Issue with System Freezing While Using Software Installed from Snap

Dear Snapcraft Developers,

I’ve been experiencing a recurring problem with my Ubuntu system that seems to be related to using software installed from the Snap repository.

Whenever I use certain applications installed through Snap, they initially function well, but after some time my computer display flashes and the system freezes. During these freezes I can sometimes move the mouse cursor, but cannot interact with any software or system functions. As a result, I'm forced to manually reset my system using the reset button. Also keep in mind, it might have been hacking attacks, because I know people who want to observe, control and manipulate me. I used to live in an old apartment building, and I heard the neighbor who lived above me speaking loudly; I heard that he could find out all my passwords, all visited websites, where I've been, my location (my Android smartphone was also hacked). And many other things happened. I have been fighting against this since 2011.

Interestingly, this issue does not occur when I use software installed from the original Ubuntu repositories and sandbox them using Firejail. However, this workaround is not ideal since there are several Snap-exclusive applications that I find useful and would like to continue using.

Now I'm safe. I'm using Firefox, Thunderbird, whatsapp-for-linux, teams-for-linux and many others in Firejail, plus a VPN (an OpenVPN solution, and a browser plugin from the VPN provider, so the communication in the browser is encrypted twice); passwords have been changed, and 2FA is enabled everywhere it is possible.

Now I just want to help improve the security issue in snapd.

To assist you in troubleshooting, here are some additional details:

Ubuntu version: 23.04
Kernel: 6.4.1 (compiled myself, source from kernel.org)
Snap version: 2.59.5
List of problematic software: firefox, thunderbird, whatsapp-for-linux, teams-for-linux, chatgpt-desktop
System specifications: Laptop DELL G3 3779, CPU - 12 × Intel® Core™ i7-8750H CPU @ 2.20GHz, RAM 16 GB, graphics card - NVIDIA GeForce GTX 1050 Ti, graphics card driver 535.54.03 (downloaded and installed from www.nvidia.com/de-de/drivers/unix because it works better with the latest kernel)
Steps to reproduce: I'll be using the problematic software in a VirtualBox VM.

I kindly request your assistance in resolving this issue. I hope that improving this could benefit not only myself but also other users who might be facing similar problems.

Thank you for your attention to this matter.

Best regards, Eugen Mjasiscev

This is most likely your problem… why did you do this?

The ubuntu kernels are carrying a few hundred additional patches over the mainline one… most of them add or improve security features to harden the system…

there are also many configuration settings that the userspace applications expect from a kernel in ubuntu, so you need to make sure that your home-built kernel fully supports these in the .config you use, else you will for sure see misbehavior of applications down to the desktop itself …

…and indeed you will be missing the monthly security fixes that close well-known vulnerabilities hackers already abuse to hack your system…

Better stay with the provided ubuntu kernels if security is really important for you.

Thank you for advice.

I'm not very familiar with kernels. For the kernel's configuration I used 'yes "" | make oldconfig', so I extended the old kernel's configuration and the settings that the userspace applications expect from a kernel on Ubuntu were taken over. After that I changed in .config CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" to CONFIG_SYSTEM_TRUSTED_KEYS="" and CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem" to CONFIG_SYSTEM_REVOCATION_KEYS=""; these keys were created during the compilation. With 'nice -n19 make bindeb-pkg -j $(($(grep process /proc/cpuinfo | wc -l) +1))' I compiled and created the packages. Furthermore, I think it was the right way to compile and install the latest kernel. And I think this new kernel was safer after all.

I’ll strongly consider your advice.

But the system's freezing also happened many times when I didn't use my own compiled kernel. So I think this behavior isn't caused by my own built kernel. That is why I think there's a security issue in snapd.

Please tell me if I’m wrong.

Best regards, Eugen Mjasiscev

so that means you turned off all security checking of device drivers and kernel modules … (i.e. a hacker that gained root access can now easily load a self-written keyboard driver that sends all your keystrokes to some internet bot she operates … the module signing you turned off exists to prevent you from exactly this kind of attack)

what makes you think that a self-brewed kernel that has fewer security patches on board and has not run through a 2-week automated testing system at canonical that tests against all possible bits and pieces of the distro could be more secure?

do you typically ask your local baker to replace the brake pads of your car if they need replacement, or would you go to a car mechanic that does that as a day job and knows all possible (security) issues that could arise from that change …?

a distribution is like a clockwork, each part has an effect on other parts; if you change one gear, another gear might all of a sudden spin too fast or too slow … the overall functionality will change and parts that have not been designed for high revs will break because they were not designed for the speed they now run at …

if you see the hanging with an ubuntu kernel, please collect logs (from journalctl) while the issue happens (and while you run the ubuntu kernel)… (collect the logs from an ssh console from a second PC or some such or turn on persistent logging and grab the logs from the former occasion based on their timestamp etc etc).

since nobody else seems to see such behavior (we'd get a flood of bugs if this happened more often; there are millions and millions of snapd users out there for whom it obviously works fine) it might be that something else is mis-configured on your system that causes this, your system journal might reveal something here …
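The module-signing point raised above, as an added example that is not from this thread or from the snapd project: a POSIX shell audit of a kernel .config that reports whether module signatures are enforced and which trusted-key source is compiled in. The labels (enforced/optional/disabled), the helper names and the sample configs are my own assumptions; the live check reads /proc/config.gz or /boot/config-$(uname -r) only when one of them is readable.

```shell
#!/bin/sh
# Added example, not from the thread: audit module-signing options in a kernel
# .config. Labels (enforced/optional/disabled) and helper names are assumed.

# cfg_val NAME "<config text>": value after '=' with quotes stripped, or empty.
cfg_val() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"'
}

classify_module_signing() {
    sig=$(cfg_val CONFIG_MODULE_SIG "$1")
    force=$(cfg_val CONFIG_MODULE_SIG_FORCE "$1")
    if [ "$sig" != "y" ]; then
        echo disabled      # no signature check at all; any module loads
    elif [ "$force" = "y" ]; then
        echo enforced      # unsigned or badly signed modules are refused
    else
        # Signatures are checked but unsigned modules still load (kernel is
        # tainted); enforcement can still come from module.sig_enforce=1 on
        # the command line or from Secure Boot lockdown.
        echo optional
    fi
}

# Empty CONFIG_SYSTEM_TRUSTED_KEYS means no distro CA certificate is built in;
# CONFIG_MODULE_SIG_KEY then names the key used to sign the build's modules
# (generated at build time when it is the default certs/signing_key.pem).
trusted_keys_summary() {
    keys=$(cfg_val CONFIG_SYSTEM_TRUSTED_KEYS "$1")
    sigkey=$(cfg_val CONFIG_MODULE_SIG_KEY "$1")
    echo "trusted_keys=${keys:-<none>} sig_key=${sigkey:-<none>}"
}

# Constructed sample configs (not real Ubuntu or kernel.org configs).
SAMPLE_ENFORCED='CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"'
SAMPLE_OPTIONAL='CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"'

# Live check of the running kernel when its config is readable.
for f in /proc/config.gz "/boot/config-$(uname -r)"; do
    [ -r "$f" ] || continue
    case "$f" in *.gz) live=$(zcat "$f");; *) live=$(cat "$f");; esac
    echo "running kernel: $(classify_module_signing "$live"); $(trusted_keys_summary "$live")"
    [ -r /sys/module/module/parameters/sig_enforce ] &&
        echo "runtime sig_enforce: $(cat /sys/module/module/parameters/sig_enforce)"
    break
done
```

The runtime value in /sys/module/module/parameters/sig_enforce is the one that matters on a booted system, since a boot parameter or lockdown can turn an "optional" build into an enforcing one.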

Probably you are not aware of it, but the full sandboxing features of snap rely on some patches which are not yet included in the kernel on kernel.org.

So if you want to have the full isolation features of snap, you need to apply those patches (or simply use the ubuntu kernels which have them already applied).

yeah, I didn't particularly point these out since they would not actually cause a UI freeze, they only would result in dropped security of snap sandboxing after all …

the self built kernel and not using the ubuntu nvidia driver packages are way more serious here regarding the freezes …

but indeed these patches (among a few hundred others from the ubuntu kernel git tree) should be applied to have the kernel provide all bits required for full snapd sandboxing and all ubuntu security.