Package: snapd
Version: 2.42.1-1
Severity: grave
Tags: security
Justification: user security hole

If one installs the example snap hello-world and launches hello-world.evil on 
an apparmored system, the application is NOT strictly confined by default.

~$ snap run hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
If you see this line the confinement is not working correctly, please file a bug


My snap debug info

~$ snap debug confinement
partial

~$ snap debug sandbox-features
apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:downgraded support-level:partial
confinement-options:  classic devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v1 tagging

I believe the default setting should be "strict" or, at least, the package 
should have clear documentation on how to enable the strict mode (which, 
according to upstream, is the default...) 




-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 5.3.15 (SMP w/8 CPU cores; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages snapd depends on:
ii  adduser          3.118
ii  apparmor         2.13.3-7
ii  ca-certificates  20190110
ii  gnupg            2.2.17-3
ii  libapparmor1     2.13.3-7
ii  libc6            2.29-6
ii  libcap2          1:2.27-1
ii  libseccomp2      2.4.2-2
ii  libudev1         244-3
ii  openssh-client   1:8.1p1-2
ii  squashfs-tools   1:4.4-1
ii  systemd          244-3
ii  udev             244-3

Versions of packages snapd recommends:
ii  gnupg  2.2.17-3

Versions of packages snapd suggests:
ii  zenity  3.32.0-4

-- no debconf information
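
A check for the condition described in this report, as an added example that is not part of the original message or of snapd: it reads the output of `snap debug confinement` and `snap debug sandbox-features` and names the AppArmor tags that indicate less than strict confinement. The function names and the `support-level:full` value are assumptions; the sample input is the apparmor line from the report, wrapped as a mail client would wrap it.

```shell
#!/bin/sh
# Added example (not from the bug report or snapd): decide whether snapd can
# enforce strict confinement, from the two debug commands shown in the report.

# Print the tags of the "apparmor:" feature line on stdin, one per line.
# A feature line starts with "name:" plus whitespace; any other line is
# treated as a wrapped continuation of the previous feature.
apparmor_tags() {
    awk '
        /^[a-z-]+:[ \t]/ { cur = $1; sub(/^[a-z-]+:[ \t]+/, "") }
        cur == "apparmor:" { for (i = 1; i <= NF; i++) print $i }
    '
}

# confinement_verdict MODE < sandbox-features-output
# MODE is the output of `snap debug confinement`.
# Prints "strict" (exit 0) or "not-strict: <reasons>" (exit 1).
confinement_verdict() {
    mode=$1; reasons=""; level_seen=no
    [ "$mode" = "strict" ] || reasons="$reasons confinement=$mode"
    for tag in $(apparmor_tags); do
        case $tag in
            policy:downgraded) reasons="$reasons $tag" ;;
            support-level:*)
                level_seen=yes
                # Assumption: "full" is reported when AppArmor mediation is complete.
                [ "$tag" = "support-level:full" ] || reasons="$reasons $tag" ;;
        esac
    done
    # No apparmor line at all means no AppArmor mediation was reported.
    [ "$level_seen" = yes ] || reasons="$reasons apparmor-line-missing"
    if [ -z "$reasons" ]; then echo strict; return 0; fi
    echo "not-strict:$reasons"; return 1
}

# apparmor line copied from the report, wrapped as in the mail.
report_features() {
    cat <<'EOF'
apparmor:             kernel:caps kernel:domain kernel:file kernel:mount
kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query
kernel:rlimit kernel:signal parser:unsafe policy:downgraded
support-level:partial
confinement-options:  classic devmode
EOF
}

# Live use: snap debug sandbox-features | confinement_verdict "$(snap debug confinement)"
report_features | confinement_verdict partial || :
```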