I was wondering if running snapd/snaps is less secure on openSUSE, compared to an Ubuntu distribution/flavor? I understand that openSUSE does not yet “officially” make snapd available, because they had some security concerns (a long time ago apparently).
Yes, snaps are less secure on openSUSE than they are on Ubuntu. Snap uses AppArmor features that are not upstreamed yet, but present in Ubuntu.
openSUSE also seems to be moving towards adopting SELinux as the default for new installations, and without AppArmor, the snap sandbox is basically nonexistent.
I am using AppArmor, so I should have no issue, then.
Any idea how Canonical sees this? I mean, snap is supposed to be a “universal” packaging & sandboxing tool. If its sandbox features won’t really “work” in a number of other main Linux distros out there, then is it truly universal? Don’t get me wrong, I am not challenging the idea to use AppArmor and not, say, SELinux for sandboxing, I am just curious…
Any hope from the stacking-LSM front that we would (in our lifetime) finally be able to stack AppArmor and SELinux?
If you want to see the current state of support on your system you can use:
snap debug confinement
(which will tell you if the confinement is strict or partial)
and:
snap debug sandbox-features
which will list all sandboxing features in use on your system. Here is the output of this on a fully working Ubuntu system in case you need something to compare to:
I am actually very disappointed to see only partial confinement in my AppArmor Tumbleweed!
Is that the case due to the missing AppArmor features @that_leaflet mentioned?
The missing features are in fact two rather small patches, one provides IPC mediation and the other one is network related … looking at your list of apparmor features kernel:ipc and kernel:network are missing in yours, so I guess that’s a “yes” …
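As an added example (not from any poster in this thread), here is a small POSIX shell helper that does the comparison described above mechanically: it reads `snap debug sandbox-features` output, reports the AppArmor support level, and lists which of the two kernel features named in the thread (kernel:ipc and kernel:network) are absent. The two sample outputs are constructed to mimic the Ubuntu and Tumbleweed cases; on a real system pipe the command into the functions instead.

```shell
#!/bin/sh
# Added example, not part of the thread. Live usage:
#   snap debug sandbox-features | missing_apparmor_features
#   snap debug sandbox-features | apparmor_support_level

# Constructed sample: an AppArmor system missing IPC and network mediation
# (the Tumbleweed situation described in the thread). Not real captured output.
SAMPLE_TUMBLEWEED='apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:ptrace kernel:signal parser:unsafe policy:default support-level:partial
confinement-options:  classic devmode strict
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno'

# Constructed sample: a fully working Ubuntu system. Not real captured output.
SAMPLE_UBUNTU='apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:ipc kernel:mount kernel:namespaces kernel:network kernel:ptrace kernel:signal parser:unsafe policy:default support-level:full
confinement-options:  classic devmode strict'

# Extract the "apparmor:" line from sandbox-features output on stdin,
# without the leading label. Prints nothing if the line is absent
# (e.g. an SELinux-only system where snapd has no AppArmor backend).
apparmor_features_line() {
    grep '^apparmor:' | sed 's/^apparmor:[[:space:]]*//' || true
}

# Print the space-separated list of the features the thread identifies as
# required for full confinement that are missing from the apparmor line.
# Prints an empty line when nothing is missing.
missing_apparmor_features() {
    features=$(apparmor_features_line)
    missing=""
    for want in kernel:ipc kernel:network; do
        # Pad with spaces so kernel:ipc cannot match inside a longer token.
        case " $features " in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Print snapd's own verdict on the AppArmor backend: "full" or "partial".
apparmor_support_level() {
    apparmor_features_line | grep -o 'support-level:[a-z]*' | cut -d: -f2
}
```

On the Tumbleweed-style sample this prints `kernel:ipc kernel:network` and `partial`; on the Ubuntu-style sample the missing list is empty and the level is `full`.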