Sandboxing how secure is it?

What is the difference between the Flatpak sandbox and the Snap sandbox and is the Snap sandbox more secure as I hear it touted to be.

If the Snap sandbox is more secure, why?


Both Flatpak and Snap are popular packaging systems designed to distribute software across different Linux distributions, ensuring compatibility and consistent installation processes. Each uses sandboxing to provide a secure environment, isolating applications from the system and from each other. Here’s a comparison of their sandboxing approaches:

1. Sandboxing Technology

  • Flatpak:
    • Uses namespaces and seccomp (secure computing mode) for sandboxing, similar to container technologies like Docker.
    • Each Flatpak app runs in its own sandboxed environment, with limited access to system resources.
    • Applications can request access to certain parts of the system (like network or file access), but this is often managed through user prompts or predefined permissions.
  • Snap:
    • Uses AppArmor for application confinement, which allows it to define and enforce security profiles.
    • Snap packages are more integrated with the host system, which can mean more limited sandboxing compared to Flatpak.
    • Snap confinement comes in three levels: strict, classic, and devmode. “Strict” confinement provides the most isolation, while “classic” and “devmode” offer fewer restrictions, allowing access to the broader system.

2. Permissions and Access Controls

  • Flatpak:
    • Relies on Portals, a user-centered system that provides access to files, network, printing, and other system resources through an API.
    • By default, applications have limited access to the file system and other resources, though this can be expanded with user permission.
    • Flatpak permissions are highly configurable through tools like Flatseal, allowing users to adjust specific access controls for each app.
  • Snap:
    • Uses interfaces to control access to system resources, which are predefined and can be connected or disconnected by the user.
    • Interfaces control things like network, hardware, files, and even access to other Snap apps.
    • Snap’s “strict” confinement limits access significantly, while “classic” mode essentially removes most sandboxing, making the app function more like a traditional package.

3. Isolation from the Host System

  • Flatpak:
    • By default, applications are isolated from the underlying system and can only access resources through portals or permissions.
    • Flatpak apps are run with their own set of dependencies, isolated from the system, reducing dependency conflicts.
    • Applications are often distributed with a “runtime” (like GNOME or KDE), which helps to maintain isolation while providing necessary libraries.
  • Snap:
    • Snap packages are also isolated by default, but certain interface connections (such as “home” for home directory access) are often granted automatically.
    • Snap mounts each app in a squashfs filesystem and creates a loop device, but apps can still have more interaction with the system compared to Flatpak.
    • Snaps do not rely on separate runtimes like Flatpak, instead bundling dependencies directly into each package.

4. User Control and Customization

  • Flatpak:
    • Users have more granular control over the permissions through tools like Flatseal, making it easier to adjust what apps can access.
    • Portals provide a user-friendly approach to permissions, prompting users when apps request additional access.
  • Snap:
    • Users can manage Snap permissions through the command line or Snap Store GUI, but the options are generally less granular compared to Flatpak.
    • Snap provides less immediate transparency for sandboxing rules but does offer an interface-based permission model for broader control.

5. Performance Overheads

  • Flatpak:
    • Flatpak’s sandboxing can introduce performance overhead due to its use of multiple layers and runtimes, although this is usually minimal.
    • As Flatpak relies on a runtime-based approach, it can share libraries between apps, potentially reducing disk space usage and improving load times in specific scenarios.
  • Snap:
    • Snap can introduce a performance hit, particularly with larger applications, due to the mounting of each package as a loopback filesystem.
    • The performance impact may vary depending on the level of confinement and specific app demands, with “strict” confinement adding more security-related overhead.

6. Compatibility Across Distributions

  • Flatpak:
    • Designed for cross-distribution compatibility, Flatpak’s sandboxing is mostly independent of the underlying Linux distribution.
    • Flatpak apps tend to work similarly across different distributions due to the isolation provided by their runtimes.
  • Snap:
    • While Snap also aims for cross-distribution support, it is developed and maintained by Canonical, and its integration is best with Ubuntu.
    • Some distributions have limited Snap support or require extra setup, which can affect Snap’s adoption and consistency.

Summary

Feature             Flatpak                                     Snap
Sandboxing          Namespaces, seccomp, portals                AppArmor, interfaces
Permissions         Highly customizable, user-centric portals   Interfaces with preset configurations
Isolation           High, runtime-based                         Medium, relies on system dependencies
Customization       Granular control (e.g., Flatseal)           Interface-based permission control
Performance         Moderate overhead, runtime efficiency       Varies, potential overhead with loopback mounts
Cross-Distribution  Excellent, independent from host system     Best on Ubuntu, varies on other distributions

Both systems aim to provide secure and consistent application environments, with Flatpak focusing more on granular user control and compatibility, while Snap provides integration that aligns closely with Ubuntu’s ecosystem.


Is this an accurate comparison?

AI generated content?

Yes, because I had no better source of information. If I search online, all I get is biased propaganda that favors Flathub over Snapcraft, when I know that Flathub is the one with the less secure sandboxing system; most of the top search results act like Snapcraft doesn’t even have a sandbox, or if it does, it isn’t enabled by default like in Flathub.

Well, the AI generated content is biased because it’s trained on the bias. It’s claiming Flatpak does things and Snap doesn’t, e.g.:

The AI implies only Flatpak uses portals when both do. The AI implies only Flatpak uses namespaces or seccomp when both do. The AI brings up points not even relating to sandboxing such as the squashfs implementation details. The AI straight up lies.

Snaps do not rely on separate runtimes like Flatpak, instead bundling dependencies directly into each package.

Yes, we do. The base snap. The Gnome/Kde extensions. The Mesa snap. The Wine snap. Theme snaps. The list goes on.

If you want to ask specific questions, can you please ask them as a human and not a machine, because saying the internet is biased and then using something that inherently learns bias is kind of self-defeating. The majority of what it says is somewhat true but misses context, and enough of it is half-truths and some of it outright lies. It’s told you nothing better than you’d read on Reddit.

And by posting this AI garbage here, the AI will now bias itself even further as it learns on its own content.
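Added example, not written by anyone in this thread: a POSIX shell script that reads /proc for a given PID and reports the seccomp mode, the AppArmor label and which namespaces differ from a reference process, so the point that both snaps and flatpaks use namespaces and seccomp can be checked on a real sandboxed process instead of taken from a search result. It assumes a Linux /proc; the PID arguments and the helper function names are my own.

```shell
#!/bin/sh
# Inspect the confinement actually applied to a running process.
# Usage: sandbox_report PID [REFERENCE_PID]   (reference defaults to this shell)

# Map the "Seccomp:" field of /proc/PID/status to a readable mode name.
seccomp_mode_name() {           # $1 = full text of a status file
    mode=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "Seccomp:" { print $2 }')
    case "$mode" in
        0) echo "disabled" ;;   # no seccomp at all
        1) echo "strict" ;;     # only read/write/exit/sigreturn
        2) echo "filter" ;;     # BPF filter: what snapd and bwrap install
        *) echo "unknown" ;;
    esac
}

# Interpret the LSM label from /proc/PID/attr/current.
# Empty or "unconfined" means no AppArmor profile is applied.
apparmor_state() {              # $1 = text of attr/current (may be empty)
    label=$(printf '%s' "$1" | tr -d '\n')
    case "$label" in
        ""|unconfined)   echo "unconfined" ;;
        *" (enforce)")   echo "enforce" ;;
        *" (complain)")  echo "complain" ;;
        *)               echo "other" ;;
    esac
}

# Exit 0 if PIDs $1 and $2 are in different $3 namespaces, 1 if the same,
# 2 if either link is unreadable (needs the same user or root).
ns_differs() {
    a=$(readlink "/proc/$1/ns/$3" 2>/dev/null) || return 2
    b=$(readlink "/proc/$2/ns/$3" 2>/dev/null) || return 2
    [ "$a" != "$b" ]
}

sandbox_report() {
    pid=$1; ref=${2:-$$}
    printf 'PID %s (reference PID %s)\n' "$pid" "$ref"
    printf '  seccomp : %s\n' "$(seccomp_mode_name "$(cat "/proc/$pid/status")")"
    printf '  apparmor: %s\n' "$(apparmor_state "$(cat "/proc/$pid/attr/current" 2>/dev/null)")"
    for ns in mnt pid net user ipc uts; do
        rc=0; ns_differs "$pid" "$ref" "$ns" || rc=$?
        case $rc in
            0) state="separate" ;;
            1) state="shared with reference" ;;
            *) state="unreadable" ;;
        esac
        printf '  ns %-4s : %s\n' "$ns" "$state"
    done
}

sandbox_report "${1:-$$}"
```

Run it as the same user against the PID of a strictly confined snap and against a flatpak to see the two designs side by side: the snap should show a seccomp filter plus an enforcing AppArmor label, the flatpak a seccomp filter with separate namespaces but no AppArmor label.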

Is this an accurate comparison?

No and I can’t be bothered going through every point. In summary, I’d say the Snap sandbox is more secure where the OS has the patches or features required to enable it. On the other hand, I’d say the Flatpak sandbox is more portable albeit weaker. If you’re on a system where the snap sandboxing is barely functional, I’d say the Flatpak sandbox is better. If you’re on a system where the Snap sandbox is fully functional, I’d say the Snap sandbox is generally better.

In reality, both are still gonna get zero day exploits.


Potentially Flathub is partly taking lead through the propagation of misinformation and no one is out there defending the correct representation of Snapcraft against Flathub in the myriad of social media platforms.

Flathub is winning mostly due to the propagation of misinformation, taking advantage of the plasticity of the younger generation of Linux users and presenting itself as the “cooler option”, when in reality Flathub is a less professional outfit, potentially with less funding. Furthermore, I think in the long run Flathub poses a serious risk of harm to the greater Linux community if left to grow unchecked and without serious competition.

Snapcraft needs to pull alongside Flathub in the lead, or we will see Flathub take a monopoly over the Linux application distribution market, and this will only cause serious harm.

It is of vital importance that we defend Snapcraft adequately against the misinformation and propaganda disseminated via social media platforms.

As such it is important that those who are “in the know” and capable of writing correct comparisons between the technology do so, and that these are then appropriately disseminated across the social media platforms on the internet such as Reddit.

I don’t think people here see Flatpak as an enemy. People here actively help out with stuff like Portals which benefits both environments. If Flatpak outright dominates snap, then eventually someone will make a decision to throw in the towel and give up on it. Currently it’s nowhere near that situation.

I do think we have a PR problem, but I guarantee you lots of us have tried in various ways, and IMO, the way to demonstrate snapd is a viable platform is to actually release high quality snaps, of the kind that are so good, people don’t realise they’re a snap at all.

When comparing my own snaps vs the equivalents on Flathub, Flathub gets 10x the community interaction (bug reports, contributions, social media coverage).

And I get 5x the users, because in reality, generally the Flatpak equivalents and my own are about the same for all practical purposes. No one cares they’re running snaps if they work, only when they don’t, whereas people actively see it as a goal to use Flatpaks, which is cool; they’re not the enemy, and it’s a nice community with good tech (like ours!).

We can help ourselves out without having to feel like we have to take that away from others.

The individuals behind Flathub are operating in the manner that it’s “their way or the highway”; they believe that they can gatekeep the Linux application market. This is a dangerous precedent to take, this is a direct threat to the freedom of the Linux community, and if we allow them to form a monopoly we will lose a significant portion of our freedoms to them.

I’m going to stop responding on these points because I think I can speak for the community here in saying that we’re not making any accusations about what our friends over on the other side are up to. Especially when such criticism is the kind that people say against snap itself and probably more valid for us than them.

If you have any further questions on the sandboxing of snapd, please feel free to ask.

Are you aware of any outlets currently providing fair and unbiased comparisons that users who end up on this thread can go to for a comparison of the Sandboxing technology and various security aspects to make an informed decision between the two competing platforms?