-echo "done"
diff --git a/pkg/riseupvpn/snap/snapcraft.yaml b/pkg/riseupvpn/snap/snapcraft.yaml
deleted file mode 100644
index 064a48ae..00000000
--- a/pkg/riseupvpn/snap/snapcraft.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
-name: riseup-vpn
-version: '0.10.4'
-epoch: 0
-summary: RiseupVPN, anonymous VPN. Powered by Bitmask.
-description: |
-        RiseupVPN is an easy, fast, and secure VPN service from riseup.net.
-        RiseupVPN does not require a user account, keep logs, or track you in
-        any way. The service is paid for entirely by donations from users like
-        you.
-
-grade: stable # must be 'stable' to release into candidate/stable channels. switch to devel in snap branch.
-confinement: classic
-icon: snap/gui/riseupvpn.svg
-
-parts:
-         
-        bitmask:
-                plugin: python
-                python-version: python2
-                source-branch: master
-                source: https://0xacab.org/leap/bitmask-dev.git
-                requirements: pkg/requirements-vpn.pip
-                stage-packages:
-                        # this seems to trigger https://bugs.launchpad.net/snapcraft/+bug/1676684
-                        - python2.7-dev
-                        - libsqlcipher-dev
-                        - libffi-dev
-                        - libsqlite3-dev
-                        - libzmq3-dev
-                prime: 
-                    - -usr/include
-                    - -usr/lib/locale
-                    - -usr/share/X11/locale
-                    - -usr/share/doc
-                    - -usr/share/locale
-                    - -usr/share/man
-                    #- -usr/share/icons
-        openvpn:
-                plugin: nil
-                stage-packages:
-                        - openvpn
-                prime:
-                    - -usr/share/doc
-                    - -usr/share/man
-        bitmask-systray:
-                plugin: go
-                source: https://0xacab.org/leap/bitmask-systray.git
-                build-packages:
-                        - pkg-config
-                        - patchelf
-                        - libzmq5
-                        - libzmq3-dev
-                        - libsodium-dev
-                        - libappindicator3-dev
-                        - libgtk-3-dev
-                stage-packages:
-                        - libzmq5
-                        - libsodium18
-                        - libappindicator3-1
-                install: |
-                  TRIPLET_PATH="$SNAPCRAFT_PART_INSTALL/usr/lib/$(gcc -print-multiarch)"
-                  LIBZMQ=$(readlink -n $TRIPLET_PATH/libzmq.so.5)
-                  LIBSOD=$(readlink -n $TRIPLET_PATH/libsodium.so.18)
-                  ln -s "../usr/lib/$(gcc -print-multiarch)/$LIBZMQ" $SNAPCRAFT_PART_INSTALL/bin/libzmq.so.5
-                  ln -s "../usr/lib/$(gcc -print-multiarch)/$LIBSOD" $SNAPCRAFT_PART_INSTALL/bin/libsodium.so.18
-                  patchelf --set-rpath /snap/riseup-vpn/current/bin/ $SNAPCRAFT_PART_INSTALL/bin/bitmask-systray.git
-                prime: 
-                    - -usr/include
-                    - -usr/lib/locale
-                    - -usr/share/X11/locale
-                    - -usr/share/doc
-                    - -usr/share/locale
-                    - -usr/share/man
-                    #- -usr/share/icons
-        desktop-gtk3:
-                prime: 
-                    - -usr/include
-                    - -usr/lib/locale
-                    - -usr/share/X11/locale
-                    - -usr/share/doc
-                    - -usr/share/locale
