Snaps are not confined in Buster

soaringowl2145
Posts: 33
Joined: 2017-01-26 14:24

Snaps are not confined in Buster

#1 Post by soaringowl2145 »

So when I tried using snaps in Buster it told me they were not confined. I noticed this bug report:

https://bugs.debian.org/cgi-bin/bugrepo ... bug=928052

Specifically:

https://cve.mitre.org/cgi-bin/cvename.c ... 2019-11502

"snap-confine in snapd before 2.38 incorrectly set the ownership of a snap application to the uid and gid of the first calling user. Consequently, that user had unintended access to a private /tmp directory."

Is that bug/vulnerability the reason that snaps are not sandboxed?

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Snaps are not confined in Buster

#2 Post by Head_on_a_Stick »

Install AppArmor to confine snaps.

https://wiki.debian.org/AppArmor/HowToUse

From my buster system:

Code:

shinken:~$ sudo aa-status
apparmor module is loaded.
25 profiles are loaded.
20 profiles are in enforce mode.
[...]
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
deadbang

soaringowl2145
Posts: 33
Joined: 2017-01-26 14:24

Re: Snaps are not confined in Buster

#3 Post by soaringowl2145 »

I have done that.

Code:

z@debian:~$ sudo aa-status
[sudo] password for z: 
apparmor module is loaded.
60 profiles are loaded.
42 profiles are in enforce mode.
   /snap/core/6818/usr/lib/snapd/snap-confine
   /snap/core/6818/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/apt-cacher-ng
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   snap-update-ns.chromium
   snap-update-ns.core
   snap-update-ns.hello-world
   snap-update-ns.snap-store
   snap-update-ns.spotify
   snap.chromium.chromedriver
   snap.chromium.chromium
   snap.core.hook.configure
   snap.hello-world.env
   snap.hello-world.evil
   snap.hello-world.hello-world
   snap.hello-world.sh
   snap.snap-store.snap-store
   snap.spotify.spotify
18 profiles are in complain mode.
   /usr/bin/irssi
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   identd
   klogd
   libreoffice-oopslash
   libreoffice-soffice
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
11 processes have profiles defined.
9 processes are in enforce mode.
   /usr/sbin/cups-browsed (700) 
   /usr/sbin/cupsd (637) 
   /usr/lib/cups/notifier/dbus (696) /usr/sbin/cupsd
   /usr/lib/cups/notifier/dbus (699) /usr/sbin/cupsd
   /usr/lib/cups/notifier/dbus (704) /usr/sbin/cupsd
   /snap/spotify/35/usr/share/spotify/spotify (1788) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1930) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1944) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1961) snap.spotify.spotify
2 processes are in complain mode.
   /usr/sbin/avahi-daemon (641) avahi-daemon
   /usr/sbin/avahi-daemon (697) avahi-daemon
0 processes are unconfined but have a profile defined.
But then:

Code:

z@debian:~$ hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
If you see this line the confinement is not working correctly, please file a bug
The Snap Store also says unconfined and I disabled the ability to play sound from Chromium using the Snap Store, but the sound still played.
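Added example (not part of any post in this thread): a small parser for the aa-status output shown above that separates "profile loaded in enforce mode" from "a running process actually carries that label", which is the distinction the hello-world.evil test exposes. The sample output is constructed from the posts; the aa-status layout it assumes (indented entries under "N profiles are in ... mode." / "N processes are in ... mode." headers, process lines as "path (pid) profile") is as printed in this thread.

```python
"""Parse `aa-status` output and report which snap.* profiles are applied to running processes."""
import re
from collections import defaultdict

# Constructed sample, trimmed from the aa-status runs quoted in this thread.
SAMPLE_AA_STATUS = """\
apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /usr/lib/snapd/snap-confine
   snap.hello-world.evil
   snap.spotify.spotify
   snap.chromium.chromium
1 profiles are in complain mode.
   ping
2 processes have profiles defined.
2 processes are in enforce mode.
   /snap/spotify/35/usr/share/spotify/spotify (1788) snap.spotify.spotify
   /snap/spotify/35/usr/share/spotify/spotify (1930) snap.spotify.spotify
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
"""

SECTION_RE = re.compile(r"^(\d+) (profiles|processes) are in (enforce|complain) mode\.$")
# "exe (pid)" alone means the profile name equals the executable path (see cupsd lines above).
PROCESS_RE = re.compile(r"^(\S+) \((\d+)\)(?: (\S+))?$")

def parse_aa_status(text):
    """Return ({profile: mode}, {profile: [(pid, exe), ...]}) from aa-status output."""
    profiles, processes = {}, defaultdict(list)
    kind = mode = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            kind, mode = m.group(2), m.group(3)
            continue
        if not line.startswith("   ") or kind is None:
            kind = None  # any other top-level line ends the current section
            continue
        entry = line.strip()
        if kind == "profiles":
            profiles[entry] = mode
        else:
            pm = PROCESS_RE.match(entry)
            exe, pid, label = pm.group(1), int(pm.group(2)), pm.group(3) or pm.group(1)
            processes[label].append((pid, exe))
    return profiles, dict(processes)

def snap_confinement_report(text):
    """For each enforce-mode snap.* profile, list the pids currently running under that label.
    An empty list only says nothing is running under it right now; to confirm a launched app is
    confined, read /proc/<pid>/attr/current of that process and check it with label_is_confined()."""
    profiles, processes = parse_aa_status(text)
    return {p: sorted(pid for pid, _ in processes.get(p, []))
            for p, mode in profiles.items() if p.startswith("snap.") and mode == "enforce"}

def label_is_confined(attr_current):
    """Interpret /proc/<pid>/attr/current, e.g. 'snap.spotify.spotify (enforce)' or 'unconfined'."""
    label = attr_current.strip()
    return label != "unconfined" and label.endswith("(enforce)")
```

On the system in post #3 the spotify processes show up under their snap label, so that snap is confined; hello-world.evil printed its "confinement is not working" line, so its label should be checked from inside the running app rather than inferred from the loaded profile.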

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Snaps are not confined in Buster

#4 Post by Head_on_a_Stick »

deadbang
