Snap confinement issue

Hello all

snap disconnect chromium:network does not work in Debian 9.12 for me.

snap --version

snap 2.44.1
snapd 2.44.1
series 16
debian 9
kernel 4.9.0-12-amd64

AppArmor error message:

kernel: audit: type=1400 audit(1586408374.371:19): apparmor="DENIED" operation="capable" profile="/snap/core/8935/usr/lib/snapd/snap-confine" pid=1151 comm="snap-confine" capability=4  capname="fsetid"

while snap connections chromium shows it is not connected:

Interface               Plug                     Slot                            Notes
audio-playback          chromium:audio-playback  :audio-playback                 -
audio-record            chromium:audio-record    :audio-record                   -
browser-support         chromium:browser-sandbox :browser-support                -
camera                  chromium:camera          :camera                         -
content[gtk-3-themes]   chromium:gtk-3-themes    gtk-common-themes:gtk-3-themes  -
content[icon-themes]    chromium:icon-themes     gtk-common-themes:icon-themes   -
content[sound-themes]   chromium:sound-themes    gtk-common-themes:sound-themes  -
cups-control            chromium:cups-control    :cups-control                   -
desktop                 chromium:desktop         :desktop                        -
gsettings               chromium:gsettings       :gsettings                      -
home                    chromium:home            :home                           -
joystick                chromium:joystick        :joystick                       -
mount-observe           chromium:mount-observe   -                               -
mpris                   -                        chromium:mpris                  -
network                 chromium:network         -                               -
network-bind            chromium:network-bind    -                               -
network-manager         chromium:network-manager -                               -
opengl                  chromium:opengl          :opengl

Does snap debug confinement output strict? If it says anything else, then you are running in a mode that cannot run fully confined. This means that apps will be able to break out, because the sandbox is weaker than it should be.

Thanks for the reply.
How can I change the confinement mode to strict?

Note, this is unrelated and can be ignored.

The Debian kernel does not have the two patchsets required for strict mode snaps: network compat and unix rules. If you used a patched kernel with these, you should have strict mode.

I replaced Debian's chromium AppArmor profile at /var/lib/snapd/apparmor/profiles/ with Ubuntu's, and network got disabled as expected.

The issue is that in Debian the AppArmor profile does not get automatically modified when you do snap disconnect chromium:network, whereas in Ubuntu it does.

The issue seems to be with snapd's implementation in Debian rather than a kernel issue.
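The two checks discussed in this thread (is the confinement mode strict, and does the generated AppArmor profile actually reflect a disconnected network plug) as a small POSIX sh script. This is an added example, not code posted by anyone in the thread or shipped by snapd. It runs offline against constructed stand-ins for the output of snap debug confinement, snap connections chromium and the chromium profile; on a real Debian host, replace those strings with the real command output and the contents of the chromium profile under /var/lib/snapd/apparmor/profiles/. It assumes that snapd's network interface appears in the profile as "network inet," and "network inet6," rules; that is an assumption made here, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Checks confinement mode and whether the
# AppArmor profile agrees with the plug state shown by `snap connections`.

# Constructed stand-in for the output of `snap debug confinement`
# (the real command prints one word: strict, partial or none).
CONFINEMENT_OUTPUT="partial"

# Constructed stand-in for `snap connections chromium`, trimmed to a few rows.
CONNECTIONS_OUTPUT='Interface         Plug                   Slot            Notes
home              chromium:home          :home           -
network           chromium:network       -               -
network-bind      chromium:network-bind  -               -
opengl            chromium:opengl        :opengl         -'

# Constructed stand-in for the snapd-generated profile. The rule names are an
# assumption about how the network interface is rendered, not taken from the thread.
PROFILE_OUTPUT='  # snippet for network interface (assumed form)
  network inet,
  network inet6,
'

# Prints a one-line verdict for the confinement mode string.
confinement_status() {
  case "$1" in
    strict) echo "strict: snaps can be fully confined" ;;
    *)      echo "$1: not strict, the sandbox is weaker than it should be" ;;
  esac
}

# Prints the plugs whose Slot column is "-", i.e. plugs that are not connected.
# Skips the header row; awk splits on whitespace so the Notes column is ignored.
disconnected_plugs() {
  printf '%s\n' "$1" | awk 'NR > 1 && $3 == "-" { print $2 }'
}

# Prints yes if the profile text still contains network inet/inet6 rules.
profile_grants_network() {
  if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*network[[:space:]]+inet6?,'; then
    echo yes
  else
    echo no
  fi
}

# Cross-checks the chromium:network plug state against the profile and reports
# the Debian symptom from the thread: plug disconnected, profile unchanged.
check_network_plug() {
  if disconnected_plugs "$1" | grep -qx 'chromium:network'; then
    plug_state=disconnected
  else
    plug_state=connected
  fi
  grants=$(profile_grants_network "$2")
  case "$plug_state:$grants" in
    disconnected:yes) echo "mismatch: chromium:network disconnected but profile still grants network" ;;
    connected:no)     echo "mismatch: chromium:network connected but profile grants no network" ;;
    *)                echo "consistent: plug $plug_state, profile grants network: $grants" ;;
  esac
}

# Stand-alone run against the constructed inputs.
confinement_status "$CONFINEMENT_OUTPUT"
echo "disconnected plugs:"
disconnected_plugs "$CONNECTIONS_OUTPUT"
check_network_plug "$CONNECTIONS_OUTPUT" "$PROFILE_OUTPUT"
```

On a live system, a profile that still grants network after the disconnect, as the mismatch line reports, matches what was described above for Debian; after replacing the profile with one regenerated by a working snapd, the same check should print the consistent line instead.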