-                    - -usr/share/man
-                    #- -usr/share/icons
-                    - '*'
-
-apps:
-        launcher:
-                command: ./bin/bitmask_anonvpn
-        openvpn:
-                command: ./usr/sbin/openvpn
-        bitmaskd:
-                command: ./bin/bitmaskd
-        bitmask-systray:
-                command: ./bin/bitmask-systray.git
diff --git a/snap/gui/riseup-vpn.desktop b/snap/gui/riseup-vpn.desktop
new file mode 100644
index 00000000..e325b204
--- /dev/null
+++ b/snap/gui/riseup-vpn.desktop
@@ -0,0 +1,15 @@
+[Desktop Entry]
+Version=1.0
+Type=Application
+Name=RiseupVPN
+Comment=Anonymous VPN
+Comment[es]=VPN Anonima
+Comment[de]=Anonymous VPN
+Path=/snap/bin
+Exec=riseup-vpn.launcher
+Terminal=false
+Icon=/snap/riseup-vpn/current/snap/gui/riseupvpn.svg
+Categories=Network;Application;
+StartupNotify=true
+Keywords=VPN;riseup;leap
+
diff --git a/snap/gui/riseupvpn.svg b/snap/gui/riseupvpn.svg
new file mode 100644
index 00000000..a19c6c61
--- /dev/null
+++ b/snap/gui/riseupvpn.svg
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="128"
+   height="128"
+   viewBox="0 0 33.866666 33.866668"
+   version="1.1"
+   id="svg896"
+   inkscape:version="0.92.2 (5c3e80d, 2017-08-06)"
+   sodipodi:docname="riseupvpn-launcher.svg">
+  <defs
+     id="defs890" />
+  <sodipodi:namedview
+     id="base"
+     pagecolor="#d7d7d7"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:zoom="5.12"
+     inkscape:cx="26.899914"
+     inkscape:cy="56.22909"
+     inkscape:document-units="px"
+     inkscape:current-layer="layer1"
+     showgrid="true"
+     units="px"
+     inkscape:window-width="1869"
+     inkscape:window-height="1025"
+     inkscape:window-x="51"
+     inkscape:window-y="27"
+     inkscape:window-maximized="1">
+    <inkscape:grid
+       type="xygrid"
+       id="grid1471"
+       empspacing="4" />
+  </sodipodi:namedview>
+  <metadata
+     id="metadata893">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(0,-263.13332)">
+    <path
+       style="fill:#006cb2;fill-opacity:1;stroke-width:0.26458335"
+       d="M 15.617988,295.66418 C 9.9401302,292.50672 5.6959906,287.52131 4.7342129,282.87951 4.4622971,281.56718 4.4516145,281.24899 4.4519256,274.47112 l 2.394e-4,-6.47461 0.5616386,-0.36177 c 2.3734615,-1.52883 4.8841786,-2.55103 7.4419094,-3.06699 5.221864,-1.05337 10.639669,0.003 15.485448,3.16684 l 0.398232,0.25998 v 6.50684 c 0,6.8044 -0.01093,7.13134 -0.280843,8.43104 -0.956329,4.6043 -4.632206,9.09553 -10.057782,12.28874 -1.576255,0.9277 -1.527525,0.91863 -2.382844,0.44299 z"
+       id="path5137"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="csccssscssscc" />
+    <path
+       inkscape:connector-curvature="0"
+       style="fill:#007cc3;fill-opacity:1;stroke-width:0.26458335"
+       d="m 16.396917,264.17336 c -1.317958,-4.7e-4 -2.635612,0.13103 -3.941076,0.39437 -2.5577318,0.51596 -5.068528,1.53812 -7.4419895,3.06696 l -0.5615828,0.36177 -4.707e-4,6.47466 c -2.394e-4,6.77787 0.010371,7.096 0.2822554,8.40832 0.9617776,4.64181 5.2059168,9.62724 10.8837756,12.7847 h 1.19e-4 c 0.368953,0.20517 0.569745,0.32326 0.805249,0.31706 v -31.80747 c -0.0088,-2e-5 -0.01755,-4.8e-4 -0.02641,-4.8e-4 z"
+       id="path887" />
+    <path
+       style="fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.26458338"
