Security/Paranoid mode

Hi folks,

So I’ve been attempting to stay away from snap for a while now, but it appears this is getting less possible with the major browsers such as firefox and chrome, as well as others such as skype and vscode moving to effectively force snap usage.

With that in mind, I figured it would be worthwhile to discuss the primary concern I have with this snap architecture, and that is specifically security. Having looked into how snap works, under the hood it’s a lot of apparmor and seccomp rules. I can certainly appreciate having those, but the problem lies that at the end of the day when you install a snap, you have no idea what the author has chosen to enable for themselves. You can choose to do a snap connections check prior to running, but even then it’s largely out of your hands.

One fun example is that spotify has the “home” interface. In fact, it appears basically everything I’ve downloaded has that. As someone who values privacy and security, i would certainly prefer the applications not having access to my home directory. In the case of spotify, i disconnected home manually and everything appears to still run just fine. So far as I can tell, home mounting and exposing your home directory spotify is superfluous and simply opens another attack vector.

Now let’s say I simply manually remove home connection from all the snaps i download. Ok, manual, but we’re good right? Not so fast! The rules that are being run on my behalf for apparmor and seccomp are out of my control and subject to change without me having any clue. For instance, there was a “temporary” change to the browser apparmor rules back in 2022 to allow everyone who utilizes the browser rules read write access to the jupyter folder (https://github.com/snapcore/snapd/pull/11824). That rule is still active today and was written to solve a specific problem but deployed to effect everyone. Unless I manually review all apparmor and secomp rules, I’ll have no idea what’s going on.

I personally believe there needs to be some sort of “security” or “paranoid” mode. Basically, a way for the end user to be ensured that their specific requirements are being followed, above any for the app. Likely this would be in the form of a blanket default paranoid mode, and a custom one where the end use can specify whatever they want to preempt the existing rules for the snap. Will this break some snaps? Absolutely. That’s on the end user though. If they want to apply custom or paranoid rules, they will take the responsibility for having it potentially break the things they’re trying to run. Something like snap install whatever --paranoid [profile].

I’ve had many discussions with others who have the exact same concern. My hope is that updates specific to the user’s ability to control security will open the door for broader use of this technology.

For what it’s worth, the snap developer doesn’t decide what interfaces automatically connect, snapd does that locally and accepts overrides when those overrides have been generated by Canonical via what’s usually a public vote process from the review team on these forums, which is enforced by a public/private key signature that can’t be spoofed.

home doesn’t need an override as snapd considers it eligible for autoconnection. For the Jupyter issue above, the line is in the segment of the code that relies upon having opted into the more highly privileged section of the interface, and distributing a snap with that permission defined will instantly trigger a store review and block until permission is granted by the public voting process.

Explicitly then, me as random snapper James, cannot upload a snap that can access your Jupyter notebook without asking for permission from the reviewers, who are keen on pushing back and saying no to requests. That specific browser-support interface is known to be extremely compromising to the sandbox if given to untrusted people and I imagine there’s less than 10 snaps that have it in its full capacity.

I do think the idea of a paranoid mode that disables everything has merit, but hopefully it’s helpful knowing it’s not as simple as a snap developer being able to use an interface unconditionally. The vast majority of interfaces require store approval or user approval. In some cases, some permissions will be set up to require store and user approval, I.E, a reviewer must accept that you have a legitimate use case for that interface to be distributed but still demand the end user opts into it.

For Spotify, I imagine the home access is to access ~/Music and similar, Spotify can be used entirely online for music streaming, but it does still have local music playback functionality, and while the XDG Desktop Portals could probably work around this, their ability to access folders as opposed to individual files didn’t even exist until Ubuntu 22.04, whereas the Spotify snap itself is far older, and not everyone is running recent distributions yet.

I do still agree your idea has merit, but hopefully things aren’t as dire as they seem at first glance. The home interface specifically shields against access to e.g ~/.config, ~/.ssh, etc, so even though the interface is still giving a lot of access, it’s still significantly cutoff and doesn’t include all of $HOME.

James,

Appreciate the thoughtful response. Totally get the team reviewing who needs access to what. I personally tend to operate under the “trust no one” approach. While mostly impossible, you can still limit where you trust and what you trust. For reference, this is why I love running things in docker/incus and have built a ton of tooling around it. It provides me with a way to utilize name spaces I choose, seccomp I choose, explicit volume mounting of my own choosing, etc. At that point, I can then rely on whatever the application is to do what it needs to.

I admit I’m more of a power user than most when it comes to that stuff, but it provides peace of mind that no matter what updates someone puts on the code they’re using, it won’t be able to go around the baseline environment I setup for it.

Hi! Do you have that tooling published somewhere?

Thanks!

Hey! Not really, I basically have a custom desktop setup I created which includes a bunch of that. That said, it’s not terribly complicated. Mostly just involves ensuring to volume mount in things like x11 and whatever dbus or device is needed.