Snap network confinement under WSL2

I created a UDP server on a Windows PC, and a client on my Ubuntu in the form of a snap (stable, strict, no interface declaration in the snapcraft.yaml):

```yaml
name: udpclient # you probably want to 'snapcraft register '
base: core20 # the base snap is the execution environment for this snap
version: '0.1' # just for humans, typically '1.2+git' or '1.3.2'
summary: Single-line elevator pitch for your amazing snap # 79 char long summary
description: |
  This is my-snap's description.

grade: stable # must be 'stable' to release into candidate/stable channels
confinement: strict # use 'strict' once you have the right plugs and slots

apps:
  udpclient:
    command: udpclient

parts:
  udpclient:
    plugin: dump
    source: ./bin
```

According to the snap strict confinement rule, what I understand is that the connection is not supposed to be working; however, the connection is unexpectedly working.
Then I tried the other way around, Windows client, Ubuntu server: still working.

Can anyone give me a hint on this? I think the connection should not be established, since the network interface is not declared in the snapcraft.yaml. Running environment: Windows 10, and Ubuntu 20.04 running in WSL2. UDP is on the local network (192.168.x.x).

The kernel provided by Microsoft by default for WSL2 does not include enough AppArmor support for Snap confinement to be operational. Therefore, any confinement rules are unenforced unless you change your kernel for one with the appropriate bits enabled.

Hi Diddledani, does this one https://github.com/diddlesnaps/WSL2-Linux-Kernel/tree/snapd-support enable AppArmor?

Yes, it does. Download it from the releases page: https://github.com/diddlesnaps/WSL2-Linux-Kernel/releases/latest

Hi Diddledani, thank you for your reply. I switched the kernel; however, it seems that AppArmor does not start correctly. `systemctl status apparmor.service` shows:

```
apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Mon 2022-09-26 10:03:37 CST; 7min ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/

Sep 26 10:03:37 C21793 systemd[1]: Condition check resulted in Load AppArmor profiles being skipped.
```

Therefore, the snap confinement still does not work.

Correct. There are a few things that need to be exactly right that aren’t set up by the Microsoft boot up. You need to mount securityfs and then restart apparmor followed by snapd:

sudo mount -t securityfs securityfs /sys/kernel/security
sudo systemctl restart apparmor.service
sudo systemctl restart snapd.service

(This is from memory because I’m not at my computer right now so the service names might be incorrect)
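As an added example (not code from the thread or from snapd), the script below applies the three steps from the answer above and then verifies that confinement is really in effect, rather than trusting that the services restarted. It checks the kernel's AppArmor flag in `/sys/module/apparmor/parameters/enabled`, whether securityfs is mounted, what `snap debug confinement` reports (`strict`, `partial` or `none`), and finally the AppArmor label the app actually runs under by reading `/proc/self/attr/current` from a shell inside the sandbox. The service names `apparmor.service` and `snapd.service` are the standard Ubuntu unit names; the snap name `udpclient` is taken from the poster's snapcraft.yaml and is assumed to be installed. Run it with sudo on the WSL2 instance.

```shell
#!/bin/sh
# Added example: check whether snap strict confinement is enforced on WSL2.
# Not part of the original thread. Assumes Ubuntu unit names apparmor.service
# and snapd.service, and a snap called "udpclient" (from the poster's yaml).

SNAP_APP=${1:-udpclient}

# Kernel-level check: the file reads "Y" only when the running kernel was
# built with AppArmor and it is active (the stock WSL2 kernel lacks this).
apparmor_kernel_enabled() {
    [ -r /sys/module/apparmor/parameters/enabled ] &&
        [ "$(cat /sys/module/apparmor/parameters/enabled)" = "Y" ]
}

# securityfs must be mounted for apparmor_parser to load any profile.
securityfs_mounted() {
    grep -q ' /sys/kernel/security securityfs ' /proc/mounts 2>/dev/null
}

# The fix from the answer above: mount securityfs if it is missing, then
# restart AppArmor and snapd so snapd re-detects the sandbox features.
apply_fix() {
    securityfs_mounted || mount -t securityfs securityfs /sys/kernel/security || return 1
    systemctl restart apparmor.service || return 1
    systemctl restart snapd.service || return 1
}

# Classify a label as read from /proc/self/attr/current inside the sandbox.
# "unconfined" means no profile is applied at all; "(enforce)" means the
# snap profile is active; "(complain)" means violations are only logged.
classify_label() {
    case "$1" in
        unconfined) echo unconfined ;;
        *"(enforce)") echo enforce ;;
        *"(complain)") echo complain ;;
        *) echo unknown ;;
    esac
}

# Combine the observations: confinement only counts as enforced when the
# kernel flag is Y, securityfs is mounted and snapd itself reports strict.
verdict() {
    kernel=$1; fs=$2; snapd_mode=$3
    if [ "$kernel" = Y ] && [ "$fs" = mounted ] && [ "$snapd_mode" = strict ]; then
        echo enforced
    else
        echo unenforced
    fi
}

main() {
    if apparmor_kernel_enabled; then k=Y; else k=N; fi
    if securityfs_mounted; then fs=mounted; else fs=missing; fi
    mode=$(snap debug confinement 2>/dev/null || echo none)
    echo "apparmor kernel support: $k"
    echo "securityfs mounted:      $fs"
    echo "snapd confinement mode:  $mode"
    echo "verdict:                 $(verdict "$k" "$fs" "$mode")"
    # Observe the label the app really runs under by reading it from a
    # shell started inside the snap's sandbox (stdin feeds the command).
    if snap list "$SNAP_APP" >/dev/null 2>&1; then
        label=$(echo 'cat /proc/self/attr/current' | snap run --shell "$SNAP_APP" 2>/dev/null || echo unknown)
        echo "label inside snap:       $label -> $(classify_label "$label")"
    fi
}

main "$@"
```

If the verdict is `unenforced` after running `apply_fix`, the kernel is still the one without AppArmor support; with the snapd-support kernel and securityfs mounted, the label inside the snap should read `snap.udpclient.udpclient (enforce)`, and the UDP traffic from an app with no `network` plug should then be denied and logged by AppArmor.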