+       d="m 16.989143,272.54844 c 0,0 -0.315707,-0.61165 -0.336761,-0.69601 -0.02106,-0.0844 -0.189431,-0.94909 -0.189431,-0.94909 l 0.210485,-0.37963 0.463046,-0.696 0.673531,-0.52727 0.168377,-0.0633 1.620684,-0.61164 0.147331,-0.14764 -0.168385,-0.25308 -0.231523,-0.12655 -0.424879,-0.10907 -1.064407,-0.10907 -0.825967,0.007 -0.568293,0.12654 -0.505146,-0.18981 -0.63143,-0.0844 -0.9261,-0.0211 -0.463054,-0.0211 -0.778761,0.29527 -1.178677,1.37091 -0.147339,0.52727 -0.08418,0.464 -0.399908,0.86473 -0.252577,0.82254 -0.126285,0.88582 v 0.18982 l -0.610384,0.92799 -0.336761,0.69601 v 0.99126 l 0.10523,2.04581 0.189431,0.73821 0.378861,0.6749 0.4841,0.44292 0.210477,0.8647 0.799815,1.77155 0.947154,1.13886 0.06311,0.0633 0.336761,1.70835 -1.157623,2.10911 -0.363408,0.28169 -0.272426,0.22054 -0.467179,-0.0129 -0.260603,0.13452 -0.316122,0.0134 -0.190994,0.19047 -0.408963,-0.0616 -0.4044091,-0.0196 -0.311982,0.24606 -0.044916,0.36556 0.207365,-0.23472 0.3488649,-0.10158 0.03654,0.33552 0.5512672,-0.18726 0.316122,-0.0134 0.557721,0.0667 c 0,0 0.483518,-0.0316 0.567216,-0.0407 0.0837,-0.009 0.597276,0.0411 0.597276,0.0411 l 0.376644,-0.041 0.199723,0.0844 0.267456,-0.0716 0.290265,0.13818 0.418488,-0.0455 0.05401,-0.28169 -0.01596,-0.14678 0.28571,0.0962 0.232049,0.18692 0.150642,0.21701 -0.0088,-0.27495 -0.182953,-0.31946 c 0,0 -0.125159,-0.17737 -0.208857,-0.16824 -0.0837,0.009 -0.408971,-0.0616 -0.408971,-0.0616 l -0.223321,0.088 -0.243857,-0.10085 -0.239677,0.13226 -0.220665,-0.0822 -0.106491,-0.20049 -0.153322,-0.0471 0.164763,-0.42962 0.378861,-0.52859 0.505146,-0.84364 0.442,-0.5273 0.168385,-0.21088 c 0,0 0.210477,-0.31633 0.210477,-0.40071 0,-0.0844 0.04212,-0.97016 0.04212,-0.97016 l -0.273623,-0.56947 -0.126285,-0.46402 2.441546,0.59059 h 0.147331 l 2.083731,1.49744 0.294669,0.37959 0.10523,1.49729 -0.04212,0.33746 -0.147338,0.27419 -0.105358,0.16875 -0.09101,0.23675 -0.06215,0.1583 -0.386712,0.11988 -0.393086,-0.0709 -0.238209,-0.0294 -0.437428,0.0633 -0.184118,0.19713 -0.07084,0.24475 0.05712,0.24744 0.09172,-0.24769 0.124641,-0.16724 0.121984,-0.0388 0.0094,0.21174 0.163957,0.10406 0.338995,-0.15563 0.166646,-0.0242 0.05409,0.22658 0.508999,-0.01 0.345035,-0.11394 0.282886,0.0443 0.410893,0.047 0.142823,-0.0417 0.112881,-0.10156 0.182442,0.37841 0.0024,-0.42654 -0.176722,-0.48581 -0.256358,-0.15463 0.04324,-0.12712 -0.189423,-0.35849 0.02106,-1.37079 1.052392,1.2444 1.389154,1.09674 c 0,0 0.947146,0.33749 1.03133,0.33749 0.08419,0 0.736677,-0.0844 0.736677,-0.0844 l 0.420954,-0.69598 -0.315715,-0.94908 0.126284,-0.31642 -0.673531,-0.88574 -1.426794,-1.45279 -0.341213,-1.14141 0.02106,-0.78037 -0.315707,-0.82257 -0.357816,-0.65376 0.210477,-0.65377 -0.168377,-0.94904 -0.717785,-1.61568 0.265151,-0.0448 -0.444984,-0.77034 0.289101,-0.0918 -0.508218,-0.82847 0.213764,-0.11524 -0.380944,-0.62543 0.124202,-0.0696 -0.460971,-0.37337 0.168384,-0.0875 -1.199723,-0.84051 z"
+       id="path5892"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="csccccccccccccccccccccccccccccccccccccccccccccccccccccccscccccccccccccsccccccccccccscccccccccccccccccccccccccccccccccccccccccccscccccccccccccccccccccccc" />
+  </g>
+</svg>
diff --git a/snap/hooks/install b/snap/hooks/install
new file mode 100755
index 00000000..95207387
--- /dev/null
+++ b/snap/hooks/install
@@ -0,0 +1,11 @@
+#!/usr/bin/env python3
+# This helper installs bitmask-root and polkit policy file
+import subprocess
+from base64 import decodestring as decode
+
