When new technology or ideas are looking for wide adoption, it’s imperative that development teams take a holistic approach to supporting the widest number of use cases, and not partake in a distribution war that only takes Linux distributions further down the path of vendor lock-in. The intent of Linux has always been an open-standards approach.
Take for instance the confinement case of snapd. Instead of using an open-standard approach to security confinement based on the customer’s choice, it is locked in to your distro of choice. While some may wish to debate the confinement choice of selinux vs apparmor (and that would be wrong because you cannot compare an approach based on security science with a formal mathematical model vs one based on pseudo-science and security theater), this should be a choice and not hard-coded. That only reduces the likelihood of snap adoption. The confinement choice is binary - you only run one or the other, and that should be a developer decision.
- modify autogen.sh, rules, control, and the snapd.install file to identify the library installed as the configure option, not the distro; i.e. “if libselinux, then --enable-static-libselinux”, “if libapparmor, then --enable-static-libapparmor”. We have tested this on Ubuntu 20.04 with selinux in enforced mode and all unit tests pass.
- fix all unsquashfs in snapd/tests and squashfs.go files to use “unsquashfs -u” so that snapd can be compiled with user-xattrs support and you don’t have to compile as root (I don’t think I have to discuss why that is not a good approach). We have tested this on Ubuntu 20.04 with selinux in enforced mode and all unit tests pass.
- Include the snappy selinux policy in the standard selinux refpolicy. There is no reason why this should only be available in the fedora policy making it a RHEL/Fedora only option.
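As an added illustration of the first proposal (this is example code, not snapd’s own autogen.sh or packaging), the following POSIX shell picks the configure flag from which confinement library is actually installed rather than from the distro name. It assumes the libraries are discoverable through pkg-config under the names libselinux and libapparmor; the flag names are the ones quoted above.

```shell
#!/bin/sh
# Example only, not part of snapd: choose the confinement backend from the
# library that is present on the build host, never from the distro name.
# Assumption: libselinux / libapparmor register .pc files with pkg-config.

# has_lib NAME -> succeeds when pkg-config knows the library.
has_lib() {
    command -v pkg-config >/dev/null 2>&1 && pkg-config --exists "$1"
}

# confinement_flag SELINUX(yes|no) APPARMOR(yes|no) -> prints the configure flag.
# Takes yes/no so the mapping can be exercised on a host without either library.
# The choice is binary: exactly one backend is selected. If both libraries are
# installed we refuse to guess, so the packager has to decide explicitly.
confinement_flag() {
    selinux="$1"
    apparmor="$2"
    if [ "$selinux" = yes ] && [ "$apparmor" = yes ]; then
        echo "error: both libselinux and libapparmor found; choose one backend explicitly" >&2
        return 2
    elif [ "$selinux" = yes ]; then
        echo "--enable-static-libselinux"
    elif [ "$apparmor" = yes ]; then
        echo "--enable-static-libapparmor"
    else
        echo "error: neither libselinux nor libapparmor found" >&2
        return 1
    fi
}

# detect_flag -> probes the build host and prints the matching configure flag.
detect_flag() {
    sel=no
    aa=no
    has_lib libselinux && sel=yes
    has_lib libapparmor && aa=yes
    confinement_flag "$sel" "$aa"
}

# Typical use from a wrapper around ./configure:
#   ./configure $(detect_flag)
```

The same yes/no mapping can be dropped into debian/rules as a shell fragment, so the distro name never appears in the decision.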
Let’s focus on democratizing sound security confinement capabilities and end the madness of vendor lock-in with new technology. This only helps the Linux cause, instead of giving yet another argument for the closed source pundits to use against the community.