Can you please give some hints on how to drop the unneeded permissions of a snap app?
Details: there's an app that parses and displays the output of the 'ping' tool (note: the standard 'ping' tool is included in all snap cores). The permissions that need to be granted when using it inside the snap infrastructure, compared to using it outside of snap:
1) Outside the snap ecosystem, with a deb or apk package for example: there's no need to grant anything extra, because 'ping' itself already has enough permissions to ping; they're granted via fine-grained Linux capabilities, like:

```
% ls -lh /bin/ping; getcap /bin/ping
-rwxr-xr-x 1 root root 88K Nov 27  2022 /bin/ping
/bin/ping cap_net_raw=ep
```
2) In the case of a snap package, these are the snappy-debug suggestions:

```
Log: apparmor="DENIED" operation="exec" class="file" profile="snap.fmtr.fmtr" name="/usr/bin/ping" pid=315899 comm="io.flutter.ui" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /usr/bin/ping (exec)
Suggestions:
* adjust snap to ship 'ping'
* adjust program to use relative paths if the snap already ships 'ping'
* add one of 'firewall-control, network-control, network-observe' to 'plugs'
```
despite the fact that the cores' pings already have all the needed permissions:

```
% ls -lh /snap/core*/*/bin/ping; getcap /snap/core*/*/bin/ping
-rwsr-xr-x 1 root root 44K May  7  2014 /snap/core/16202/bin/ping
-rwxr-xr-x 1 root root 72K Jan 31  2020 /snap/core20/2015/bin/ping
-rwxr-xr-x 1 root root 75K Feb  5  2022 /snap/core22/864/bin/ping
/snap/core20/2015/bin/ping cap_net_raw=ep
/snap/core22/864/bin/ping cap_net_raw=ep
```
I.e. in this respect, is the snap version less secure than an app installed from apk or deb?
Is there a way to grant extra permissions to the snap core's ping only?
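A small triage helper, added here as an example and not part of the post above: it parses AppArmor `DENIED` audit lines of the form quoted in the snappy-debug output, keeps only those whose profile belongs to a snap (`snap.<snap>.<app>`), and collapses repeated denials into one row per (snap, app, operation, path, denied mask), so you can see exactly what the confined app asked for before choosing the narrowest plug. The sample log is constructed: the first line is the denial from the post, the other two are made up.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the denial quoted in the post, line 2 is a
# made-up second denial from the same snap, line 3 is a non-snap profile and
# must be ignored by the snap filter.
SAMPLE_LOG = """\
apparmor="DENIED" operation="exec" class="file" profile="snap.fmtr.fmtr" name="/usr/bin/ping" pid=315899 comm="io.flutter.ui" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" class="file" profile="snap.fmtr.fmtr" name="/proc/net/dev" pid=315899 comm="fmtr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="open" class="file" profile="firefox" name="/etc/shadow" pid=42 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bareword, as emitted by the AppArmor audit format.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of one AppArmor audit line, or None if it is not a DENIED line."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def snap_denials(log_text):
    """Yield parsed denials whose profile is a snap profile, with snap and app names split out."""
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if not fields or not fields.get("profile", "").startswith("snap."):
            continue
        parts = fields["profile"].split(".")
        if len(parts) < 3:
            continue  # malformed profile name; skip rather than guess
        fields["snap"], fields["app"] = parts[1], parts[2]
        yield fields


def summarize(log_text):
    """Count denials per (snap, app, operation, path, denied_mask) so repeats collapse into one row."""
    return Counter(
        (f["snap"], f["app"], f["operation"], f["name"], f["denied_mask"])
        for f in snap_denials(log_text)
    )


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, *key)
```

Feed it the output of `journalctl -k` (or `dmesg`) instead of the constructed sample to triage a real snap; the `exec` of `/usr/bin/ping` with mask `x` is what the snappy-debug suggestions above are answering.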