+POLKIT = b'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBvbGljeWNv\nbmZpZyBQVUJMSUMKICItLy9mcmVlZGVza3RvcC8vRFREIFBvbGljeUtpdCBQb2xpY3kgQ29uZmln\ndXJhdGlvbiAxLjAvL0VOIgogImh0dHA6Ly93d3cuZnJlZWRlc2t0b3Aub3JnL3N0YW5kYXJkcy9Q\nb2xpY3lLaXQvMS9wb2xpY3ljb25maWcuZHRkIj4KPHBvbGljeWNvbmZpZz4KCiAgPHZlbmRvcj5M\nRUFQIFByb2plY3Q8L3ZlbmRvcj4KICA8dmVuZG9yX3VybD5odHRwOi8vbGVhcC5zZS88L3ZlbmRv\ncl91cmw+CgogIDxhY3Rpb24gaWQ9InNlLmxlYXAuYml0bWFzay5yaXNldXB2cG4ucG9saWN5Ij4K\nICAgIDxkZXNjcmlwdGlvbj5SdW5zIGJpdG1hc2sgaGVscGVyIHRvIGxhdW5jaCBmaXJld2FsbCBh\nbmQgb3BlbnZwbiAoUmlzZXVwVlBOKTwvZGVzY3JpcHRpb24+CiAgICA8ZGVzY3JpcHRpb24geG1s\nOmxhbmc9ImVzIj5FamVjdXRhIGVsIGFzaXN0ZW50ZSBkZSBiaXRtYXNrIHBhcmEgbGFuemFyIGVs\nIGZpcmV3YWxsIHkgb3BlbnZwbiAoUmlzZXVwVlBOKTwvZGVzY3JpcHRpb24+CiAgICA8bWVzc2Fn\nZT5SaXNldXBWUE4gbmVlZHMgdGhhdCB5b3UgYXV0aGVudGljYXRlIHRvIHN0YXJ0PC9tZXNzYWdl\nPgogICAgPG1lc3NhZ2UgeG1sOmxhbmc9ImVzIj5SaXNldXBWUE4gbmVjZXNpdGEgYXV0b3JpemFj\naW9uIHBhcmEgY29tZW56YXI8L21lc3NhZ2U+CiAgICA8aWNvbl9uYW1lPnBhY2thZ2UteC1nZW5l\ncmljPC9pY29uX25hbWU+IAogICAgPGRlZmF1bHRzPgogICAgICA8YWxsb3dfYW55PnllczwvYWxs\nb3dfYW55PgogICAgICA8YWxsb3dfaW5hY3RpdmU+eWVzPC9hbGxvd19pbmFjdGl2ZT4KICAgICAg\nPGFsbG93X2FjdGl2ZT55ZXM8L2FsbG93X2FjdGl2ZT4KICAgIDwvZGVmYXVsdHM+CiAgICA8YW5u\nb3RhdGUga2V5PSJvcmcuZnJlZWRlc2t0b3AucG9saWN5a2l0LmV4ZWMucGF0aCI+L3NuYXAvYmlu\nL3Jpc2V1cC12cG4uYml0bWFzay1yb290PC9hbm5vdGF0ZT4KICA8L2FjdGlvbj4KPC9wb2xpY3lj\nb25maWc+Cg==\n'
+
+with open('/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy', 'w') as polkit:
+    lines = decode(POLKIT).split(b"\n")
+    for line in lines:
+        polkit.write(line.decode() + "\n")
diff --git a/snap/hooks/remove b/snap/hooks/remove
new file mode 100755
index 00000000..6aebbe10
--- /dev/null
+++ b/snap/hooks/remove
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+echo "Executing remove hook for RiseupVPN"
+rm "/usr/share/polkit-1/actions/se.leap.bitmask.snap.policy"
+echo "done"
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
new file mode 100644
index 00000000..3702bed0
--- /dev/null
+++ b/snap/snapcraft.yaml
@@ -0,0 +1,108 @@
+name: riseup-vpn
+version: '0.10.5+git'
+epoch: 1
+summary: RiseupVPN, secure VPN. Powered by Bitmask.
+description: |
+        RiseupVPN is an easy, fast, and secure VPN service from riseup.net.
+        RiseupVPN does not require a user account, keep logs, or track you in
+        any way. The service is paid for entirely by donations from users like
+        you.
+
+grade: stable
+confinement: classic
+icon: snap/gui/riseupvpn.svg
+
+parts:
+        desktop-gtk3:
+                prime:
+                    - '*'
+                    - -usr/include
+                    - -usr/lib/locale
+                    - -usr/share/X11/locale
+                    - -usr/share/doc
+                    - -usr/share/locale
+                    - -usr/share/man
+         
+        bitmask:
+                #after: [gnome-3-26, desktop-gtk3]
+                after: [desktop-gtk3]
+                plugin: python
+                python-version: python2
+                source-branch: master
+                source: .
+                requirements: pkg/requirements-vpn.pip
+                stage-packages:
+                    # this seems to trigger https://bugs.launchpad.net/snapcraft/+bug/1676684
+                    - python2.7-dev
+                    - libsqlcipher-dev
+                    - libffi-dev
+                    - libsqlite3-dev
+                    - libzmq3-dev
+                prime: 
+                    - -usr/include
+                    - -usr/lib/locale
+                    - -usr/share/X11/locale
+                    - -usr/share/doc
+                    - -usr/share/locale
+                    - -usr/share/man
+
+        openvpn:
+                plugin: nil
+                stage-packages:
+                    - openvpn
+                prime:
+                    - -usr/share/doc
+                    - -usr/share/man
+        bitmask-systray:
+                after: [desktop-gtk3]
