Manjaro has strict confinement out of the box; I just checked this in a VM:
$ snap debug confinement
strict
$ snap debug sandbox-features
apparmor: kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options: classic devmode strict
dbus: mediated-bus-access
kmod: mediated-modprobe
mount: freezer-cgroup-v1 layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev: device-cgroup-v1 device-filtering tagging
I thought Solus had strict confinement too, but I don’t have a VM to check this. Ubuntu derivatives should also have strict confinement, but I’m guessing this is not what you mean.
@jdstrand posted a great summary of what is needed at the moment:
There are two pieces of AppArmor that need special attention by the distribution in order to support strict confinement in snaps: AF_UNIX and networking. An additional patch is needed to the kernel to mediate AF_UNIX and the AppArmor developers are working to upstream this (there is an intersection with LSM stacking that has delayed its progress, but it will happen).
For networking, either the distribution needs to patch their kernel for the ‘network compat’ patch, or the distribution needs to have a new enough upstream kernel with AppArmor’s ‘networkv8’ along with the AppArmor 3 userspace (which is currently in beta but not released yet).
For the second one, we just need to wait until every distro gets the latest AppArmor. The first one isn’t upstreamed yet, @jdstrand explained why:
As outlined in my previous response, there is only one piece missing from the upstream kernel: AF_UNIX mediation support. Upstreaming that has not stopped, but has been complicated by its intersection with LSM stacking, which is also important because when fully realized in the upstream kernel will allow strict mode snaps everywhere, including enforcing SELinux systems.
LSM stacking is a long way off, but AF_UNIX support might come sooner:
Do note that AF_UNIX mediation in AppArmor does not strictly depend on LSM stacking landing, but many of the remaining questions wrt LSM stacking deal with the network stack which affects AF_UNIX. It is theoretically possible to land AF_UNIX ahead of LSM stacking, but we’d like to at least have many of the LSM stacking network questions answered (even if not committed) before submitting it since we would not want to redo the patchset later (or have it NAKd out of hand if it were deemed incompatible with a future LSM stacking feature).
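As an added example (not code from this post or from snapd), the script below parses `snap debug sandbox-features` output like the one quoted above and reports whether the AppArmor and seccomp features the thread describes as needed for strict confinement are present. The `strict-full` / `strict-partial` / `no-strict` labels and the feature checks are a simplified heuristic written for this example, not snapd's own logic; the sample text is constructed from the values shown in the post.

```shell
#!/bin/sh
# Added example: classify a host's snap sandbox from `snap debug sandbox-features`.
# The classification is a simplified heuristic, not snapd's internal decision.

# Constructed sample, built from the feature lines quoted in the post.
SAMPLE_FEATURES='apparmor: kernel:caps kernel:dbus kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:full
confinement-options: classic devmode strict
dbus: mediated-bus-access
seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process'

# has_feature <features-text> <backend> <token>
# Succeeds when the "<backend>:" line lists <token> as a whole word.
has_feature() {
    printf '%s\n' "$1" | grep "^$2:" | tr ' ' '\n' | grep -qx "$3"
}

# classify_sandbox <features-text>
# Prints no-strict      : snapd does not offer strict confinement at all
#        strict-partial : strict is offered, but AppArmor network mediation
#                         (networkv8) or seccomp argument filtering is missing
#        strict-full    : the features discussed in the thread are all present
classify_sandbox() {
    if ! has_feature "$1" confinement-options strict; then
        echo no-strict
        return
    fi
    if has_feature "$1" apparmor support-level:full \
        && has_feature "$1" apparmor kernel:network_v8 \
        && has_feature "$1" seccomp bpf-argument-filtering; then
        echo strict-full
    else
        echo strict-partial
    fi
}

# Show the verdict for the constructed sample, and for this host if snapd exists.
echo "sample -> $(classify_sandbox "$SAMPLE_FEATURES")"
if command -v snap >/dev/null 2>&1; then
    live=$(snap debug sandbox-features 2>/dev/null || true)
    if [ -n "$live" ]; then
        echo "this host -> $(classify_sandbox "$live")"
    fi
fi
```

Note that this only inspects what snapd advertises; the AF_UNIX mediation patch discussed in the thread is not exposed as a separate feature token, so the script cannot detect it.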