Snaps are not confined in Buster

News and discussion about development of the Debian OS itself

Postby soaringowl2145 » 2019-05-04 02:58

So when I tried using snaps in Buster it told me they were not confined. I noticed this bug report:

https://bugs.debian.org/cgi-bin/bugrepo ... bug=928052

Specifically:

https://cve.mitre.org/cgi-bin/cvename.c ... 2019-11502

"snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."

Is that bug/vulnerability the reason that snaps are not sandboxed?

Re: Snaps are not confined in Buster

Postby Head_on_a_Stick » 2019-05-04 08:54

Install AppArmor to confine snaps.

https://wiki.debian.org/AppArmor/HowToUse

From my buster system:
Code:
shinken:~$ sudo aa-status
apparmor module is loaded.
25 profiles are loaded.
20 profiles are in enforce mode.
[...]
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper

Don't break Debian | How to report bugs

SharpBang GNU/Linux — a pre-configured Openbox/Tint2 desktop running on Debian stable

Re: Snaps are not confined in Buster

Postby soaringowl2145 » 2019-05-04 14:12

I have done that.

Code:
z@debian:~$ sudo aa-status
[sudo] password for z:
apparmor module is loaded.
60 profiles are loaded.
42 profiles are in enforce mode.
   /snap/core/6818/usr/lib/snapd/snap-confine
   /snap/core/6818/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/apt-cacher-ng
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.chromium
   snap-update-ns.core
   snap-update-ns.hello-world
   snap-update-ns.snap-store
   snap-update-ns.spotify
   snap.chromium.chromedriver
   snap.chromium.chromium
   snap.core.hook.configure
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh
   snap.snap-store.snap-store
   snap.spotify.spotify
18 profiles are in complain mode.
   /usr/bin/irssi
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   identd
   klogd
   libreoffice-oopslash
   libreoffice-soffice
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
11 processes have profiles defined.
9 processes are in enforce mode.
   /usr/sbin/cups-browsed (700)
   /usr/sbin/cupsd (637)
   /usr/lib/cups/notifier/dbus (696) /usr/sbin/cupsd
   /usr/lib/cups/notifier/dbus (699) /usr/sbin/cupsd
   /usr/lib/cups/notifier/dbus (704) /usr/sbin/cupsd
   /snap/spotify/35/usr/share/spotify/spotify (1788) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1930) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1944) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1961) snap.spotify.spotify
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (641) avahi-daemon
   /usr/sbin/avahi-daemon (697) avahi-daemon
0 processes are unconfined but have a profile defined.


But then:

Code:
z@debian:~$ hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
If you see this line the confinement is not working correctly, please file a bug


The Snap Store also says unconfined and I disabled the ability to play sound from Chromium using the Snap Store, but the sound still played.
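The post above shows the two facts that have to be reconciled: aa-status lists the snap.* profiles in enforce mode, yet hello-world.evil runs to its last line. The script below is an added example, not code from this thread or from snapd or AppArmor. Its first two functions parse an aa-status listing mechanically (the sample text embedded in it is constructed from the lines quoted above); the `--live` function runs the checks that the listing alone cannot answer: what snapd concluded about the kernel (`snap debug confinement` prints strict, partial or none), which AppArmor features the kernel exposes, what profile the current shell runs under, and whether the evil test produces a kernel denial. The live part assumes snapd, the hello-world snap and AppArmor are installed.

```shell
#!/bin/sh
# Added example, not from the thread or from snapd/AppArmor.
# profile_mode / pid_profile parse `aa-status` output so a script can answer
# "is profile X loaded, and in which mode?" without eyeballing dozens of lines.
# live_check runs the commands that show whether snapd believes it can confine
# anything at all (assumes snapd + AppArmor + the hello-world snap installed).

# Constructed sample, cut down from the aa-status listing posted in the thread.
SAMPLE_AA_STATUS='apparmor module is loaded.
5 profiles are loaded.
3 profiles are in enforce mode.
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   snap.hello-world.evil
2 profiles are in complain mode.
   avahi-daemon
   ping
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (637)
   /snap/spotify/35/usr/share/spotify/spotify (1788) snap.spotify.spotify
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode NAME TEXT  -> enforce | complain | absent
# Section headers switch the state; the "processes ..." header closes the
# profile sections so process lines are never mistaken for profile names.
profile_mode() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /profiles are in enforce mode/    { section = "enforce";  next }
        /profiles are in complain mode/   { section = "complain"; next }
        /processes have profiles defined/ { section = "" }
        section != "" && $1 == want       { print section; found = 1; exit }
        END { if (!found) print "absent" }'
}

# pid_profile PID TEXT -> profile attached to that PID, or "unconfined".
# Process lines look like "<exe> (<pid>)" or "<exe> (<pid>) <profile>"; when
# the profile column is missing, the profile name is the executable path.
# PIDs listed under "unconfined but have a profile defined" are unconfined.
pid_profile() {
    printf '%s\n' "$2" | awk -v pid="($1)" '
        /processes have profiles defined/   { in_procs = 1; next }
        /processes are unconfined but have/ { in_procs = 0 }
        in_procs && $2 == pid { print ($3 != "" ? $3 : $1); found = 1; exit }
        END { if (!found) print "unconfined" }'
}

# live_check: the questions aa-status cannot answer.  Run as
#   sh check_snap_confinement.sh --live
live_check() {
    # snapd's own verdict on the kernel: strict | partial | none.
    echo "snap debug confinement:   $(snap debug confinement 2>&1)"
    # AppArmor features the running kernel exposes (the directory snapd probes).
    echo "kernel apparmor features: $(ls /sys/kernel/security/apparmor/features 2>&1 | tr '\n' ' ')"
    # Profile of this shell as the kernel sees it ("unconfined" or a profile name).
    echo "this shell runs as:       $(cat /proc/self/attr/current 2>&1)"
    # Re-run the thread's test, then look for the denial a working sandbox logs.
    hello-world.evil
    dmesg 2>/dev/null | grep -F 'apparmor="DENIED"' | tail -n 5
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Without `--live` the script only defines the functions, so it can be sourced and queried; with `--live` it prints the four items above, and the last two are the ones to paste into a bug report: a profile that aa-status shows as enforced but a kernel log with no apparmor="DENIED" line for the evil test is exactly the situation the post describes.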

Re: Snaps are not confined in Buster

Postby Head_on_a_Stick » 2019-05-04 14:28