+                plugin: go
+                source: https://0xacab.org/leap/bitmask-systray.git
+                # prepare: XXX run systray tests here
+                build-packages:
+                    - pkg-config
+                    - patchelf
+                    - libzmq5
+                    - libzmq3-dev
+                    - libsodium-dev
+                    - libpcre3-dev
+                    - libappindicator3-dev
+                    - libgtk-3-dev
+                stage-packages:
+                    - libzmq5
+                    - libsodium18
+                    - libpcre3
+                    - libappindicator3-1
+                # prime: 
+                     # prime:-etc/fonts
+                     # prime:-usr/include
+                     # prime:-usr/bin
+                     # prime:-usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/
+                     # prime:-usr/lib/x86_64-linux-gnu/glib-2.0/
+                     # prime:-usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/
+                     # prime:-usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/printbackends/
+                     # prime:-usr/lib/x86_64-linux-gnu/libgtk-3-0/gtk-query-immodules-3.0
+                     # prime:-usr/lib/x86_64-linux-gnu/libwayland-*
+                     # prime:-usr/sbin/update-icon-caches
+                     # prime:-usr/share/doc
+                     # prime:-usr/share/glib-2.0/schemas
+                     # prime:-usr/share/icons
+                     # prime:-usr/share/lintian
+                     # prime:-usr/share/pkgconfig
+                     # prime:-usr/share/theme
+                     # prime:-usr/share/mime
+                     # prime:-usr/lib/locale
+                     # prime:-usr/share/locale
+
+apps:
+        launcher:
+                command: ./bin/bitmask_anonvpn
+        openvpn:
+                command: ./usr/sbin/openvpn
+        bitmaskd:
+                command: ./bin/bitmaskd
+        bitmask-systray:
+                command: ./bin/bitmask-systray.git
+                environment:
+                        LD_LIBRARY_PATH: "$SNAP/usr/lib/$(gcc -print-multiarch):$SNAP/lib/$(gcc -print-multiarch):$LD_LIBRARY_PATH"
+        bitmask-root:
+                command: ./lib/python2.7/site-packages/leap/bitmask/vpn/helpers/linux/bitmask-root
diff --git a/src/leap/bitmask/vpn/constants.py b/src/leap/bitmask/vpn/constants.py
index dce5e81c..a380bc3c 100644
--- a/src/leap/bitmask/vpn/constants.py
+++ b/src/leap/bitmask/vpn/constants.py
@@ -23,10 +23,15 @@ from leap.bitmask.system import IS_LINUX
 if IS_LINUX:
     BITMASK_ROOT_SYSTEM = '/usr/sbin/bitmask-root'
     BITMASK_ROOT_LOCAL = '/usr/local/sbin/bitmask-root'
+    # this should change when bitmask is also a snap. for now,
+    # snap is only RiseupVPN
+    BITMASK_ROOT_SNAP = '/snap/bin/riseup-vpn.bitmask-root'
+
     OPENVPN_SYSTEM = '/usr/sbin/openvpn'
     OPENVPN_LOCAL = '/usr/local/sbin/leap-openvpn'
     # this should change when bitmask is also a snap. for now,
-    # snap means RiseupVPN
+    # snap is only RiseupVPN
     OPENVPN_SNAP = '/snap/bin/riseup-vpn.openvpn'
     POLKIT_LOCAL = '/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy'
     POLKIT_SYSTEM = '/usr/share/polkit-1/actions/se.leap.bitmask.policy'
+    POLKIT_SNAP = '/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy'
diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py
index 98b317b0..cc5d76d0 100644
--- a/src/leap/bitmask/vpn/fw/firewall.py
+++ b/src/leap/bitmask/vpn/fw/firewall.py
@@ -25,7 +25,10 @@ import subprocess
 
