The controversy around snaps is growing :-(

Tom H tomh0665 at gmail.com
Tue May 5 09:30:44 UTC 2020


On Tue, May 5, 2020 at 2:30 AM Oliver Grawert <ogra at ubuntu.com> wrote:
> On Monday, 04.05.2020, at 19:07 +0200, Ralf Mardorf via ubuntu-users wrote:
>>
>> "[snip] Snaps can be confined using AppArmor which is now enabled in
>> the default kernel. [snip] Note: If AppArmor isn't enabled in your
>> system then all snaps will run in devel mode, which means they will have
>> the same, unrestricted access to your system as apps installed from Arch
>> Linux repositories. [snip]"
>> - https://wiki.archlinux.org/index.php/Snap
>
> which is not actually true ... the confinement is nowadays a very fine-
> grained security system consisting of quite a few features. if there is
> one feature missing that doesn't mean all confinement is gone ...
>
> $ snap debug sandbox-features
> apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file
> kernel:mount kernel:namespaces kernel:network kernel:network_v8
> kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal
> parser:unsafe policy:default support-level:full
> confinement-options:  classic devmode strict
> dbus:                 mediated-bus-access
> kmod:                 mediated-modprobe
> mount:                freezer-cgroup-v1 layouts mount-namespace per-
> snap-persistency per-snap-profiles per-snap-updates per-snap-user-
> profiles stale-base-invalidation
> seccomp:              bpf-actlog bpf-argument-filtering kernel:allow
> kernel:errno kernel:kill_process kernel:kill_thread kernel:log
> kernel:trace kernel:trap kernel:user_notif
> udev:                 device-cgroup-v1 device-filtering tagging
>
> snapd degrades the confinement gracefully if i.e. apparmor does not
> exist on the host (like on fedora) you still get namespaces, cgroups,
> seccomp, several kernel security features, dbus mediation etc etc ...
>
> it won't be as secure as it can but there is still more confinement than
> apps installed plain from a repository ...

Thanks for the info (and the command!).
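The command Oliver quotes is the practical way to see what snapd's graceful degradation leaves in place on a given host. The script below is an added example (not code from the thread or from snapd): it parses `snap debug sandbox-features` output and prints a per-backend verdict, using Oliver's posted output as constructed sample input; the backend/feature names it checks are the ones that appear in that output.

```sh
#!/bin/sh
# Added example (not from the thread): parse `snap debug sandbox-features`
# output and report which confinement backends the host actually provides.

# Constructed sample: the output Oliver posted above (Ubuntu host with full
# AppArmor support), unwrapped to one line per backend as the command prints it.
SAMPLE_OUTPUT='apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 device-filtering tagging'

# has_feature BACKEND FEATURE: reads sandbox-features text on stdin and
# exits 0 only if FEATURE is listed on the BACKEND line.
has_feature() {
    awk -v backend="$1:" -v feature="$2" '
        $1 == backend { for (i = 2; i <= NF; i++) if ($i == feature) found = 1 }
        END { exit found ? 0 : 1 }'
}

# apparmor_support_level: prints the value of support-level on the apparmor
# line (e.g. "full"), or "missing" when the host reports no apparmor backend.
apparmor_support_level() {
    awk '
        $1 == "apparmor:" { for (i = 2; i <= NF; i++) if (sub(/^support-level:/, "", $i)) { print $i; found = 1 } }
        END { if (!found) print "missing" }'
}

# confinement_report: one verdict line per backend worth checking, so a host
# without AppArmor still shows what it does enforce (seccomp, namespaces, ...).
confinement_report() {
    input=$(cat)
    for check in "apparmor support-level:full" "confinement-options strict" \
                 "seccomp bpf-argument-filtering" "mount mount-namespace" \
                 "dbus mediated-bus-access" "udev device-filtering"; do
        set -- $check   # split "BACKEND FEATURE" into $1 and $2
        if printf '%s\n' "$input" | has_feature "$1" "$2"; then
            echo "ok       $1: $2"
        else
            echo "MISSING  $1: $2"
        fi
    done
}

# Live use on a snapd host: snap debug sandbox-features | confinement_report
printf '%s\n' "$SAMPLE_OUTPUT" | confinement_report
```

On a host where the apparmor line is absent, the report shows that backend as MISSING while still listing the seccomp, mount and dbus mediation the host does provide.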