Hi folks,
So I’ve been attempting to stay away from snap for a while now, but it appears this is getting less possible, with the major browsers such as Firefox and Chrome, as well as others such as Skype and VS Code, moving to effectively force snap usage.
With that in mind, I figured it would be worthwhile to discuss the primary concern I have with the snap architecture, and that is specifically security. Having looked into how snap works, under the hood it’s a lot of AppArmor and seccomp rules. I can certainly appreciate having those, but the problem is that at the end of the day, when you install a snap, you have no idea what the author has chosen to enable for themselves. You can choose to do a snap connections check prior to running, but even then it’s largely out of your hands.
One fun example is that Spotify has the “home” interface. In fact, it appears basically everything I’ve downloaded has that. As someone who values privacy and security, I would certainly prefer the applications not having access to my home directory. In the case of Spotify, I disconnected home manually and everything appears to still run just fine. So far as I can tell, mounting and exposing your home directory to Spotify is superfluous and simply opens another attack vector.
Now let’s say I simply manually remove the home connection from all the snaps I download. OK, manual, but we’re good, right? Not so fast! The rules that are being run on my behalf for AppArmor and seccomp are out of my control and subject to change without me having any clue. For instance, there was a “temporary” change to the browser AppArmor rules back in 2022 to allow everyone who utilizes the browser rules read/write access to the jupyter folder (https://github.com/snapcore/snapd/pull/11824). That rule is still active today; it was written to solve a specific problem but deployed to affect everyone. Unless I manually review all AppArmor and seccomp rules, I’ll have no idea what’s going on.
I personally believe there needs to be some sort of “security” or “paranoid” mode. Basically, a way for the end user to be assured that their specific requirements are being followed, above any for the app. Likely this would be in the form of a blanket default paranoid mode, and a custom one where the end user can specify whatever they want to preempt the existing rules for the snap. Will this break some snaps? Absolutely. That’s on the end user, though. If they want to apply custom or paranoid rules, they will take the responsibility for having it potentially break the things they’re trying to run. Something like snap install whatever --paranoid [profile].
I’ve had many discussions with others who have the exact same concern. My hope is that updates specific to the user’s ability to control security will open the door for broader use of this technology.
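The manual workflow the post describes (check what is connected, disconnect home, then go looking in the generated AppArmor rules for things like the jupyter path) can at least be scripted so it is repeatable after every refresh. The script below is an added example and is not code from the original post or from the snapd project. It assumes that `snap connections <snap>` prints a header row followed by whitespace-separated columns "Interface Plug Slot Notes" with the Slot shown as "-" for a disconnected plug, and that snapd writes its AppArmor profiles to /var/lib/snapd/apparmor/profiles/snap.<snap>.<app>. The sample connection table and profile fragment embedded in it are constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original post). Audits which snap plugs are
# connected to a given interface, emits dry-run `snap disconnect` commands,
# and greps snapd-generated AppArmor profiles for a path fragment.
#
# Assumptions: `snap connections <snap>` prints a header line followed by
# whitespace-separated columns "Interface Plug Slot Notes", with Slot shown
# as "-" for a disconnected plug; snapd writes its AppArmor profiles to
# /var/lib/snapd/apparmor/profiles/snap.<snap>.<app>.

# Print the plugs that are connected to interface $1 (table on stdin).
connected_plugs_for() {
    awk -v iface="$1" 'NR > 1 && $1 == iface && $3 != "-" { print $2 }'
}

# Turn the connected plugs for interface $1 into `snap disconnect` commands.
# Nothing is executed here; review the output, then pipe it to `sudo sh`.
disconnect_commands_for() {
    connected_plugs_for "$1" | sed 's/^/snap disconnect /'
}

# Print the non-comment rules in an AppArmor profile (stdin) that mention $1.
profile_rules_matching() {
    grep -v '^[[:space:]]*#' | grep -i -- "$1" || true
}

# Constructed sample in the `snap connections spotify` layout; the plug set
# is illustrative, so check a real system with `snap connections`.
SAMPLE_CONNECTIONS='Interface        Plug                      Slot              Notes
browser-support  spotify:browser-support   :browser-support  -
home             spotify:home              :home             -
network          spotify:network           :network          -
removable-media  spotify:removable-media   -                 -'

# Constructed profile fragment in AppArmor syntax (not a real snapd profile).
SAMPLE_PROFILE='# constructed fragment for illustration
owner @{HOME}/** rwklix,
owner @{HOME}/.local/share/jupyter/** rw,
/usr/share/fonts/** r,'

# Audit a real snap on this machine (needs snapd; profiles may need sudo to read).
live_audit() {
    name="$1"
    pattern="$2"
    echo "== plugs of $name connected to 'home' =="
    snap connections "$name" | connected_plugs_for home
    echo "== dry-run disconnect commands =="
    snap connections "$name" | disconnect_commands_for home
    echo "== rules mentioning '$pattern' in snapd-generated AppArmor profiles =="
    for p in /var/lib/snapd/apparmor/profiles/snap."$name".*; do
        [ -f "$p" ] || continue
        echo "-- $p"
        profile_rules_matching "$pattern" < "$p"
    done
}

# Usage: sh snap_audit.sh <snap-name> [pattern]
# With no arguments the script runs against the constructed samples above.
if [ $# -gt 0 ]; then
    live_audit "$1" "${2:-jupyter}"
else
    echo "== sample: plugs connected to 'home' =="
    printf '%s\n' "$SAMPLE_CONNECTIONS" | connected_plugs_for home
    echo "== sample: dry-run disconnect commands =="
    printf '%s\n' "$SAMPLE_CONNECTIONS" | disconnect_commands_for home
    echo "== sample: rules mentioning 'jupyter' =="
    printf '%s\n' "$SAMPLE_PROFILE" | profile_rules_matching jupyter
fi
```

The same parsing works on the output of a bare `snap connections` (every snap at once), since the Plug column there is also `snapname:plugname`, so `snap connections | connected_plugs_for home` gives the full list of snaps that currently see your home directory. Re-run the audit after `snap refresh`: the point of the post is that the generated rules can change underneath you, so the grep over the profiles is the part worth putting in a cron job or a shell alias. The seccomp filter source is assumed to live beside the AppArmor profiles at /var/lib/snapd/seccomp/bpf/snap.<snap>.<app>.src and can be grepped for syscall names with the same `profile_rules_matching` function.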