 from twisted.logger import Logger
 
-from leap.bitmask.system import IS_MAC, IS_LINUX
+from leap.bitmask.system import IS_MAC, IS_LINUX, IS_SNAP
+from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM
+from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL
+from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP
 from leap.common.events import catalog, emit_async
 
 from leap.bitmask.vpn.launchers import darwin
@@ -87,11 +90,23 @@ class _LinuxFirewallManager(object):
     This allows us to achieve fail close on a vpn connection.
     """
 
-    _SYSTEM_BITMASK_ROOT = '/usr/sbin/bitmask-root'
-    if os.path.isfile(_SYSTEM_BITMASK_ROOT):
-        BITMASK_ROOT = _SYSTEM_BITMASK_ROOT
+    # TODO factor out choosing a version of bitmask-root.
+    # together with linux vpnlauncher.
+
+    if IS_SNAP:
+        # snap has its own version under /snap
+        BITMASK_ROOT = BITMASK_ROOT_SNAP
+    elif IS_STANDALONE and os.path.isfile(BITMASK_ROOT_LOCAL):
+        # if this is a bundle, we pick local. bundles ask to install it there.
+        BITMASK_ROOT = BITMASK_ROOT_LOCAL
     else:
-        BITMASK_ROOT = "/usr/local/sbin/bitmask-root"
+        if os.path.isfile(BITMASK_ROOT_SYSTEM):
+            # we can be running from the debian package,
+            # or some other distro. it's the maintainer responsibility to put bitmask-root there.
+            BITMASK_ROOT = BITMASK_ROOT_SYSTEM
+        else:
+            # as a last case, we fall back to installing into the /usr/local/sbin version.
+            BITMASK_ROOT = BITMASK_ROOT_LOCAL
 
     def __init__(self, remotes):
         """
diff --git a/src/leap/bitmask/vpn/helpers/__init__.py b/src/leap/bitmask/vpn/helpers/__init__.py
index e932422d..96ec4f2e 100644
--- a/src/leap/bitmask/vpn/helpers/__init__.py
+++ b/src/leap/bitmask/vpn/helpers/__init__.py
@@ -18,13 +18,15 @@ if IS_LINUX:
 
     from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM
     from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL
+    from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP
     from leap.bitmask.vpn.constants import OPENVPN_SYSTEM, OPENVPN_LOCAL
     from leap.bitmask.vpn.constants import OPENVPN_SNAP
-    from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL
+    from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL, POLKIT_SNAP
     from leap.bitmask.vpn.privilege import is_pkexec_in_system
     from leap.bitmask.vpn.privilege import LinuxPolicyChecker
 
     def install():
+        print('installing bitmask helpers...')
         helper_from = _config.get_bitmask_helper_path()
         polkit_from = _config.get_bitmask_polkit_policy_path()
         openvpn_from = _config.get_bitmask_openvpn_path()
@@ -86,7 +88,7 @@ if IS_LINUX:
             return True
 
         if IS_SNAP:
-            if os.path.isfile(BITMASK_ROOT_LOCAL):
+            if os.path.isfile(BITMASK_ROOT_SNAP):
                 return True
             log.error('Cannot find bitmask-root in snap')
             return False
@@ -131,12 +133,17 @@ if IS_LINUX:
         return False
 
