jdstrand:
Commands from classic snaps do not run under the ‘unconfined’ security label, they run under their own snap-specific security labels (e.g., ‘snap.subiquity.subiquity’) with policy that is ‘effectively unconfined’. As such, with this call stack the policy transitions are unconfined -> snap-confine -> snap.subiquity.subiquity-service -> snap-confine -> snap.subiquity.subiquity. Since we are going from a !unconfined to a differently-!unconfined security label when passing the fd, file_inherit is triggered.
Yes, I understand all that; what I don’t understand is why it’s designed that way, i.e. why file_inherit triggers in this situation and not on unconfined → confined.