hello-world.evil: confinement is not working correctly

Bug #1781194 reported by Peter Kleiweg
This bug affects 1 person
Affects: Snapcraft
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

When I run "hello-world.evil", I get this output:

Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
If you see this line the confinement is not working correctly, please file a bug

This is the output of the command "snap version":

snap version
snap 2.33.1
snapd 2.33.1
series 16
debian 9
kernel 4.9.0-6-amd64

This is the output of the command "snap info hello-world":

name: hello-world
summary: The 'hello-world' of snaps
publisher: canonical
contact: <email address hidden>
license: unknown
description: |
  This is a simple hello world example.
commands:
  - hello-world.env
  - hello-world.evil
  - hello-world
  - hello-world.sh
snap-id: buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ
tracking: stable
refresh-date: today at 12:58 CEST
channels:
  stable: 6.3 (27) 20kB -
  candidate: 6.3 (27) 20kB -
  beta: 6.3 (27) 20kB -
  edge: 6.3 (28) 20kB -
installed: 6.3 (27) 20kB -

Tags: confinement
information type: Public → Public Security
Jamie Strandboge (jdstrand) wrote :

When snapd starts, it interrogates the system to decide if the necessary sandboxing requirements are met. If they are not, the system is put into forced devmode where snaps are allowed to run, but do not run under full confinement. The Debian 9 kernel is known to not meet these requirements (indeed, you should see something in syslog about snapd using forced devmode). Since the system is in forced devmode, the hello-world.evil program is giving the expected output.

While a number of distributions meet the requirements, work is ongoing to allow more systems to work in strict mode. For example, the next version of Debian will (hopefully) meet all of the requirements. In the meantime, feel free to install and use snaps, but make sure you trust the publisher (just as you would for installing a deb from an unofficial apt repository).

Changed in snapcraft:
status: New → Invalid
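
One way to check for the forced devmode described in the comment above before relying on confinement, as an added example that is not part of the original report or snapd's own code. It assumes the installed snapd provides the `snap debug confinement` subcommand (which prints strict, partial or none); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate on the confinement level snapd reports for this host.

# Map a confinement level to a verdict line; return 0 only for strict.
confinement_verdict() {
    case "$1" in
        strict)
            echo "strict: snaps run fully confined; hello-world.evil should hit permission denied"
            return 0 ;;
        partial)
            echo "partial: forced devmode; some sandbox features are missing, snaps are not fully confined"
            return 1 ;;
        none)
            echo "none: forced devmode; no sandbox enforcement available"
            return 1 ;;
        *)
            echo "unknown: could not determine confinement (got '$1')"
            return 2 ;;
    esac
}

# Ask snapd for the host's level; prints "unknown" if snap is unavailable.
host_confinement() {
    if command -v snap >/dev/null 2>&1; then
        snap debug confinement 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Run "$@" only when the host enforces strict confinement.
# Hypothetical helper, e.g.: require_strict snap install <name>
require_strict() {
    level=$(host_confinement)
    if confinement_verdict "$level" >&2; then
        "$@"
    else
        echo "refusing to run: $* (confinement=$level)" >&2
        return 1
    fi
}
```

On a host in forced devmode the wrapper prints the verdict on stderr and returns non-zero without running the wrapped command.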
Peter Kleiweg (pkleiweg) wrote :

So the message "please file a bug" is a bug.
