Control: severity -1 important Hi,
On Tue, Dec 24, 2019 at 06:33:58PM +0100, Mattia Monga wrote: > Package: snapd > Version: 2.42.1-1 > Severity: grave > Tags: security > Justification: user security hole You didn't really explain how this is a security hole. You just asked for the default setting to be different. Downgrading. Cheers, Ivo > If one installs the example snap hello-world and launches hello-world.evil in > apparmored system the application is NOT strictly confined by default. > > ~$ snap run hello-world.evil > Hello Evil World! > This example demonstrates the app confinement > You should see a permission denied error next > If you see this line the confinement is not working correctly, please file a > bug > > > My snap debug info > > ~$ snap debug confinement > partial > > ~$ snap debug sandbox-features > apparmor: kernel:caps kernel:domain kernel:file kernel:mount > kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query > kernel:rlimit kernel:signal parser:unsafe policy:downgraded > support-level:partial > confinement-options: classic devmode > dbus: mediated-bus-access > kmod: mediated-modprobe > mount: freezer-cgroup-v1 layouts mount-namespace > per-snap-persistency per-snap-profiles per-snap-updates > per-snap-user-profiles stale-base-invalidation > seccomp: bpf-actlog bpf-argument-filtering kernel:allow > kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace > kernel:trap kernel:user_notif > udev: device-cgroup-v1 tagging > > I believe the default setting should be "strict" or, at least, the package > should have clear documentation on how to enable the strict mode (which, > according to upstream, is the default...) >
