App confinement failure using meta-snappy Yocto layer

I followed the steps outlined in the meta-snappy github repo to create a Yocto Rocko qemu image with snapd.

I installed the ‘hello-world’ snap fine, but got these results when attempting to run hello-world.evil:

root@qemux86:~# hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
If you see this line the confinement is not working correctly, please file a bug

I filed an issue on github, but it was suggested that I also post here. Is anyone familiar enough with this issue to prescribe a fix?

Hey

Confinement heavily depends on the kernel. Can you please share:

snap version

In addition you will need to use either a very recent kernel (where most of the confinement tools are available) or backport some patches to your kernel.

root@qemux86:~# snap version
snap    2.32.2
snapd   2.32.2
series  16
poky    2.4.3
kernel  4.12.24-yocto-standard

How recent does the kernel need to be, and are there particular CONFIG options I should make sure are set?

see here:

Which reminds me I should probably update that recipe to 2.33.

@kcghost You may also want to review meta-security layer. They have an out of the box AppArmor setup. Simply adding apparmor to DISTRO_FEATURES may be enough to get you started (as long as you use linux-yocto kernel).

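The question asks which CONFIG options must be set, and the last reply points at AppArmor via DISTRO_FEATURES. As an added example (not from the thread, meta-snappy or meta-security), the script below checks a kernel .config for the compile-time options snapd's confinement relies on: AppArmor for the mandatory-access profile, seccomp filtering for the per-snap syscall filter, and squashfs to mount the snap itself. The option names are real kernel symbols of the 4.x era; CONFIG_DEFAULT_SECURITY_APPARMOR was later replaced by the CONFIG_LSM list, so adjust that entry on newer kernels. The sample .config is constructed to show a kernel that has AppArmor built but neither enables it by default nor supports seccomp filters, which is one way hello-world.evil can run without the expected permission-denied error. A passing check is necessary but not sufficient: as the earlier reply notes, a 4.12 kernel may also need backported AppArmor patches that no .config inspection can reveal.

```shell
#!/bin/sh
# Added example: report which kernel config options snapd confinement needs
# that are not enabled (=y) in a given .config. Option names are real kernel
# symbols; the sample .config written below is constructed for illustration.

# Options checked. A line of the form '# OPT is not set' or no line at all
# counts as missing. Modules (=m) are also reported, since the LSM and
# seccomp cannot be loaded later as modules.
REQUIRED_OPTS="CONFIG_SECURITY CONFIG_SECURITY_APPARMOR CONFIG_SECURITY_PATH \
CONFIG_DEFAULT_SECURITY_APPARMOR CONFIG_SECCOMP CONFIG_SECCOMP_FILTER CONFIG_SQUASHFS"

# check_kconfig FILE
# Prints each required option that is not '=y' in FILE, one per line.
# Returns 0 when everything is enabled, 1 when anything is missing.
check_kconfig() {
    _file="$1"
    _rc=0
    for _opt in $REQUIRED_OPTS; do
        if ! grep -q "^${_opt}=y\$" "$_file"; then
            echo "$_opt"
            _rc=1
        fi
    done
    return $_rc
}

# write_sample_config FILE
# Constructed .config fragment: AppArmor compiled in but DAC is the default
# LSM, and seccomp filtering is absent.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_SECCOMP=y
# CONFIG_SECCOMP_FILTER is not set
CONFIG_SQUASHFS=y
EOF
}

# Demonstration run: on a real system point check_kconfig at
# /boot/config-$(uname -r) or the Yocto kernel build's .config instead.
sample="${TMPDIR:-/tmp}/sample.config.$$"
write_sample_config "$sample"
if check_kconfig "$sample"; then
    echo "all required options enabled"
else
    echo "the options listed above must be enabled before snap confinement can work"
fi
rm -f "$sample"
```

Against the constructed sample the script lists CONFIG_DEFAULT_SECURITY_APPARMOR and CONFIG_SECCOMP_FILTER. With the Yocto build, the simplest way to turn missing entries into enabled ones is a kernel config fragment (.cfg) added to SRC_URI of the linux-yocto recipe, then a rebuild and a fresh `snap version` and `hello-world.evil` run to confirm the permission-denied line finally appears.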