     def _check_polkit_file_exist():
-        # XXX: we are just checking if there is any policy file installed not
-        # if it's valid or if it's the correct one that will be used.
-        # (if LOCAL is used if /usr/local/sbin/bitmask-root is used and SYSTEM
-        # if /usr/sbin/bitmask-root)
+        """
+        We are just checking if there is any policy file installed not
+        if it's valid or if it's the correct one that will be used.
+
+        If LOCAL: we use /usr/local/sbin/bitmask-root
+        If SYSTEM: we use /usr/sbin/bitmask-root, and
+        if SNAP:   we use /snap/bin/riseup-vpn.bitmask-root
+        """
         return (os.path.exists(POLKIT_LOCAL) or
-                os.path.exists(POLKIT_SYSTEM))
+                os.path.exists(POLKIT_SYSTEM) or
+                os.path.exists(POLKIT_SNAP))
 
     def _exists_and_can_read(file_path):
         return access(file_path, R_OK)
diff --git a/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy
new file mode 100644
index 00000000..3bdf06a6
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+  <vendor>LEAP Project</vendor>
+  <vendor_url>http://leap.se/</vendor_url>
+
+  <action id="se.leap.bitmask.riseupvpn.policy">
+    <description>Runs bitmask helper to launch firewall and openvpn (RiseupVPN)</description>
+    <description xml:lang="es">Ejecuta el asistente de bitmask para lanzar el firewall y openvpn (RiseupVPN)</description>
+    <message>RiseupVPN needs that you authenticate to start</message>
+    <message xml:lang="es">RiseupVPN necesita autorizacion para comenzar</message>
+    <icon_name>package-x-generic</icon_name> 
+    <defaults>
+      <allow_any>yes</allow_any>
+      <allow_inactive>yes</allow_inactive>
+      <allow_active>yes</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/snap/bin/riseup-vpn.bitmask-root</annotate>
+  </action>
+</policyconfig>
diff --git a/src/leap/bitmask/vpn/launchers/linux.py b/src/leap/bitmask/vpn/launchers/linux.py
index 748fe858..db8ffce7 100644
--- a/src/leap/bitmask/vpn/launchers/linux.py
+++ b/src/leap/bitmask/vpn/launchers/linux.py
@@ -86,15 +86,16 @@ class LinuxVPNLauncher(VPNLauncher):
 
     class BITMASK_ROOT(object):
         def __call__(self):
-
             current_version = self._version(_config.get_bitmask_helper_path())
             _sys = constants.BITMASK_ROOT_SYSTEM
             _sys_version = 0
             _local = constants.BITMASK_ROOT_LOCAL
             _local_version = 0
+            _snap = constants.BITMASK_ROOT_SNAP
+            _snap_version = 0
 
             if IS_SNAP:
-                return _local
+                return _snap
 
             if os.path.isfile(_sys):
                 _sys_version = self._version(_sys)
@@ -182,13 +183,22 @@ class LinuxVPNLauncher(VPNLauncher):
             openvpn_verb)
 
         if IS_SNAP:
-            return ["pkexec", "/usr/local/sbin/bitmask-root",
+            # cannot reference bitmask_root because 'local variable command
+            # referenced before assignment' XXX bug!
+            # this should change when bitmask is also a snap. for now,
+            # snap means RiseupVPN
+            return ["pkexec", constants.BITMASK_ROOT_SNAP,
                     "openvpn", "start"] + command
 
-        command.insert(0, force_eval(kls.BITMASK_ROOT))
+        bitmask_root = force_eval(kls.BITMASK_ROOT)
+        command.insert(0, bitmask_root)
         command.insert(1, "openvpn")
         command.insert(2, "start")
 
+        # this is a workaround for integration tests, since it's not
+        # trivial to run polkit inside docker containers.
+        # however, you might want to run bitmask as root under certain
+        # environments, like embedded devices.
         if os.getuid() != 0:
             policyChecker = LinuxPolicyChecker()
             pkexec = policyChecker.get_usable_pkexec()
diff --git a/src/leap/bitmask/vpn/process.py b/src/leap/bitmask/vpn/process.py
index 17d8fddc..d1d929d7 100644
--- a/src/leap/bitmask/vpn/process.py
+++ b/src/leap/bitmask/vpn/process.py
@@ -293,7 +293,6 @@ class _VPNProcess(protocol.ProcessProtocol):
 
         :rtype: list of str
         """
-        print("GETTING COMMAND", self._launcher)
         try:
             command = self._launcher.get_vpn_command(
                 vpnconfig=self._vpnconfig,
-- 
cgit v1.2.3