Is it less secure to run snaps in openSUSE?

Hi all,

I was wondering if running snapd/snaps is less secure in openSUSE, compared to an Ubuntu distribution/flavor? I understand that openSUSE does not yet “officially” make snapd available, because they had some security concerns (a long time ago apparently).

Should I be concerned, as a tumbleweed user?

Yes, snaps are less secure on openSUSE than they are on Ubuntu. Snap uses Apparmor features that are not upstreamed yet, but present in Ubuntu.

openSUSE also seems to be moving towards adopting SELinux as the default for new installations, and without AppArmor, the snap sandbox is basically nonexistent.

I am using apparmor, so I should have no issue, then.

Any idea how Canonical sees this? I mean, snap is supposed to be a “universal” packaging & sandboxing tool. If its sandbox features won’t really “work” in a number of other main Linux distros out there, then is it truly universal? Don’t get me wrong, I am not challenging the idea to use AppArmor and not, say, SELinux for sandboxing, I am just curious…

Any hope from the stacking-LSM front that we would (in our lifetime :wink: ) finally be able to stack apparmor and SELinux?

If you want to see the current state of support on your system you can use:

snap debug confinement

(which will tell you if the confinement is strict or partial) and:

snap debug sandbox-features

which will list all sandboxing features in use on your system, here is output of this on a fully working Ubuntu system in case you need something to compare to:

apparmor:             kernel:caps kernel:dbus kernel:domain kernel:domain:attach_conditions kernel:file kernel:io_uring kernel:ipc kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:policy:permstable32:allow kernel:policy:permstable32:audit kernel:policy:permstable32:complain kernel:policy:permstable32:cond kernel:policy:permstable32:deny kernel:policy:permstable32:hide kernel:policy:permstable32:kill kernel:policy:permstable32:label kernel:policy:permstable32:prompt kernel:policy:permstable32:quiet kernel:policy:permstable32:subtree kernel:policy:permstable32:tag kernel:policy:permstable32:xindex kernel:policy:unconfined_restrictions kernel:policy:versions kernel:ptrace kernel:query kernel:query:label kernel:rlimit kernel:signal parser:allow-all parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:io-uring parser:mqueue parser:prompt parser:qipcrtr-socket parser:snapd-internal parser:unconfined parser:unsafe parser:userns parser:xdp policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v2 device-filtering tagging

Very valuable tip, thanks a lot @ogra !

I am actually very disappointed to see only partial confinement in my AppArmor Tumbleweed! Is that the case due to the missing AppArmor features @that_leaflet mentioned?

user@host~$ snap debug confinement
partial
user@host:~$ snap debug sandbox-features
apparmor:             kernel:caps kernel:domain kernel:domain:attach_conditions kernel:file kernel:io_uring kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:policy:permstable32:allow kernel:policy:permstable32:audit kernel:policy:permstable32:complain kernel:policy:permstable32:cond kernel:policy:permstable32:deny kernel:policy:permstable32:hide kernel:policy:permstable32:kill kernel:policy:permstable32:label kernel:policy:permstable32:prompt kernel:policy:permstable32:quiet kernel:policy:permstable32:subtree kernel:policy:permstable32:tag kernel:policy:permstable32:xindex kernel:policy:unconfined_restrictions kernel:policy:versions kernel:ptrace kernel:query kernel:query:label kernel:rlimit kernel:signal parser:allow-all parser:cap-audit-read parser:cap-bpf parser:include-if-exists parser:io-uring parser:mqueue parser:qipcrtr-socket parser:unconfined parser:unsafe parser:userns parser:xdp policy:default support-level:partial
confinement-options:  classic devmode
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 device-cgroup-v2 device-filtering tagging

The missing features are in fact two rather small patches, one provides IPC mediation and the other one is network related … looking at your list of apparmor features kernel:ipc and kernel:network are missing in yours, so I guess that’s a “yes” …
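An added example (not posted in the thread) that automates the comparison described above: a POSIX sh script that parses `snap debug sandbox-features` output and lists which AppArmor kernel features from a full-confinement Ubuntu reference are absent. The reference list is abridged to the `kernel:*` entries quoted earlier in this thread, and the embedded sample output is constructed to mimic the partial-confinement Tumbleweed host.

```shell
#!/bin/sh
# Added example, not from the thread. Checks snap's reported AppArmor kernel
# features against a reference taken from a fully confined Ubuntu host.
# Real use: missing_apparmor "$(snap debug sandbox-features)"

# Reference apparmor kernel features (abridged from the Ubuntu output quoted
# in the thread). On the openSUSE kernel, kernel:ipc and kernel:network
# were the ones reported missing.
REFERENCE_APPARMOR="kernel:caps kernel:dbus kernel:domain kernel:file kernel:ipc kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal"

# Read sandbox-features output on stdin and print, one per line, the values
# listed for the given key ("apparmor", "seccomp", ...).
features_for() {
    key="$1"
    awk -v k="$key:" '$1 == k { $1 = ""; print; exit }' \
        | tr -s ' ' '\n' | sed '/^$/d'
}

# Print every reference feature absent from the output passed as $1.
# Returns 0 when nothing is missing, 1 otherwise.
missing_apparmor() {
    have=$(printf '%s\n' "$1" | features_for apparmor)
    missing=""
    for f in $REFERENCE_APPARMOR; do
        printf '%s\n' "$have" | grep -qxF -- "$f" || missing="$missing $f"
    done
    missing=${missing# }          # strip the leading separator
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: an apparmor line from a partial-confinement host that
# lacks kernel:ipc and kernel:network, plus a few other keys for realism.
SAMPLE='apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal support-level:partial
confinement-options:  classic devmode
seccomp:              bpf-actlog bpf-argument-filtering'

# Stand-alone run against the embedded sample.
if out=$(missing_apparmor "$SAMPLE"); then
    echo "all reference apparmor features present"
else
    echo "missing apparmor features: $out"   # prints: kernel:ipc kernel:network
fi
```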

Would there be a way for me to apply these patches manually in Tumbleweed?

Well you’d have to build your own kernel… But sure, you could indeed add the missing patches then…


In Tumbleweed, the kernel is updated like every other week (rolling distro), wouldn’t that require me to manually rebuild the kernel every time? :thinking:

@ogra do you have any insights on the ongoing upstreaming efforts for those two features?