App confinement failure using meta-snappy Yocto layer

I followed the steps outlined in the meta-snappy github repo to create a Yocto Rocko qemu image with snapd.

I installed the ‘hello-world’ snap fine, but got these results when attempting to run hello-world.evil:

root@qemux86:~# hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
If you see this line the confinement is not working correctly, please file a bug

I filed an issue on github, but it was suggested that I also post here. Is anyone familiar enough with this issue to prescribe a fix?


Confinement heavily depends on the kernel. Can you please share:

snap version

In addition you will need to use either a very recent kernel (where most of the confinement tools are available) or back port some patches to your kernel.

root@qemux86:~# snap version
snap    2.32.2
snapd   2.32.2
series  16
poky    2.4.3
kernel  4.12.24-yocto-standard

How recent does the kernel need to be, and are there particular CONFIG options I should make sure are set?

see here:

What reminds me I should probably update that recipe to 2.33.

@kcghost You may also want to review meta-security layer. They have an out of the box AppArmor setup. Simply adding apparmor to DISTRO_FEATURES may be enough to get you started (as long as you use linux-yocto kernel).

1 Like