Limit snap access to /home/user/snap

Is there any way to limit a snap to access only its folder inside /home/user/snap? Or at least, without being able to see outside this /home/user/snap folder?

I mean, in my case, snaps should not be able to access anything other than their own folder inside /home/user/snap. Or at least, they should be limited to see things only inside /home/user/snap folder.

I even tried something like:

sudo snap disconnect chromium:home core:home

But it is useless, as snaps continue to have access to everything inside /home/user.

A snap without the home interface is not supposed to be able to read any file in $HOME. If your snap can do that then you either found a bug, or your platform does not provide apparmor.

sounds pretty much like

is back …

Well, @lucyllewy

sudo aa-enabled
Yes

And

sudo aa-status
apparmor module is loaded.
52 profiles are loaded.
29 profiles are in enforce mode.
   /snap/core/5145/usr/lib/snapd/snap-confine
   /snap/core/5145/usr/lib/snapd/snap-confine//mount-namespace-capture-helper

(…)

sudo aa-status|grep snap
   /snap/core/5145/usr/lib/snapd/snap-confine
   /snap/core/5145/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/lib/snapd/snap-confine//snap_update_ns
   snap-update-ns.chromium
   snap-update-ns.core
   snap.chromium.chromium
   snap.core.hook.configure

Running on an up-to-date Debian Sid x64.

@ogra
Do not think so,

snap interfaces chromium
Slot                     Plug
:browser-support         chromium:browser-sandbox
:cups-control            chromium
:network                 chromium
:opengl                  chromium
:pulseaudio              chromium
:screen-inhibit-control  chromium
:unity7                  chromium
:upower-observe          chromium
:x11                     chromium
-                        chromium:camera
-                        chromium:desktop
-                        chromium:gsettings
-                        chromium:home
-                        chromium:mount-observe
-                        chromium:network-manager
-                        chromium:password-manager-service
-                        chromium:removable-media

Snaps can access anything, even when interfaces are removed… Not limited to Chromium, but here, Chromium can access everything, even if interfaces are disconnected.

I am not seeing that. Testing with the chromium snap, if I issue snap disconnect chromium:home and then run the snap, when trying to save a web page to disk I am unable to browse my home directory.

What makes you say that chromium can still access the home directory?

Open and write any file inside my /home/user directory.

Debian doesn’t yet support strict mode snaps. E.g.:

$ snap version
snap    2.34.3
snapd   2.34.3
series  16
debian  -
kernel  4.17.0-1-amd64

$ snap debug sandbox-features|grep confinement
confinement-options:  classic devmode
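
The check discussed in this thread, as an added example that is not part of any post: it reads the output of `snap debug sandbox-features` and `snap interfaces <snap>` and reports whether a disconnected `home` plug is actually enforced. The function names are hypothetical, and it assumes, per the reply above, that a host without `strict` in `confinement-options` does not enforce interface disconnection.

```sh
#!/bin/sh
# Added example (not from the thread). Inputs are the text printed by
# `snap debug sandbox-features` and `snap interfaces <snap>`.

# Succeeds only if "strict" appears on the confinement-options line (stdin).
strict_supported() {
    awk '$1 == "confinement-options:" { for (i = 2; i <= NF; i++) if ($i == "strict") ok = 1 }
         END { exit !ok }'
}

# plug_state PLUG: reads `snap interfaces` output on stdin and prints
# connected, disconnected or absent. A bare snap name in the Plug column
# means the plug is named after the slot (":network  chromium").
plug_state() {
    awk -v want="$1" '
        NR == 1 { next }                      # skip the "Slot  Plug" header
        {
            name = ($2 ~ /:/) ? $2 : $1       # take the plug name, else the slot name
            sub(/^[^:]*:/, "", name)          # drop the "snap:" or ":" prefix
            if (name == want) state = ($1 == "-") ? "disconnected" : "connected"
        }
        END { if (state == "") state = "absent"; print state }'
}

# home_verdict FEATURES INTERFACES: combine both checks for the home plug.
home_verdict() {
    state=$(printf '%s\n' "$2" | plug_state home)
    if ! printf '%s\n' "$1" | strict_supported; then
        echo "home $state, but NOT enforced: strict confinement unavailable"
    elif [ "$state" = connected ]; then
        echo "home connected: access to files in \$HOME is granted"
    else
        echo "home $state and enforced"
    fi
}

# Sample inputs copied from the outputs posted in this thread (abridged).
FEATURES='confinement-options:  classic devmode'
INTERFACES='Slot                     Plug
:browser-support         chromium:browser-sandbox
:network                 chromium
-                        chromium:home
-                        chromium:removable-media'

home_verdict "$FEATURES" "$INTERFACES"
```

On a live system the same functions can be fed directly, for example `snap debug sandbox-features | strict_supported`.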

Where does the limitation come from? The Linux kernel or the Debian snapd package?