Polkadot Snap: Landlock syscall fails inside confinement

snap
1

We’re currently packaging the Polkadot binary as a Snap to make it easier for operators to install and maintain.

When testing validator mode inside the Snap, we’ve hit a blocker: Polkadot attempts to enable extra process isolation via Linux Landlock, but the landlock_restrict_self syscall fails in the Snap environment. This happens because Snaps are already confined by AppArmor and seccomp, which makes Landlock unavailable.

Our concern is that this forces users to run with the flag:

--insecure-validator-i-know-what-i-do

which weakens security guarantees.

Questions for the Snap team:

  • Is there any way to expose Landlock capabilities within a Snap, or have the Snap confinement recognized as an equivalent?
  • If direct Landlock support isn’t possible, what’s the recommended approach to package Polkadot securely as a Snap without relying on the insecure validator flag?
  • Would it make sense to handle this at the Snap level (e.g., through an interface, confinement tweak, or guidance on security model alignment)?

Our goal is to ship a secure, confined Snap for Polkadot validators without compromising on safety. Any advice or suggested next steps from the Snap side would be very helpful.

Thanks!

2

Indeed, Snap should allow the three Landlock syscalls the same way it should also allow the seccomp syscall. FYI, most container runtimes were updated with similar changes.

Snap supporting Landlock would also be beneficial for other packaged apps like Polkadot that already leverage Landlock (when available).

3

I created a PR: interfaces/seccomp/template: allow landlock_* in default template by l0kod · Pull Request #15928 · canonical/snapd · GitHub

Could you please test this change and reply on GitHub?

3 Likes
4

Probably a winner on quickest turnaround of viable PR’s I’ve seen here.

In context of the patch above, and early review looking positive, the answer really is “wait”, but the specifics are, you’d need a newer version of snapd, which means it might be worth adding to an assumes: stanza in your snapcraft.yaml, once it’s in a stable release.

5

Sure, I have tested and it works as expected. I will be adding this comment to the github PR

Thanks

1 Like