The controversy around snaps is growing :-(

Oliver Grawert ogra at ubuntu.com
Tue May 5 00:28:05 UTC 2020 

hi,
Am Montag, den 04.05.2020, 19:07 +0200 schrieb Ralf Mardorf via ubuntu-
users:
> Today:
> 
> "[snip] Snaps can be confined using AppArmor which is now enabled in
> the
> default kernel. [snip] Note: If AppArmor isn't enabled in your system
> then all snaps will run in devel mode which mean they will have same,
> unrestricted access to your system as apps installed from Arch Linux
> repositories. [snip]" - https://wiki.archlinux.org/index.php/Snap
> 

which is not actually true ... the confinement is nowadays a very fine-
grained security system consisting of quite a few features. if there is
one feature missing that doesnt mean all confinement is gone ...

$ snap debug sandbox-features
apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file
kernel:mount kernel:namespaces kernel:network kernel:network_v8
kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal
parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-
snap-persistency per-snap-profiles per-snap-updates per-snap-user-
profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow
kernel:errno kernel:kill_process kernel:kill_thread kernel:log
kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging

snapd degrades the confinement gracefully if i.e. apparmor does not
exist on the host (like on fedora) you still get namespaces, cgroups,
seccomp, several kernel security features, dbus mediation etc etc ... 

it wont be as secure as it can but there is still more confinement than
apps installed plain from a repository ...

ciao
	oli
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20200505/455cc5ef/attachment.sig>

More information about the ubuntu-users mailing list