Snaps are not confined in Buster

Posted: 2019-05-04 02:58
by soaringowl2145
So when I tried using snaps in Buster it told me they were not confined. I noticed this bug report:

https://bugs.debian.org/cgi-bin/bugrepo ... bug=928052

Specifically:

https://cve.mitre.org/cgi-bin/cvename.c ... 2019-11502

"snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."

Is that bug/vulnerability the reason that snaps are not sandboxed?

Re: Snaps are not confined in Buster

Posted: 2019-05-04 08:54
by Head_on_a_Stick
Install AppArmor to confine snaps.

https://wiki.debian.org/AppArmor/HowToUse

From my buster system:

Code:

shinken:~$ sudo aa-status
apparmor module is loaded.
25 profiles are loaded.
20 profiles are in enforce mode.
[...]
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
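A way to check that the confinement is actually applied, as an added example that is not part of the thread: an `aa-status` listing that contains `/usr/lib/snapd/snap-confine` only shows that the profile is loaded in the kernel; whether snapd is really running apps under it is what `snap debug confinement` (prints strict, partial or none) and the label in `/proc/PID/attr/current` answer. The script below parses `aa-status` output (a constructed, trimmed sample is embedded so it runs without root) and, when called with `--live`, queries the real system. The function names and the `--live` switch are my own.

```shell
#!/bin/sh
# Constructed, trimmed sample of `sudo aa-status` output, embedded so the
# parsing functions can be exercised without root or a real snapd install.
SAMPLE_AA_STATUS='apparmor module is loaded.
6 profiles are loaded.
4 profiles are in enforce mode.
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   snap.hello-world.evil
   snap.spotify.spotify
2 profiles are in complain mode.
   ping
   traceroute
2 processes have profiles defined.
1 processes are in enforce mode.
   /snap/spotify/35/usr/share/spotify/spotify (1788) snap.spotify.spotify
1 processes are in complain mode.
   /usr/sbin/avahi-daemon (641) avahi-daemon
0 processes are unconfined but have a profile defined.'

# profile_mode NAME  (aa-status output on stdin)
# Prints enforce, complain or absent for the named profile, reading only the
# "profiles are in ... mode" sections, not the per-process sections below them.
profile_mode() {
    awk -v name="$1" '
        /profiles are in enforce mode/    { mode = "enforce";  next }
        /profiles are in complain mode/   { mode = "complain"; next }
        /processes have profiles defined/ { mode = "" }
        mode != "" && $1 == name          { print mode; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# snap_confine_enforced  (aa-status output on stdin)
# Succeeds only if some snap-confine profile (the system one or the one from
# the core snap) is in enforce mode; complain or absent both fail.
snap_confine_enforced() {
    awk '
        /profiles are in enforce mode/    { mode = "enforce";  next }
        /profiles are in complain mode/   { mode = "complain"; next }
        /processes have profiles defined/ { mode = "" }
        mode == "enforce" && $1 ~ /\/snap-confine$/ { ok = 1; exit }
        END { exit !ok }
    '
}

# process_label PID
# The AppArmor label the kernel applies to a running process, for example
# "snap.spotify.spotify (enforce)" or "unconfined".
process_label() {
    cat "/proc/$1/attr/current" 2>/dev/null || echo "unknown"
}

# live_report: query the real system (needs sudo for aa-status).
live_report() {
    echo "apparmor enabled: $(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)"
    echo "snapd confinement: $(snap debug confinement 2>/dev/null || echo unknown)"
    if sudo aa-status 2>/dev/null | snap_confine_enforced; then
        echo "snap-confine profile: enforced"
    else
        echo "snap-confine profile: NOT enforced"
    fi
    # Every process whose command line starts with /snap/ should carry a
    # snap.<name>.<app> label; "unconfined" here means the sandbox is off.
    for pid in $(pgrep -f '^/snap/' 2>/dev/null); do
        echo "pid $pid: $(process_label "$pid")"
    done
}

if [ "${1-}" = "--live" ]; then
    live_report
else
    printf '%s\n' "$SAMPLE_AA_STATUS" | profile_mode /usr/lib/snapd/snap-confine
fi
```

Run it as `sh check-snap-confinement.sh --live`; a snap process reporting `unconfined` while `aa-status` still lists `snap.<name>.<app>` in enforce mode is exactly the situation where the profile exists but snapd is not launching apps under it.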

Re: Snaps are not confined in Buster

Posted: 2019-05-04 14:12
by soaringowl2145
I have done that.

Code:

z@debian:~$ sudo aa-status
[sudo] password for z: 
apparmor module is loaded.
60 profiles are loaded.
42 profiles are in enforce mode.
   /snap/core/6818/usr/lib/snapd/snap-confine
   /snap/core/6818/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/apt-cacher-ng
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.chromium
   snap-update-ns.core
   snap-update-ns.hello-world
   snap-update-ns.snap-store
   snap-update-ns.spotify
   snap.chromium.chromedriver
   snap.chromium.chromium
   snap.core.hook.configure
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh
   snap.snap-store.snap-store
   snap.spotify.spotify
18 profiles are in complain mode.
   /usr/bin/irssi
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   identd
   klogd
   libreoffice-oopslash
   libreoffice-soffice
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
11 processes have profiles defined.
9 processes are in enforce mode.
   /usr/sbin/cups-browsed (700) 
   /usr/sbin/cupsd (637) 
   /usr/lib/cups/notifier/dbus (696) /usr/sbin/cupsd
   /usr/lib/cups/notifier/dbus (699) /usr/sbin/cupsd
   /usr/lib/cups/notifier/dbus (704) /usr/sbin/cupsd
   /snap/spotify/35/usr/share/spotify/spotify (1788) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1930) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1944) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1961) snap.spotify.spotify
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (641) avahi-daemon
   /usr/sbin/avahi-daemon (697) avahi-daemon
0 processes are unconfined but have a profile defined.

But then:

Code:

z@debian:~$ hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
If you see this line the confinement is not working correctly, please file a bug

The Snap Store also says unconfined, and I disabled the ability to play sound from Chromium using the Snap Store, but the sound still played.

Re: Snaps are not confined in Buster

Posted: 2019-05-04 14:28
by Head_on_a_Stick