Updates to snapd package on Arch

I am curious about sandboxing.
As far as I know, sandboxing is done by AppArmor, and AppArmor isn't enabled in the mainline kernel provided by Arch Linux.
So does that mean the snap apps aren't in a sandbox?
Though what are the advantages of sandboxing?

On snapd-git you should be able to run snap debug sandbox-features to see what kind of sandboxing elements are present on your system. Sandboxing without apparmor is not as strong as without it but it’s not an all-or-nothing game.

The benefits of sandboxing are, obviously, that it is harder to attack the system by installing a malicious application.

How secure is snap without AppArmor compared to Flatpak?

And can we see AppArmor being enabled by Default on Arch Linux?

I’m not an expert on flatpak confinement and I’m sure it has evolved since I last looked. Take what I write with a grain of salt.

Snapd without apparmor still uses device cgroups (so programs cannot use character and block devices), seccomp (so system calls or even system calls and their arguments are verified) and a mount namespace (so the filesystem view is different from other programs).

Still this leaves a big hole in access to files and the network, /home is there and can be accessed at will.

Flatpak really doesn't compete in that space since it's not compatible with anything but specific GTK apps that were patched or fixed to use GTK functions for picking files. Having said that, flatpak, last time I looked, used a mount namespace where /home was not visible. Snaps use apparmor and, depending on the use of the home interface, either allow or disallow access to parts of the home folder.

As for apparmor in Arch that’s a question to Arch developers. I don’t know if there is interest in enabling that. If you are keen perhaps you can push this motion forward?

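The backends listed in the answer above (AppArmor, seccomp, device cgroup, mount namespace) can be probed on a host directly. This is an added example, not snapd's code and not the implementation behind snap debug sandbox-features; it assumes the standard Linux /sys and /proc paths, and each probe also accepts a path so it can be run against constructed inputs.

```shell
# Probe which confinement backends a host offers. Each probe takes an optional
# path so it can be checked against constructed inputs; with no argument it
# reads the live /sys and /proc files (assumed standard Linux locations).
# AppArmor is active when the module parameter file reads "Y".
apparmor_state() {
    f="${1:-/sys/module/apparmor/parameters/enabled}"
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then echo "enabled"; else echo "missing"; fi
}
# A kernel built with seccomp exposes a "Seccomp:" line in /proc/<pid>/status
# (the value is the caller's own mode; the line's presence is what matters here).
seccomp_state() {
    f="${1:-/proc/self/status}"
    if [ -r "$f" ] && grep -q '^Seccomp:' "$f"; then echo "available"; else echo "missing"; fi
}
# The devices cgroup controller is listed in /proc/cgroups with enabled=1.
devices_cgroup_state() {
    f="${1:-/proc/cgroups}"
    if [ -r "$f" ] && awk '$1=="devices" && $4==1 {found=1} END {exit !found}' "$f"; then
        echo "available"
    else
        echo "missing"
    fi
}
# Mount namespaces are usable when the kernel exposes /proc/<pid>/ns/mnt.
mount_ns_state() {
    d="${1:-/proc/self/ns}"
    if [ -e "$d/mnt" ]; then echo "available"; else echo "missing"; fi
}
# "full" when all four backends are present, "partial" when only the three
# non-AppArmor ones are (the Arch mainline-kernel case), "weak" otherwise.
confinement_summary() {
    aa=$(apparmor_state "$1"); sc=$(seccomp_state "$2")
    dc=$(devices_cgroup_state "$3"); mn=$(mount_ns_state "$4")
    if [ "$sc$dc$mn" = "availableavailableavailable" ]; then
        if [ "$aa" = "enabled" ]; then echo "full"; else echo "partial"; fi
    else
        echo "weak"
    fi
}
# Live report against the real host; call "report" to print it.
report() {
    echo "apparmor: $(apparmor_state)  seccomp: $(seccomp_state)"
    echo "devices cgroup: $(devices_cgroup_state)  mount ns: $(mount_ns_state)"
    echo "overall: $(confinement_summary)"
}
```

A "partial" result is the situation described in the thread: seccomp, the devices cgroup and a private mount namespace still apply, but nothing mediates file and network access the way AppArmor profiles do.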

@mhall119 is our resident Flatpak expert, perhaps he could confirm or deny Zyga’s comments? :stuck_out_tongue: (Just giving Michael the right to reply, I know this whole discussion is somewhat off-topic though the topic could be split by a mod to deal with that)

What’s the current status on re-exec in non-Ubuntu distros like Arch (I also asked about this here)? :slight_smile:

Actually, I’m guessing this still applies :frowning:

Also, just spotted your comment, Zyga.

@mborzecki @zyga-snapd Any news on enabling re-exec on Arch Linux?

Yeah. I’m working on small changes that will remove the roadblocks. I have a small branch for that (I will open the PR back home, I’m on the go now). This will only leave Nvidia support code (and specifically the hard-coded choice on which integration style to support) and /media as the last blockers.

The /media code is easy to remove as a compile time decision. Nvidia is a bit more complex because it involves a lot of code and somewhat more complex migration code.
