Package: snapd
Version: 2.37.3-1
Severity: important

Dear Maintainer,

I just started experimenting with snaps and noticed my (pretty vanilla) installation is silently not confining snaps. E.g.:

$ snap install hello-world
2019-03-01T00:20:19+01:00 INFO Waiting for restart...
hello-world 6.3 from Canonical✓ installed
$ snap run --shell hello-world
$ ls /
bin boot ...

Since the hello-world snap has no interfaces, I'd expect it to deny access to / (like in snap's tutorial), but this is not the case. Neither installation nor running the command (or its shell) gives off any indication that something might be wrong.

I'm an AppArmor newbie, but the generated profile (attached) seems a bit too permissive. That is generated and loaded by snap itself, right?

Here's some further debug info. I imagine the lack of "strict" is the problem, but it's not obvious to me why snap cannot enable it.

----------------------
$ snap debug confinement
partial
$ snap debug sandbox-features
apparmor: kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:downgraded support-level:partial
confinement-options: classic devmode
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap
udev: device-cgroup-v1 tagging
------------------------

Setting severity to important because I'd argue this is a security breach: the expectation of confinement is silently not met, potentially leading to information leakage.
Cheers,
Leo

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages snapd depends on:
ii  adduser          3.118
ii  apparmor         2.13.2-9
ii  ca-certificates  20190110
ii  gnupg            2.2.12-1
ii  libapparmor1     2.13.2-9
ii  libc6            2.28-7
ii  libcap2          1:2.25-2
ii  libseccomp2      2.3.3-4
ii  libudev1         241-1
ii  openssh-client   1:7.9p1-7
ii  squashfs-tools   1:4.3-11
ii  systemd          241-1
ii  udev             241-1

Versions of packages snapd recommends:
ii  gnupg  2.2.12-1

Versions of packages snapd suggests:
ii  zenity  3.30.0-2

-- no debconf information
#include <tunables/global>

# This is a snap name without the instance key
@{SNAP_NAME}="hello-world"
# This is a snap name with instance key
@{SNAP_INSTANCE_NAME}="hello-world"
@{SNAP_REVISION}="27"
@{PROFILE_DBUS}="snap_2ehello_2dworld_2ehello_2dworld"
@{INSTALL_DIR}="/{,var/lib/snapd/}snap"

profile "snap.hello-world.hello-world" (attach_disconnected,mediate_deleted) {
  # set file rules so that exec() inherits our profile unless there is
  # already a profile for it (eg, snap-confine)
  / rwkl,
  /** rwlkm,
  /** pix,

  capability,
  change_profile unsafe /**,
  dbus,
  network,
  mount,
  remount,
  umount,
  pivot_root,
  ptrace,
  signal,
  unix,
}
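A check for the silent downgrade described in this report, written as an added example (not part of the bug report or of snapd): it parses `snap debug sandbox-features` output for the `policy:downgraded` / `parser:unsafe` / `support-level:partial` markers and the missing `strict` option, and scans a generated profile for the unconfined-equivalent rules seen in the attached profile. The sample inputs are constructed from the report, and the profile path in the trailing comment is an assumption about snapd's layout.

```shell
# Added example: detect the confinement downgrade from sandbox-features output and a profile.

# Constructed sample: the sandbox-features lines quoted in the report (trimmed).
SAMPLE_FEATURES='apparmor: kernel:caps kernel:domain kernel:file parser:unsafe policy:downgraded support-level:partial
confinement-options: classic devmode
seccomp: bpf-argument-filtering kernel:allow kernel:errno'

# Constructed sample: the rules from the attached snap.hello-world.hello-world profile.
SAMPLE_PROFILE='profile "snap.hello-world.hello-world" (attach_disconnected,mediate_deleted) {
  / rwkl,
  /** rwlkm,
  /** pix,
  capability,
  change_profile unsafe /**,
}'

# Returns 0 when the host offers strict confinement, 1 otherwise; prints each reason.
snap_confinement_is_strict() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^confinement-options: *//p')
    status=0
    case " $opts " in
        *" strict "*) ;;
        *) echo "confinement-options lacks strict: ${opts:-<none>}"; status=1 ;;
    esac
    # Markers snapd prints when it had to downgrade or relax the AppArmor policy.
    for flag in policy:downgraded parser:unsafe support-level:partial; do
        if printf '%s\n' "$1" | grep -q "^apparmor:.*[ ]$flag"; then
            echo "apparmor reports $flag"; status=1
        fi
    done
    return $status
}

# Returns 0 (true) when the profile grants unconfined-equivalent access, 1 otherwise.
apparmor_profile_is_permissive() {
    permissive=1
    for pattern in '^ */\*\* *rwlkm,' '^ */\*\* *pix,' '^ *capability,' '^ *change_profile *unsafe */\*\*,'; do
        if printf '%s\n' "$1" | grep -q "$pattern"; then
            echo "permissive rule: $(printf '%s\n' "$1" | grep "$pattern" | head -n 1)"
            permissive=0
        fi
    done
    return $permissive
}

# On a live host (profile path is an assumption about snapd's layout):
#   snap_confinement_is_strict "$(snap debug sandbox-features)"
#   apparmor_profile_is_permissive "$(cat /var/lib/snapd/apparmor/profiles/snap.hello-world.hello-world)"
```

Both functions exit non-zero in the direction that makes them usable as a gate in a provisioning script, so a host that reports `partial` fails loudly instead of silently.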